Forwarded Events Log Is Not Retrieving Correctly


In some cases, Sensage customers need to retrieve the Forwarded Events log from customer's Windows log sources apart from configuring registry keys as indicated in page 1 of the Collector Guide.

However, the process indicated in the Collector Guide does not retrieve the log correctly.


Sensage AP all versions


Access to Sensage AP environment and Windows Servers (for configuring registry keys).

Root Cause

When readers pull information from both custom and standard sources (i.e. fwd, sec) it causes the collector to pull information from the custom log source incorrectly.


Consider the following steps performed by an agent to retrieve Forwarded Events log for one of the configured servers where the Registry Keys were set correctly as documented in the Collector Guide on pages 106-107.

  1. The agent was able to retrieve the logs correctly from the Forwarded Events source in the Windows machine after identifying that logmap.fwd=ForwardedEvents did not require the space between the words "ForwardedEvents" in the agentless2k8.prop​ configuration file
    • This is opposed to the documentation under Setup Instructions for Forwarded Logs in the Collector Guide which says the following:

      IMPORTANT: Be sure to separate the two words of the key name Forwarded Events with a space.

  2. Additionally, on the reader line, the agent left only the fwd logs to make sure they were gathering from the correct log file.

  3. After reviewing all the configurations, the agent restarted the collector and was able to gather Forwarded Events log sourced from the configured Windows server.


The log should retrieve and load normally.




Please sign in to leave a comment.