Hi Team,
First let me brief you about my current setup:
1. I have 1 domain controller and 3 domain machines (all in VMs). One of the domain machines (Server 2012 R2) is working as the Windows Event Collector and is configured as a source-initiated Windows event subscription which is forwarding logs to QRadar.
2. QRadar CE installed on a VM.
3. All source machines are configured with audit policy, event forwarding target, PowerShell logging, Sysmon logging, increased log size for PowerShell / PowerShell-Operational under Event Viewer, etc.
Issue: On the collector machine, under Event Subscription --> Forwarded Events, I don't see complete logs getting forwarded from the source computers; I can see only Message=%3 Context: %1 User Data: %2 but not the complete PowerShell command executed, and the same is forwarded to QRadar.
QRadar sample log:
<13>Oct 29 23:08:59 DC1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-PowerShell/Operational
PluginVersion=7.2.9.72 Source=Microsoft-Windows-PowerShell Computer=DC1
OriginatingComputer=10.x.x.x User=Admin Domain=MY EventID=4103 EventIDCode=4103
EventType=4 EventCategory=106 RecordNumber=3175
TimeGenerated=1572390535 TimeWritten=1572390535
Level=Informational Keywords=0 Task=ExecutePipeline Opcode=20
Message=%3 Context: %1 User Data: %2
I need to understand why this is happening and any resolution available to fix this.
Thanks,
Atul
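As an added example (not part of the original post), here is a small Python check that parses QRadar WindowsLog events like the one above and flags messages that still contain unrendered %N insertion placeholders, so you can see per source computer and channel which forwarded events arrived without their message text. The first sample event is the post's own log line flattened onto one line; the second, with a rendered message, is made up for contrast.

```python
import re
from typing import Dict, List, Tuple
# Constructed samples: the post's 4103 event flattened onto one line, and a
# made-up rendered 4103 event (same header) for contrast.
SAMPLE_EVENT = (
    "<13>Oct 29 23:08:59 DC1 AgentDevice=WindowsLog "
    "AgentLogFile=Microsoft-Windows-PowerShell/Operational PluginVersion=7.2.9.72 "
    "Source=Microsoft-Windows-PowerShell Computer=DC1 OriginatingComputer=10.x.x.x "
    "User=Admin Domain=MY EventID=4103 EventIDCode=4103 EventType=4 EventCategory=106 "
    "RecordNumber=3175 TimeGenerated=1572390535 TimeWritten=1572390535 "
    "Level=Informational Keywords=0 Task=ExecutePipeline Opcode=20 "
    "Message=%3 Context: %1 User Data: %2"
)
RENDERED_EVENT = SAMPLE_EVENT.split(" Message=")[0] + (
    ' Message=CommandInvocation(Get-Process): "Get-Process" '
    "Context: Severity = Informational Host Name = ConsoleHost User Data:"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # key=value tokens before Message=
PLACEHOLDER_RE = re.compile(r"%\d+")   # %1, %2 ... insertion strings

def parse_windowslog(line: str) -> Dict[str, str]:
    """Split a QRadar WindowsLog line into fields; the message body after
    'Message=' may contain spaces, so it is kept verbatim, not tokenised."""
    head, sep, message = line.partition(" Message=")
    fields = dict(FIELD_RE.findall(head))
    if sep:
        fields["Message"] = message
    return fields

def unrendered_placeholders(message: str) -> List[str]:
    """%N insertion strings the collector never replaced with event data
    (a rendered 4103 message carries the command text where %3 was)."""
    return sorted(set(PLACEHOLDER_RE.findall(message)), key=lambda p: int(p[1:]))

def check_event(line: str) -> dict:
    """Triage one event: source, channel, and whether its message text is
    unrendered. A real command line could contain a literal %1, so treat
    the flag as a per-channel signal rather than a hard rule."""
    f = parse_windowslog(line)
    placeholders = unrendered_placeholders(f.get("Message", ""))
    return {"computer": f.get("OriginatingComputer", f.get("Computer")),
            "channel": f.get("AgentLogFile"), "event_id": f.get("EventID"),
            "unrendered": bool(placeholders), "placeholders": placeholders}

def rendering_report(lines) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """(total, unrendered) counts per (source computer, channel): a broken
    subscription or source stands out as a high unrendered ratio."""
    report: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for line in lines:
        r = check_event(line)
        key = (r["computer"], r["channel"])
        total, bad = report.get(key, (0, 0))
        report[key] = (total + 1, bad + int(r["unrendered"]))
    return report
```

Run it over an export of the forwarded PowerShell events to see whether every source is affected (which points at the subscription on the collector) or only some of them (which points at the individual sources).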