NT Event Log

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Servie, RCC).
nate-boit
Posts: 33
Joined: Thu Sep 28, 2006 2:50 pm

Post by nate-boit »

Maybe i'm an idiot, but when you export a registry key it is not a DLL. Are you talking about the DLLs that the key specifies for various things? I copied all the DLLs i saw mentioned in the key to into my EventLogDlls folder and still get the same message:

Code: Select all

"Message not found.  Insertion strings:<username/computer name>$, DOMAIN, (0x0,0x316E88CC), 3, Kerberos, Kerberos, , {d6299ea5-4d21-a10d-59ae-ae4a2ec859ff}, -, -, -, -, -, <IP address>, 3253"
Messages exactly like that keep flashing in the Reply section for all of the different users.

This is only happening for two of the many computers i am trying to log events from. One of them is the primary domain controller. However, i also get a similar error on any computer whenever i check the "Success Audit" field for the event logs.

Any help would be greatly appreciated. Thanks

BTW, i am using version 6.20 Beta running on Windows XP SP2. Most, if not all, of the servers i am logging events from are Windows Server 2003.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:

Post by KS-Soft »

Maybe i'm an idiot, but when you export a registry key it is not a DLL. Are you talking about the DLLs that the key specifies for various things? I copied all the DLLs i saw mentioned in the key to into my EventLogDlls folder and still get the same message:
Sorry if I was not clear. We are talking about the KEY AND DLL. You should export and import the key AND you should copy the DLL.

Regards
Alex
ttewes
Posts: 20
Joined: Mon Sep 11, 2006 7:30 am
Location: Germany

Post by ttewes »

Hello,

i have searched for the problem and i found when i open the Event-File under

C:\WINDOWS\system32\config\SysEvent.Evt

with Notepad it contains the value:

"R E A S O N = % % 4 1 3 0".

When i save the Event File as "csv-File" there is the correct entry:

"Reason = Authentication failed because the user
account is not enabled. Before the account can
be authenticated, a person with administrative
rights for either the computer or the domain
must enable the user account.".

Have you any idea ??

regards
ttewes
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:

Post by KS-Soft »

Yes, I understand that Windows Event Viewer resolves "% % 4 1 3 0". Unfortunately we still cannot find any manual that describes how to resolve such variables...

Regards
Alex
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am
Contact:

Post by KS-Soft Europe »

ttewes wrote:i have searched for the problem and i found when i open the Event-File under
C:\WINDOWS\system32\config\SysEvent.Evt
with Notepad it contains the value:
"R E A S O N = % % 4 1 3 0".
Could you start the EventViewer on the machine, when HostMonitor is running, please? Using menu "Action" > "Connect to another computer" you may connect to the machine, who generates mentioned event, and find the appropriate record. Do you see the properly description for this record?

Regards,
Max
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am
Contact:

Post by KS-Soft Europe »

ttewes wrote:have you found some answer for my problem ??
Could you install the RMA on machine you want to monitor Event Log and perform the NT Event Log test by RMA? In such case in Test Properties Window for the test you should specify Test by parameter as RMA and Computer (UNC) as <local computer> (for RMA it is local machine).
Do you see the properly description now?

Regards,
Max
ttewes
Posts: 20
Joined: Mon Sep 11, 2006 7:30 am
Location: Germany

Post by ttewes »

KS-Soft Europe wrote: Could you start the EventViewer on the machine, when HostMonitor is running, please? Using menu "Action" > "Connect to another computer" you may connect to the machine, who generates mentioned event, and find the appropriate record. Do you see the properly description for this record?
Yes, i see the properly description for this event.

KS-Soft Europe wrote: Could you install the RMA on machine you want to monitor Event Log and perform the NT Event Log test by RMA? In such case in Test Properties Window for the test you should specify Test by parameter as RMA and Computer (UNC) as <local computer> (for RMA it is local machine).
Do you see the properly description now?
With the RMA, the description is still not correct.

Regards,
ttewes
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am
Contact:

Post by KS-Soft Europe »

We have found the solution. We will modify our code in next version.

Regards,
Max
ttewes
Posts: 20
Joined: Mon Sep 11, 2006 7:30 am
Location: Germany

Post by ttewes »

That`s great ! :D

Thanks for your help !!!!

Best Regards,
ttewes
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:

Post by KS-Soft »

Version 6.40 Beta available at http://www.ks-soft.net/hostmon.eng/downpage.htm

Regards
Alex
Nadir
Posts: 264
Joined: Mon Aug 29, 2005 2:01 am

Post by Nadir »

If I install new version (6.54), must I copy dlls files and registery key (on AHM server) to see EventLog test reply correctly?

Thanks
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am
Contact:

Post by KS-Soft Europe »

Nadir wrote:If I install new version (6.54), must I copy dlls files and registery key (on AHM server) to see EventLog test reply correctly?
You should copy appropriate dll into EventLogDlls subdirectory of HostMonitor folder only if you check Event Log on remote machine and such dll is not installed on the system, where HostMonitor is running. If you are using previous version of HostMonitor, like 6.24 and you already copied these dlls you may select "Update/repair" installation mode and in this case you do not need to copy any dlls. If you want to install version 6.54 onto clean machine, you may copy EventLogDlls subdirectory of HostMonitor folder from previous installation.

Regards,
Max
Nadir
Posts: 264
Joined: Mon Aug 29, 2005 2:01 am

Post by Nadir »

If I copy all dll file in EventLogDlls subdirectory of HostMonitor folder, and import registry key the path in EventMessageFile value will become false no?
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am
Contact:

Post by KS-Soft Europe »

At first, if you copy dlls into EventLogDlls subdirectory of HostMonitor folder, you do not have to import registry keys.
I do not think it is a good idea to copy all dll's at once. Do you know exactly which dlls are present on remote system and not present on the system where HostMonitor is running? Are you sure you will monitor Event records, that use all these dlls? If you already have some dlls in EventLogDlls subdirectory, then you may copy them into new HostMonitor's location. I would suggest you copy appropriate dll only when you face to the problem with certain Event description.

Regards,
Max
Nadir
Posts: 264
Joined: Mon Aug 29, 2005 2:01 am

Post by Nadir »

Hi,

All events logs generated by Trend server Protect do not display correctly it's for that I've copied the appripriate dll (EventMsg2.dll) in hostMonitor directory. I have restart AHM but it doesn't change anythings.

AHM 6.54 started as service on Win 2003

Thanks for help
Post Reply