NT Event Log

[nate-boit]

Maybe i'm an idiot, but when you export a registry key it is not a DLL. Are you talking about the DLLs that the key specifies for various things? I copied all the DLLs i saw mentioned in the key to into my EventLogDlls folder and still get the same message:

Code: Select all

"Message not found.  Insertion strings:<username/computer name>$, DOMAIN, (0x0,0x316E88CC), 3, Kerberos, Kerberos, , {d6299ea5-4d21-a10d-59ae-ae4a2ec859ff}, -, -, -, -, -, <IP address>, 3253"

Messages exactly like that keep flashing in the Reply section for all of the different users.

This is only happening for two of the many computers i am trying to log events from. One of them is the primary domain controller. However, i also get a similar error on any computer whenever i check the "Success Audit" field for the event logs.

Any help would be greatly appreciated. Thanks

BTW, i am using version 6.20 Beta running on Windows XP SP2. Most, if not all, of the servers i am logging events from are Windows Server 2003.

[KS-Soft]

Maybe i'm an idiot, but when you export a registry key it is not a DLL. Are you talking about the DLLs that the key specifies for various things? I copied all the DLLs i saw mentioned in the key to into my EventLogDlls folder and still get the same message:

Sorry if I was not clear. We are talking about the KEY AND DLL. You should export and import the key AND you should copy the DLL.

Regards
Alex

[ttewes]

Hello,

i have searched for the problem and i found when i open the Event-File under

C:\WINDOWS\system32\config\SysEvent.Evt

with Notepad it contains the value:

"R E A S O N = % % 4 1 3 0".

When i save the Event File as "csv-File" there is the correct entry:

"Reason = Authentication failed because the user
account is not enabled. Before the account can
be authenticated, a person with administrative
rights for either the computer or the domain
must enable the user account.".

Have you any idea ??

regards
ttewes

[KS-Soft]

Yes, I understand that Windows Event Viewer resolves "% % 4 1 3 0". Unfortunately we still cannot find any manual that describes how to resolve such variables...

Regards
Alex

[KS-Soft Europe]

i have searched for the problem and i found when i open the Event-File under
C:\WINDOWS\system32\config\SysEvent.Evt
with Notepad it contains the value:
"R E A S O N = % % 4 1 3 0".

Could you start the EventViewer on the machine, when HostMonitor is running, please? Using menu "Action" > "Connect to another computer" you may connect to the machine, who generates mentioned event, and find the appropriate record. Do you see the properly description for this record?

Regards,
Max

[KS-Soft Europe]

have you found some answer for my problem ??

Could you install the RMA on machine you want to monitor Event Log and perform the NT Event Log test by RMA? In such case in Test Properties Window for the test you should specify Test by parameter as RMA and Computer (UNC) as <local computer> (for RMA it is local machine).
Do you see the properly description now?

Regards,
Max

[ttewes]

Could you start the EventViewer on the machine, when HostMonitor is running, please? Using menu "Action" > "Connect to another computer" you may connect to the machine, who generates mentioned event, and find the appropriate record. Do you see the properly description for this record?

Yes, i see the properly description for this event.

Could you install the RMA on machine you want to monitor Event Log and perform the NT Event Log test by RMA? In such case in Test Properties Window for the test you should specify Test by parameter as RMA and Computer (UNC) as <local computer> (for RMA it is local machine).
Do you see the properly description now?

With the RMA, the description is still not correct.

Regards,
ttewes

[KS-Soft Europe]

We have found the solution. We will modify our code in next version.

Regards,
Max

[ttewes]

That`s great !

Thanks for your help !!!!

Best Regards,
ttewes

[KS-Soft]

Version 6.40 Beta available at http://www.ks-soft.net/hostmon.eng/downpage.htm

Regards
Alex

[Nadir]

If I install new version (6.54), must I copy dlls files and registery key (on AHM server) to see EventLog test reply correctly?

Thanks

[KS-Soft Europe]

If I install new version (6.54), must I copy dlls files and registery key (on AHM server) to see EventLog test reply correctly?

You should copy appropriate dll into EventLogDlls subdirectory of HostMonitor folder only if you check Event Log on remote machine and such dll is not installed on the system, where HostMonitor is running. If you are using previous version of HostMonitor, like 6.24 and you already copied these dlls you may select "Update/repair" installation mode and in this case you do not need to copy any dlls. If you want to install version 6.54 onto clean machine, you may copy EventLogDlls subdirectory of HostMonitor folder from previous installation.

Regards,
Max

[Nadir]

If I copy all dll file in EventLogDlls subdirectory of HostMonitor folder, and import registry key the path in EventMessageFile value will become false no?

[KS-Soft Europe]

At first, if you copy dlls into EventLogDlls subdirectory of HostMonitor folder, you do not have to import registry keys.
I do not think it is a good idea to copy all dll's at once. Do you know exactly which dlls are present on remote system and not present on the system where HostMonitor is running? Are you sure you will monitor Event records, that use all these dlls? If you already have some dlls in EventLogDlls subdirectory, then you may copy them into new HostMonitor's location. I would suggest you copy appropriate dll only when you face to the problem with certain Event description.

Regards,
Max

[Nadir]

Hi,

All events logs generated by Trend server Protect do not display correctly it's for that I've copied the appripriate dll (EventMsg2.dll) in hostMonitor directory. I have restart AHM but it doesn't change anythings.

AHM 6.54 started as service on Win 2003

Thanks for help