TL/DR: Logs working on system with source installed, but display info not getting archived with wevtutil al. When trying to read messages on system without sources installed I get the "description for Event ID from source cannot be found. Either the component that raises this event is not installed ...". Most of my sources' messages get archived correctly, but messages from 2 of them don't.
Full desc: I'm trying to update some of my companies support scripts so that our product doesn't need to be installed in order to read the messages we produce in the event log. This requires running wevtutil epl, and then wevtutil al back to back, and it generates an evtx file and a locale specific MTA file. This works for 4 for our event sources/products, but not for 2 of them. And I can't figure out why. The logs are working correctly on systems with those sources installed, and they all have the correct entry under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\\EventMessageFile.
I've rebooted both the machine generating the logs, and the machine without the sources installed that I'm testing the archives on. That hasn't fixed the problem. I've also checked the list of publishers with wevtutil ep, and that seems fine.
0 Answers