Incorrect status readings from Windows Update event log

myxiplx · Joined: 13 Apr 2004 Posts: 21

Hi,

I'm using HostMonitor v4.42 and have been experiencing odd problems trying to monitor the Windows Event log for the Windows Update service.

I am trying to monitor Warning and Error events for the WUSyncService, but HostMonitor is generating warnings for Information messages too.

All of my other event monitoring services work ok, it seems to be just this particular service.

This service does seem a little odd in the way it works with the event log. I cannot filter by this service, turning on filtering for this service actually does not display any events, and I don't know whether this would indicate a problem with the event log?

Ross

timn · Joined: 20 Nov 2003 Posts: 184 Location: United States

Sorry to ask what may be obvious but...

Under Test Properties, Alert Condition, Event Type drop-down, does the drop-down indicate simply "Error, Warning"?

I'm running several of these test under 4.42 and they all seem to be working (i.e. I get Errors, Warnings, but NOT Informational)

myxiplx · Joined: 13 Apr 2004 Posts: 21

Yes it does. I'm using similar criteria for other events and they are working fine. It's purely the SUS events that are behaving strangely.

I'm not entirely sure it's not the SUS service doing something wrong when it logs events. I don't know how the event log works internally so I don't know if this is possible, but there is definately something not quite right with them.

I'm trying to get in touch with MS support at the moment to find out if this is a known problem.

Ross

KS-Soft · Joined: 03 Apr 2002 Posts: 12795 Location: USA

Could you please show settings of the test?
You may export test properties using menu File->Export to text file->Export selected test(s). After export you may simply copy&paste information into the forum.

Regards
Alex

myxiplx · Joined: 13 Apr 2004 Posts: 21

;-----------------------------------------------------------------------------
;- HostMonitor`s export/import file -
;- Generated by HostMonitor at 15/04/2004 12:09:33 -
;- Source file: C:\Program Files\HostMonitor4\robinsons.hml -
;- Generation mode: Selected_Tests -
;-----------------------------------------------------------------------------

; ------- Test #01 -------

Method = NTLog
;--- Common properties ---
;DestFolder = Robinsons\Event Logs\
Title = SUS Server Update
Comment = SUS Server Update
RelatedURL =
ScheduleMode= Regular
Schedule =
Interval = 600
Alerts = Robinsons Event - Bad only
ReverseAlert= No
UnknownIsBad= No
UseCommonLog= Yes
PrivLogMode = Default
CommLogMode = Default
SyncCounters= Yes
SyncAlerts = No
DependsOn = list
MasterTest-Alive = rob-028
;--- Test specific properties ---
Computer = rob-028
Log = System
Source = WUSyncService
CheckComp = Any
CheckType = AnyFromList
CheckID = Any
CheckDescr = Any
CompList =
TypeList = Error
TypeList = Warning
IDList =
DescrList =
ReportMode = LastEvent

;-----------------------------------------------------------------------------
; Exported 1 tests

KS-Soft · Joined: 03 Apr 2002 Posts: 12795 Location: USA

Strange... all settings look correctly.
Could you setup action profile (assigned to the test) to send e-mail when event occurs? If you use event related macro variables in the mail body (such as %NTEventSource%, %NTEventComp%, %NTEventType%, %NTEventID%, etc), you will see what exactly event HostMonitor takes...

Regards
Alex

myxiplx · Joined: 13 Apr 2004 Posts: 21

I already do, below is the e-mail I receive regarding this service. The event viewer shows this event as an information event, but hostmonitor reports it as bad anyway.

I'm currently speaking with Microsoft as I believe there may be problems with either SUS or the event log on this machine.

-------------------

Event log text:
Software Update Services successfully synchronized all content.

Your server is completely up-to-date.

User Action

To view the list of files that may have been added, removed, or updated during this synchronization, see the synchronization log.

To see the synchronization log, go to the Software Update Services Admin Web site (http://<YourServerName>/SUSAdmin), and then click the View synchronization log link.

For more information about administering a server running Software Update Services, see the Microsoft Software Update Services Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=6928).

Message from HostMonitor (host changed status)

Test : SUS Server Update
Method: check NT Event Log
Status : Bad
Date : 16/04/2004 04:02:37
Reply : 0 ms

Recurrences : 1
Last status: Ok
Total tests: 722
Alive ratio : 98.75
Dead ratio: 1.25

Folder: Event Logs

KS-Soft · Joined: 03 Apr 2002 Posts: 12795 Location: USA

nicksp · Joined: 20 Jan 2004 Posts: 7

I also have the same problem with the Software Update info alert getting picked up as a warning/error.

Although not 100% sure i think this is a bug with SUS. Whenever I run a eventlog query using WMI or MS logparser some of the data for SUS (only) is missing. From memory the eventttype field is listed as an "Unknown event".
This is probably causing ahm to include it in the query specs.

We can either wait for the new version of SUS (shortly) or you may want to add an additional criteria for "unknown event" in the event type selection.

HTH, Nick

KS-Soft · Joined: 03 Apr 2002 Posts: 12795 Location: USA

I checked HostMonitor's code - if some application records event with invalid type (I don't know it that possible) HostMonitor should ignore this event. It should ignore any event with type different from specified (of course if you use appropriate filter).

Did you use macro variables (%NTEventSource%, %NTEventComp%, %NTEventType%, %NTEventID%, etc) to check what exactly HostMonitor sees in the log?

Regards
Alex

myxiplx · Joined: 13 Apr 2004 Posts: 21

Hi,

I've just realised that the SUS server events have a type of 'none'. They are shown in event viewer as information events, but the event properties shows the problem.

Is there any way around this in HostMonitor? I only want to be alerted if the type is Error or Warning.

I'm contacting Microsoft now to inform them of the problem, but I suspect I will get a faster response here.

many thanks,

Ross

KS-Soft · Joined: 03 Apr 2002 Posts: 12795 Location: USA

Type of 'none'??
Could you setup HostMonitor to send-email when it find such event? Please use %NTEventType% variable in the mail template. It will display real type of the event (integer number). What number you will see?

Regards
Alex

myxiplx · Joined: 13 Apr 2004 Posts: 21

Hi Alex,

It shows a type of 0:

Event ID: 104
Source: WUSyncService
Computer: ROB-028
Event Type: 0
Event Time: 04/02/2005 03:00:37
Event User -

Event log text:
---------------------------------------------------------------
Software Update Services successfully synchronized all content.
Your server is completely up-to-date.

KS-Soft · Joined: 03 Apr 2002 Posts: 12795 Location: USA

H'm, originally..
Ok, I made some changes. Update available at http://www.ks-soft.net/download/hm501.zip
Please install version 5.00 before using this update (its not critical, this way you will have up to date manual and help file)

Regards
Alex