more than one msaudite.dll file
more than one msaudite.dll file
The MsAuditE.dll file is the main dll that events are formatted with, correct? Well how can you have two of those files in the EventLogDlls folder?; one for 2003 events and one for 2000 events. Because it seems like whenever i have one or the other in there, the corresponding Windows server type displays event logs correctly. But say if i only have the 2000 dll in that folder, values are missing from the 2003 server events.
If you are checking security log, then yes.The MsAuditE.dll file is the main dll that events are formatted with, correct?
You cant.Well how can you have two of those files in the EventLogDlls folder?;
Yes, but you may copy DLL from Windows 2003 (if HostMonitor is running on Windows 2003, you don't need to copy this DLL at all). In such case you should see all messages because new version of the DLL should include old messages as well.But say if i only have the 2000 dll in that folder, values are missing from the 2003 server events.
It doesnt?
Regards
Alex
Code: Select all
In such case you should see all messages because new version of the DLL should include old messages as well.
It doesnt? I am using using the 2003 DLL, running on Windows XP SP2.
I am also getting a lot of replies from that 2000 server saying "Win32 Error. Code:87. The parameter is incorrect." I know you looked for the cause of that error previously and didn't have any luck. But it might be related.
Means Microsoft changed format of some messagesYes and no. Some messages from the 2000 server try to appear but get the "Not enough insertion data for the message (MsAuditE.dll)" error.
Solution? H'm... you may install RMA on the same system and create EventLogDlls subfolder in RMA's directory, copy DLL from Windows 2000 into that folder and use agent to monitor Windows 2000 systems, while use HostMonitor to checks Windows 2003 and XP directly.
Or simply install RMA on Windows 2000 system and do not copy any DLLs.
We found article that explains error 87 but.. this article relates to Windows NT 4.0I am also getting a lot of replies from that 2000 server saying "Win32 Error. Code:87. The parameter is incorrect."
http://support.microsoft.com/default.as ... -us;177199
On the other hand, may be it can apear on XP under some circumstances? What size of your Event logs? Over 2MB?
Could you try to install HostMonitor on Windows 2003 SP1?
Regards
Alex
This sounds like a good solution, however, in order to use a test with even the localhost RMA, you have to purchase a license for 10 RMAs.you may install RMA on the same system and create EventLogDlls subfolder in RMA's directory, copy DLL from Windows 2000 into that folder and use agent to monitor Windows 2000 systems, while use HostMonitor to checks Windows 2003 and XP directly.
I'm not sure of the individual size of each event, i can only connect to the event viewer through another computer. The size of the entire security events is 73MB, overwritten as needed. Installing HM on 2003 is not really an option at this time, because there is a specific computer on the network designed for this purpose and it sadly has XP on it. Maybe i can implement a virtual machine on top of it in the future with 2003. We'll see.
Yes (Enteprise license includes 10 RMA)This sounds like a good solution, however, in order to use a test with even the localhost RMA, you have to purchase a license for 10 RMAs.
That's what I asked. It doesn't matter what the size of each event.The size of the entire security events is 73MB
We recommend Windows 2000 SP4 or Windows 2003 SP1Installing HM on 2003 is not really an option at this time, because there is a specific computer on the network designed for this purpose and it sadly has XP on it.
Maybe i can implement a virtual machine on top of it in the future with 2003. We'll see.
Regards
Alex
Not likely, huh?Hey thanks so much for that. I am running the RMA on localhost with the 2000 MsAuditE.dll in the RMA's EventLogDlls folder, and running the test for the 2000 servers from the RMA. So far it looks like it is working good. Better than before anyway. I am no longer getting the "Not enough insertion data" error, but i am still getting that Win32 Error. Code:87. It just has 'RMA: 301' in front of it now.
One other thing, that might not be fixable, is that events from the RMA test using the 2000 DLL seem to be double-spaced when i look at them in MySQL, as opposed to single spaced as they are normally. I am logging this with the %Reply% variable. When i use the %NTEventText% variable, all tests are double-spaced. I guess the Server 2000 DLL has some extra carriage returns in there? Is there any way you know of to make those single-spaced as well?
Again thanks for the help with that, and the quick response.
One other thing, that might not be fixable, is that events from the RMA test using the 2000 DLL seem to be double-spaced when i look at them in MySQL, as opposed to single spaced as they are normally. I am logging this with the %Reply% variable. When i use the %NTEventText% variable, all tests are double-spaced. I guess the Server 2000 DLL has some extra carriage returns in there? Is there any way you know of to make those single-spaced as well?
Again thanks for the help with that, and the quick response.
Sorry, we did not find any useful information about this error in Microsoft manuals. And I do not remember any customer that had such errorbut i am still getting that Win32 Error. Code:87
double-spaced? You see 2 space characters between every word? I cannot reproduce this problem.One other thing, that might not be fixable, is that events from the RMA test using the 2000 DLL seem to be double-spaced
...
or may be you see empty lines? Something like this
Code: Select all
Logon Failure:
Reason: Unknown user name or bad password
User Name: testRegards
Alex