lithnet/ad-password-protection

Windows Application event log computer name

zibs1 opened this issue · 6 comments

zibs1 commented

This might be a small thing, but we are seeing it as an inconvenience in SIEM log searching with regard to the Computer name for DCs.
We would like the Computer name to be the FQDN rather than the hostname. Is there something we can configure for this in the LPP agent?
At the moment we have something like:
[screenshot]
but we would like to match Computer as in other example Windows logs:
[screenshot]

ryannewington commented

Hi @zibs1

That's a strange one.

I've just checked my machines and I get the FQDN.

Unfortunately, it's not something we specify when we create an event log entry. Windows must fill this in itself, so you might need to seek advice from Microsoft as to why this is happening.

zibs1 commented

@ryannewington thanks for coming back to me.
What OS version are you running on?
I can confirm this is only happening on OS 2016 onwards.
Where is the Lithnet app taking the Computer name value from? Because if that were OS or configuration specific, why are built-in and all remaining events taking the FQDN?

ryannewington commented

@zibs1
I'm using Server 2019 and 2022.

We use this API from Windows
https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-reporteventa

We don't provide a computer name at all.

zibs1 commented

@ryannewington can you post a screenshot here of Lithnet Event ID 4, showing how it actually looks?
Also, can you tell me what the output of the hostname command is on the machine? Is it just the host or the FQDN?

zibs1 commented

@ryannewington Would that have anything to do with how the messages are described in C:\Program Files\Lithnet\Active Directory Password Protection\messages.dll?
I just scanned through various events in both the system and application logs and can confirm 99.99% of events are coming with Computer names as FQDN, except for LPP's, so I'm inclined to say this is definitely a problem with LPP rather than with the Windows server itself.
Is there any specific configuration or difference if the event is generated by using the Get-PasswordFilterResult PS command?

ryannewington commented

[screenshot]

hostname shows the short name of the machine.

messages.dll is compiled from messages.mc, but again, no reference to the computer name is in there.

Sorry @zibs1, there is not much I can advise on here. It's either something in Windows or something in the C++ runtime, but it's not something I have control of with LPP.
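Since LPP passes no computer name to ReportEvent and Windows fills the Computer field itself, the practical question for SIEM work is which providers on a given DC end up with the short name. The following PowerShell diagnostic is an added example, not part of LPP or this thread; it assumes the LPP provider name contains "Lithnet", that Event ID 4 is the LPP event of interest, and that the DC can resolve its own FQDN.

```powershell
# Added diagnostic (not LPP's own code): report which Application-log
# providers write the short host name into the event's Computer field
# (MachineName) instead of the FQDN, so SIEM normalisation can target them.
param(
    [string]$LogName   = 'Application',
    [int]   $MaxEvents = 5000
)

# Reference values for this machine: short name and resolved FQDN.
$shortName = [Environment]::MachineName
$fqdn      = [System.Net.Dns]::GetHostEntry($shortName).HostName

$events = Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop

# One row per provider: how many events, which MachineName values were seen,
# and whether the short name and/or the FQDN appear among them.
$report = $events |
    Group-Object ProviderName |
    ForEach-Object {
        $names = $_.Group | Select-Object -ExpandProperty MachineName -Unique
        [pscustomobject]@{
            Provider     = $_.Name
            Events       = $_.Count
            MachineNames = ($names -join ', ')
            WritesShort  = [bool]($names | Where-Object { $_ -eq $shortName })
            WritesFqdn   = [bool]($names | Where-Object { $_ -eq $fqdn })
        }
    } |
    Sort-Object Provider

"Short name    : $shortName"
"Expected FQDN : $fqdn"
$report | Format-Table -AutoSize

# Providers that only ever write the short name need a SIEM field rule
# (e.g. append the domain suffix) before Computer can be searched uniformly.
"Providers writing only the short name:"
$report | Where-Object { $_.WritesShort -and -not $_.WritesFqdn } |
    Select-Object -ExpandProperty Provider

# The LPP events themselves (assumption: provider name contains 'Lithnet',
# Event ID 4 as discussed above), showing the Computer value they carry.
$events |
    Where-Object { $_.ProviderName -like '*Lithnet*' -and $_.Id -eq 4 } |
    Select-Object -First 5 TimeCreated, Id, ProviderName, MachineName
```

Run it on a DC that shows the problem and on one that does not; if every provider on the affected DC writes the short name, the cause is host-level, whereas a short name from LPP alone points at the process that calls ReportEvent.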