More NT Event Log questions

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
nate-boit
Posts: 33
Joined: Thu Sep 28, 2006 2:50 pm

Post by nate-boit »

I copied the reg key and the specified DLLs to the correct folder within HM and I no longer receive errors for most things about "Message not found." I do still get that for Microsoft Exchange. However, now I don't think HM is actually reporting any events. Let me give you a little background on my case:

The program was already set up when I got ahold of it with tests to log all events. I added tests in addition to the others for specific event IDs. It didn't seem like everything that should have been reporting actually was. So I renamed the HostMonitor folder and installed HM again to run from another instance just to start fresh with a new database and everything, keeping all the settings separate from the previous HM so I could go back to it. So basically I have two separate HMs installed and I just rename whichever one I want to use to the right folder name.

Anyways, the second HM I set up wasn't ever recording events and I could not get it to stop giving me the "Message not found" error. So I went back to the first installation I had and now it is not reporting any events, but they all report status "Ok." I know there should be events because a few days ago using this installation it was generating plenty of events.

Sorry this is so long, but I am just trying to get HM to work right for me and want to give any necessary information that might help.

So basically,
1. Is there something else I need to do to make the "Microsoft Exchange, Microsoft Exchange Database" message errors go away?
2. Is there something I can check or try or change to make it actually find events again?
3. Not mentioned above, but is there a way to only log bad or unknown events? (e.g. no log of "Ok" events)?

Thanks so much
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

nate-boit wrote: Anyways, the second HM I set up wasn't ever recording events and I could not get it to stop giving me the "Message not found" error.
I am confused.
1) "wasn't ever recording events"? NT Event Log test method does not record events. It checks for events that were recorded by Windows or 3rd party applications.
2) If HostMonitor shows "Message not found. Insertion strings.." message, this means HostMonitor has detected an event record that fits your filter. So, it worked fine. HostMonitor just could not reach the necessary DLL to retrieve the text description of the event.

nate-boit wrote: 1. Is there something else I need to do to make the "Microsoft Exchange, Microsoft Exchange Database" message errors go away?
You mean "Message not found. Insertion strings.." errors? You need to copy some more registry keys and DLLs. Every event source (application) has its own key under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\

nate-boit wrote: Is there something I can check or try or change to make it actually find events again?
Please check event filter and the Event log. "Ok" status means HostMonitor is able to connect to the host and open Event Log; there are no NEW events that fit specified filter.

nate-boit wrote: Not mentioned above, but is there a way to only log bad or unknown events? (e.g. no log of "Ok" events)?
You may disable common log for the test item and add "Record HM log" action into alert profile assigned to the test. Using "advanced" mode action you may specify condition like ('%SimpleStatus%'=='DOWN') or ('%SimpleStatus%'=='UNKNOWN')
http://www.ks-soft.net/hostmon.eng/mfra ... ncedaction

Regards
Alex

Post by nate-boit »

Thanks a lot for the help. I went through and grabbed a lot of Reg keys and DLL files and threw them all into the EventLogDlls folder and I began seeing hundreds of events. Backlogs I guess? I don't know if this software looks backwards at all, but I got a lot once I got it working.

Another question I had was if there was any way to "clean up" the event logs that are found. There are a lot of pipes and squares that appear all through the event log, which I'm sure people have mentioned before. I opened the DLL that gives out all that information and saw all the strings with the weird characters. I tried changing that for one of the events to see if I could manually edit what it printed out, but when I did that nothing printed for any of the events. The reply field was just blank. Just thought I'd ask.

Post by KS-Soft »

nate-boit wrote: Backlogs I guess? I don't know if this software looks backwards at all, but I got a lot once I got it working.
Nope. NT Event Log test method checks for new events only.

nate-boit wrote: Another question I had was if there was any way to "clean up" the event logs that are found. There are a lot of pipes and squares that appear all through the event log, which I'm sure people have mentioned before.
Pipes and squares? For example? Something like %%4130?

Regards
Alex

Post by nate-boit »

No. I was talking about all of the || symbols and squares used for spaces that are generated within the monitor and stored to the database. But in the HTML report, they aren't there. So I guess it's just all formatting tags. So no problem there. I can deal.

Next problem. The domain password for the account I was using expired today. I changed the password for the domain and changed each password for my NT Event Log tests accordingly. So obviously I am using "Connect as" on all the tests. The new credentials worked for a while. I stopped monitoring for an hour or so and then started monitoring again. When I turned monitoring back on, every test gave me "Win32 Error. Code 5: Access is denied." I have also tried disabling the "connect as" for a couple tests and using the connection manager, but no luck with that either.

I know the password is correct, because I can remote desktop to a server using that account. What other reasons are there that could cause that error? I can ping and terminal service to those machines.

Thanks
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am

Post by KS-Soft Europe »

Is HostMonitor started as service? In case it is started as service: What account do you use to start HostMonitor (Options > Service tab)? Have you changed the password for that account?
In case HostMonitor is started as application: I think you should log off and then log in again using the new password.

Regards,
Max

Post by KS-Soft »

nate-boit wrote: No. I was talking about all of the || symbols and squares used for spaces that are generated within the monitor and stored to the database. But in the HTML report, they aren't there. So I guess it's just all formatting tags. So no problem there. I can deal.
Event description may contain CR, LF, Tab characters. When HostMonitor creates HTML report, it replaces these symbols with <br> and other appropriate tags.

Regards
Alex

Post by nate-boit »

KS-Soft Europe wrote: Is HostMonitor started as service? In case it is started as service: What account do you use to start HostMonitor
HostMonitor is started as a service. The computer HM is installed on is not on the domain and is therefore using local credentials. I put the local information in the service options and it started working again. Before, it just started on the system and worked up until today. But thanks for the help.

Is there somewhere that you can specify a location for HostMonitor to look for DLLs? Or is it hard-coded? The reply messages were working correctly before this also, but now the "Message not found" errors are back. I re-imported and re-copied all of the reg keys and DLL files but still no luck.

Thanks for all the help.

Post by KS-Soft »

nate-boit wrote: I put the local information in the service options and it started working again
Do you mean you are using "local system" account? And HostMonitor is able to check remote systems? :o
That's impossible. Local system account does not have rights to use network API. Unless you have specified normal account somewhere else.
There are 2 places where you may specify account information for HostMonitor:
1) Windows Services applet. Here you should keep default "local system" account. Otherwise HostMonitor will not be able to interact with desktop.
2) Service page in the Options dialog (HostMonitor's dialog). Here you should provide account that has enough rights to work with remote systems.

nate-boit wrote: Is there somewhere that you can specify a location for HostMonitor to look for DLLs? Or is it hard-coded?
HostMonitor reads information about system and 3rd party DLLs from the registry. Often you don't need to modify registry and you don't have to copy DLLs.
However, it's good to copy DLLs from remote systems into EventLogDlls directory in case you need to monitor some specific software not installed on local system. Also you must copy DLL from remote system when local system has different version of the same DLLs which provides different list of parameters. Why? Because Windows does not check the accordance between the number of variables in a template (that is stored in resource file) and the number of variables stored in an event log.
So, it's better to use special folder to store DLLs instead of replacing these files on working system.

nate-boit wrote: The reply messages were working correctly before this also, but now the "Message not found" errors are back.
Maybe you have played with 2 instances too much and started wrong copy of HostMonitor?

Regards
Alex
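
Added example, not part of the thread and not HostMonitor or Windows code: a simplified Python model of the mismatch described in the post above, where a description template taken from one DLL version is applied to insertion strings written by another version. The templates, the strings and the `render` function are constructed for illustration, and only `%1`..`%99` placeholders are modelled.

```python
import re

# Simplified model of an event message template (an assumption of this
# example): only %1..%99 placeholders are recognised, and "%%..."
# sequences are left untouched.
PLACEHOLDER = re.compile(r"(?<!%)%([1-9]\d?)(?!\d)")

def render(template, strings):
    """Expand a template with a record's insertion strings.

    Returns (text, problems). problems lists every mismatch between the
    placeholders in the template and the strings stored in the record.
    """
    used = set()
    problems = []

    def substitute(match):
        index = int(match.group(1))
        if index <= len(strings):
            used.add(index)
            return strings[index - 1]
        problems.append(
            f"template references %{index} but the record has only "
            f"{len(strings)} insertion strings"
        )
        return match.group(0)  # leave the unresolved placeholder visible

    text = PLACEHOLDER.sub(substitute, template)
    for index in range(1, len(strings) + 1):
        if index not in used:
            problems.append(f"insertion string {index} is not used by the template")
    return text, problems

# Constructed sample data: two versions of the same message template and the
# insertion strings written by the newer version on the monitored host.
TEMPLATE_ON_REMOTE = "Service %1 on database %2 failed with code %3."
TEMPLATE_ON_LOCAL = "Service %1 failed with code %2."
RECORD_STRINGS = ["Store", "MailDB01", "0x5"]

if __name__ == "__main__":
    for name, template in (("remote", TEMPLATE_ON_REMOTE), ("local", TEMPLATE_ON_LOCAL)):
        text, problems = render(template, RECORD_STRINGS)
        print(f"{name}: {text}")
        for problem in problems:
            print(f"  mismatch: {problem}")
```

With the local template the description is rendered without any error but reports the database name as the failure code, which is the case the post gives for keeping the monitored system's DLL version in the EventLogDlls folder.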

Post by nate-boit »

KS-Soft wrote: Do you mean you are using "local system" account? And HostMonitor is able to check remote systems? That's impossible.
I have been using the local system account to run HostMonitor as a service. Up until today, when it started no longer working.

The machine running HostMonitor is a standalone machine physically connected to the network but not on the domain. When I create tests to monitor event logs, I specify a valid domain account with administrative rights. Are you saying that this setup should not be working at all? Does the HM machine have to be on the domain and run the service with domain credentials to access network API? I don't believe the Windows Service applet was changed, and until today the Options>Service page was only running the service as local system.

If it is the case that I need to add that computer to the domain, then that would most likely fix my problems with DLLs and API access, correct?

KS-Soft wrote: Maybe you have played with 2 instances too much and started wrong copy of HostMonitor?
This is not the case. The 2 instances have a different amount of tests with different names and I would recognize if the wrong instance was running. I will delete the other instance anyways just to be safe.

Post by KS-Soft Europe »

nate-boit wrote: The machine running HostMonitor is a standalone machine physically connected to the network but not on the domain. When I create tests to monitor event logs, I specify a valid domain account with administrative rights. Are you saying that this setup should not be working at all?
Such configuration should work and it works in most cases. But sometimes it is not working properly. HostMonitor sends correct account information to Windows API but Windows may use current user account information (account that was used to start service) instead of using the account you have specified in "Connect as" box. We have not found solution for this problem yet. Just workaround: you may create the same account on remote system using the same username and password (if all systems in the same domain, it's not a problem).
Anyway, instead of "Connect as" option, using "Connection manager" is more convenient way, I think. In such case you have to change password only in one place.

nate-boit wrote: If it is the case that I need to add that computer to the domain, then that would most likely fix my problems with DLLs and API access, correct?
It definitely helps to fix API access problems, and perhaps, it could fix DLLs problem too.

Regards,
Max

Post by KS-Soft »

nate-boit wrote: The machine running HostMonitor is a standalone machine physically connected to the network but not on the domain. When I create tests to monitor event logs, I specify a valid domain account with administrative rights. Are you saying that this setup should not be working at all?
I was not talking about system-domain relations. What I mean - service (the process, not entire system) started under local system account does not have rights to use some functions from Windows API.
So, if you have specified "local system" account using Windows Service applet AND HostMonitor Options dialog, then NT Event Log, CPU Usage, Process, Service and some other tests should not work with remote systems. If these test methods worked, you should complain to Microsoft. Because such behavior means there is some security problem.

Anyway, besides "connect as" option that tells what account should be used for connection with remote system, you should specify what account should be used to run service (HostMonitor). These options are located on Service page in the Options dialog.

Regards
Alex

Post by nate-boit »

Thanks for all the help from both of you. I have HostMonitor working pretty well for what I need it to do.

One more question: What are possible causes of getting the reply "Win32 Error. Code: 87. The parameter is incorrect."? I have searched the forum and didn't find any direct matches.

Post by KS-Soft »

Where exactly do you see this message? "Reply" field of some test?

Regards
Alex

Post by nate-boit »

Yes. In the reply field of NT Event Log tests. It only occurs occasionally on various tests.