Overview
When collecting logs from Windows 2016 Servers, the Event Descriptions and Event Fields data are blank.
EventsManager fails to get the tags for event 4624 on Windows Servers 2016, and the following errors are registered in the logs:
info, EvtMgrs.dll, TryGetEventTags, failed to get the tags for event 4624 with version 2 on OS 6.3 with publisher Microsoft-Windows-Security-Auditing
info, EvtMgrs.dll, TryGetEventTagsWithDefaultPublisher, Falling back on default provider for event 4624, version 2, os 6.3
info, EvtMgrs.dll, TryGetEventTags, failed to get the tags for event 4624 with version 2 on OS 6.3 with publisher default
info, VstExtractor.dll, VistaExtractor.ProcessUserData, No UserData found for event 4624
This article provides a resolution for the problem described above.
Resolution
Install the attached patch using the steps below. You may also download it from the link provided.
Note: After downloading the zip, make sure to unblock it before extraction.
Steps to apply the patch:
- Kill esmmgr.exe if running.
- Stop GFI Events Manager Services.
- Kill esmcfgsrv.exe if running.
- Make a copy of EvtMgrs.dll.
- Replace EvtMgrs.dll in the installation directory.
- Start GFI Events Manager Services.
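
The steps above as one elevated PowerShell script. This is an added example, not a script shipped by GFI. The installation directory, the patch zip path and the service display-name pattern are assumptions that must be set for the actual install (check the pattern with Get-Service first). It also verifies by hash that the replaced DLL matches the one in the patch and restores the copy if it does not.

```powershell
# Added example. $InstallDir, $PatchZip and $ServicePattern are assumptions,
# not values taken from the article.
param(
    [Parameter(Mandatory)] [string] $InstallDir,     # EventsManager installation directory
    [Parameter(Mandatory)] [string] $PatchZip,       # path to the downloaded patch zip
    [string] $ServicePattern = 'GFI EventsManager*'  # assumed display-name pattern
)
$ErrorActionPreference = 'Stop'

# Unblock the zip before extraction, as the note requires.
Unblock-File -LiteralPath $PatchZip
$staging = Join-Path $env:TEMP ("evtmgrs-patch-" + [guid]::NewGuid())
Expand-Archive -LiteralPath $PatchZip -DestinationPath $staging

# Check everything needed is present before stopping anything.
$newDll = Get-ChildItem -LiteralPath $staging -Recurse -Filter 'EvtMgrs.dll' |
    Select-Object -First 1
if (-not $newDll) { throw "EvtMgrs.dll not found in $PatchZip" }
$target = Join-Path $InstallDir 'EvtMgrs.dll'
if (-not (Test-Path -LiteralPath $target)) { throw "No EvtMgrs.dll in $InstallDir" }
$services = @(Get-Service -DisplayName $ServicePattern)
if ($services.Count -eq 0) { throw "No services match '$ServicePattern'" }

# Kill esmmgr.exe if running.
Get-Process -Name 'esmmgr' -ErrorAction SilentlyContinue | Stop-Process -Force

# Stop the services, remembering which were running so only those are restarted.
$wasRunning = @($services | Where-Object Status -eq 'Running')
$wasRunning | Stop-Service -Force

# Kill esmcfgsrv.exe if running.
Get-Process -Name 'esmcfgsrv' -ErrorAction SilentlyContinue | Stop-Process -Force

# Make a copy of the current EvtMgrs.dll.
$backup = "$target.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -LiteralPath $target -Destination $backup

# Replace the DLL, then confirm the file on disk is the patched one.
Copy-Item -LiteralPath $newDll.FullName -Destination $target -Force
$expected = (Get-FileHash -LiteralPath $newDll.FullName -Algorithm SHA256).Hash
$actual   = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($actual -ne $expected) {
    Copy-Item -LiteralPath $backup -Destination $target -Force
    throw "EvtMgrs.dll hash mismatch after copy; original restored from $backup"
}

# Start the services again.
$wasRunning | Start-Service
Write-Output "Patched $target (SHA256 $actual); backup kept at $backup"
```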