Cannot monitor NT Event Logs on Windows Server 2008 R2 hosts

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
lr
Posts: 24
Joined: Tue Aug 12, 2003 9:12 pm

Cannot monitor NT Event Logs on Windows Server 2008 R2 hosts

Post by lr »

I am getting "System Error: Code5 Access is Denied" attempting to monitor Windows Application Event Log on a Server 2008R2 host. There is no local Windows firewall active on the host. I have tried supplying the user name and password of the administrator on the host as part of the test configuration also.

I am having this same problem on two different Server 2008R2 hosts. Other tests to the same servers are functional, however, but not Event Logs.

Maybe the problem is my Host Monitor is running on Windows Server 2000 SP4? Or maybe my version of Host Monitor is too old (v.7.72)?

Any ideas how to solve this?

Thanks.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Are both systems located in the same domain? The same workgroup? Different domains?

I think several other customers had the same problem. It may occur on any version of Windows. HostMonitor calls the Windows API function using the specified user name and password, but Windows sends the name of the current user to the remote system! You may verify that by checking the security event log on the target system.
Why does it happen on some Windows systems while most of them work correctly? We spent a lot of time trying to find an explanation and found nothing :(

Solution: if you do not have an identical admin account on all systems (the system where HostMonitor is installed and the target systems), you may create a new local admin account on both systems (e.g. an "hmuser" account) using the same name and the same password. Then use this account to start HostMonitor. If HostMonitor is started as a service, specify this account on the Service page in the Options dialog (HostMonitor Options dialog). In such a case authentication will pass even if Windows sends the current user account.

Regards
Alex
lr
Posts: 24
Joined: Tue Aug 12, 2003 9:12 pm

Could it be the Event Log path is different?

Post by lr »

Alex:

I am using the same admin account on both the host computer and the Host Monitor system with the same user password.

Could it be a problem that the path to the Event Log is different on a Server 2008R2? I get this message trying to set up the test and selecting the event log from the pulldown list:
"Cannot retrieve list of Event Logs from ...... Will be used local system list"

I checked and the location of the event logs on Server 2008R2 is \\Windows\System32\Winevt\Logs\. However on Server 2003 (which does work) the event logs are located in a different Windows folder. Could that be the issue?

Thanks.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

No, it's not a problem. HostMonitor retrieves the list of logs using the registry.
"Access is denied" means access is denied. Could you please check the security log on the target system?

Regards
Alex
lr
Posts: 24
Joined: Tue Aug 12, 2003 9:12 pm

Post by lr »

Alex:

I watched the security event log on the host while running the event log test from the Host Monitor computer (both on the same LAN). There were NO security events logged when I ran the tests.

I am wondering still about the version of Windows I am using on the Host Monitor computer (Windows Server 2000 SP4). It does seem possible that the security information is not correctly sent to a Server 2008R2 host from such an old OS. Earlier you thought that did not matter, however.

Thanks for the help.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

lr wrote: "There were NO security events logged when I ran the tests"
Maybe such kind of auditing is disabled?
lr wrote: "I am wondering still about the version of Windows I am using on the Host Monitor computer (Windows Server 2000 SP4). It does seem possible that the security information is not correctly sent to a Server 2008R2 host from such an old OS. Earlier you thought that did not matter, however"
Well, we recommend using Windows Server 2003 SP2. If you have such a system, it's better to install HostMonitor there.
Or you may keep HostMonitor on the old system and try to install RMA on Windows 2008.

Regards
Alex
lr
Posts: 24
Joined: Tue Aug 12, 2003 9:12 pm

Problem still exists

Post by lr »

Alex:

I am still trying to solve this. I used the latest release of Host-Monitor and installed an RMA on the 2008R2 Server I am trying to monitor. The passive RMA does not function and the active RMA is only partially functional in that the RMA Manager reports the RMA on the 2008R2 Server has not yet connected. And the RMA reports connection failures, but still the RMA and RMA Manager seem aware of each other and are communicating on some level. I tried using a Windows 7 host to monitor the NT event logs and had the same problem as I do on 2008R2 Server. I also cannot even get a list of the event logs from the pull-down when I set up the tests.

I have done lots of internet searching on security of the Event Logs and could not find anything that solved this. Do you have a Windows 7 computer or a 2008R2 server there you are able to test on, and could you just let me know if you are able to set up an NT Event Log test?

Thanks.
lr
Posts: 24
Joined: Tue Aug 12, 2003 9:12 pm

One more point

Post by lr »

I forgot to mention that as a test I installed a full Host Monitor system directly on the 2008R2 server and that was successful in testing its own Event Logs. But that is the only way so far I can make the test work.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Yes, it works on our systems.
I am not sure what you mean when you say "RMA is only partially functional" and "passive RMA does not function". Could you please explain?
If HostMonitor cannot connect to Passive RMA due to firewall issue then NT Event Log and other tests will not work either.

If you set up Passive RMA correctly by providing the same port number and the same password on both ends (HostMonitor and RMA) and HostMonitor shows a "Connection error" message in the Reply field of the test while RMA does not show any (accepted/rejected) connection attempts in the RMA logs, this means there is some network problem. Most likely a firewall.
If there are some messages in the logs, what exactly do the messages say?

Regards
Alex
lr
Posts: 24
Joined: Tue Aug 12, 2003 9:12 pm

Problem is SOLVED

Post by lr »

Alex:

I finally solved this problem of access to the Event Logs and wanted to let you know about it as I think you may get similar questions. You were correct it was a true security access problem. The solution was to add the user account on the 2008R2 Server into the User Group "Event Log Readers". I had previously tried adding the user account to "Administrators" thinking it would give sufficient rights into the Event Logs, but apparently not. I have the same user name and password on the 2008R2 Server being monitored as the user name and password on the Host-Monitor computer and all tests are run using that user's security. By the way, Windows 7 also has an Event Log Readers users group, so the same issue will apply to any Windows 7 hosts being monitored.

Thank you for sticking with me on solving this.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Thank you for the information, it can be useful for other customers.
However, I should say: our "administrator" account is not a member of the "Event Log Readers" group and it can read events from local and remote systems (Windows 7 and Windows 2008).

Maybe some security policy leads to this effect?
BTW: are we talking about Application event log? You said "I am getting System Error: Code5 Access is Denied attempting to monitor Windows Application Event Log".
I think "Event Log Readers" group should be used when you need access to Security log while other logs can be read by "regular" users.

Regards
Alex
lr
Posts: 24
Joined: Tue Aug 12, 2003 9:12 pm

Clarification on event logs

Post by lr »

Alex:
I double checked my results and when I remove the user running the tests from the Event Log Readers group and put that user in the Administrators group I again get the "System Error: Code5 Access is Denied" message. I am monitoring the Windows Application Event Log, not the Security Event Log. The description from Windows Server 2008R2 for the Event Log Readers group is "Members of this group can read event logs from local machine"; it does not specify only the Security Event Log. As far as I know I have not done anything with the security settings to affect this behavior and I have tested it on 3 different servers now. So for whatever reason, I think if someone is having trouble with Host Monitor reading the NT event logs and is getting an access denied error returned, you might suggest the solution of adding the user running the test into the Event Log Readers group. It definitely worked for me.

Thank you.
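As an added example (not code from the thread or from KS-Soft), the following PowerShell script reproduces the check lr describes from the monitoring side: it lists who is in the target's built-in "Event Log Readers" group and then attempts a remote read of the Application log as the monitoring account, so that an "Access is denied" failure can be tied to the group membership before touching HostMonitor. The host name and account name are placeholders; the script assumes the account exists locally on the target with the same password as on the monitoring machine, as the thread recommends.

```powershell
# Added example: verify Event Log Readers membership and remote Application-log access.
# $TargetHost and $MonitorUser are placeholders for the monitored host and the local
# account HostMonitor runs as (same name/password on both machines, per the thread).
param(
    [string]$TargetHost  = 'SRV2008R2',   # placeholder: Server 2008 R2 / Windows 7 host
    [string]$MonitorUser = 'hmuser'       # placeholder: local monitoring account
)

# 1. Enumerate "Event Log Readers" on the target via the ADSI WinNT provider.
#    This works against 2008 R2, which lacks the newer Get-LocalGroupMember cmdlet.
$group   = [ADSI]"WinNT://$TargetHost/Event Log Readers,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$isMember = $members -contains $MonitorUser
"Event Log Readers on ${TargetHost}: $($members -join ', ')"
"$MonitorUser is a member: $isMember"

# 2. Read a few Application events remotely as the monitoring account.
#    Get-WinEvent goes over the same remote event-log channel the monitor uses,
#    so an access-denied here matches the "Code5 Access is Denied" symptom.
$cred = Get-Credential "$TargetHost\$MonitorUser"
try {
    $events = Get-WinEvent -ComputerName $TargetHost -LogName 'Application' `
                           -MaxEvents 5 -Credential $cred -ErrorAction Stop
    "Read $($events.Count) Application events from $TargetHost as $MonitorUser"
} catch {
    "Remote read failed: $($_.Exception.Message)"
    if (-not $isMember) {
        # Remediation from the thread: add the account to the group on the target.
        "Hint: on $TargetHost run:  net localgroup `"Event Log Readers`" $MonitorUser /add"
    }
}
```

Run it from the HostMonitor machine; if the read succeeds only after the account appears in the group listing, the membership, not the Administrators group, is what grants the remote read.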