How do I monitor a non-default NT EventLog container?

[Wolfgang Bach]

I never had any specific Source configured. I'm forced to select a Event-Log and in my case i can only choose between the following eventlogs:

- Application
- HardwareEvents
- Internet Explorer
- Key Management Service
- Security
- System

I can leave "source" blank but have to select a log.

Regards

[KS-Soft]

We have tested HostMonitor on system with Microsoft Virtual Machine and we cannot get these events as well. Will investigate the problem....

Regards
Alex

[Wolfgang Bach]

Hi Alex,

whats the status of this problem? I'm running HM 8.32 and it still doesn't work.

Regards

[Wolfgang Bach]

Any updates available? Still hoping for a fix...
I've tested it now with HM 8.54.... still not working.

Regards.

[KS-Soft]

I though we fixed this in version 8.50 or so
We will re-check this today...

Regards
Alex

[KS-Soft]

Yeah, you are right - it does not work
We are checking why....

Regards
Alex

[Wolfgang Bach]

Hi Alex,

still not working on my HM 8.80. Can you please investigate?

Regards, Wolfgang

[KS-Soft]

Are you using new "Compatibility: Windows Vista" option for this NT Event Log test?
If so, could you please export test settings into text file using menu File->Export into text file and send it to support@ks-soft.net (or post here)?

Regards
Alex

[Wolfgang Bach]

m using Windows-NT Mode. When using Vista mode i got an error "Cannot load wevtapi.dll".

[KS-Soft Europe]

I assume, HostMonitor is started on OS previous to Vindows Vista (E.g. Windows server 2003, Windows XP e.t.c..) ?
HostMonitor uses Windows API for NT Events Log test, so "Windows Vista mode" can be used on Windows Vista and later OS.

Quote from manual:
http://www.ks-soft.net/hostmon.eng/mfra ... m#chkNTLog

Compatibility
For each test item you may choose "Windows NT API" or "Windows Vista+ API" mode. If HostMonitor is started on Windows Vista, Windows 2008 or Windows 7 and target host uses one of these operational systems as well, we recommend using "Windows Vista API" mode. Otherwise you should use "Windows NT API" mode that works fine for Windows 2000, Windows XP and Windows Server 2003 as well.

[Wolfgang Bach]

HostMonitor is started on Windows Server 2003, so i'm using "Windows NT mode". The problem is that i dont get the right eventlog entries from the target machines. I get something like "Message not found" or nothing sometimes.

[KS-Soft Europe]

I get something like "Message not found" or nothing sometimes.

Please check the following article about how to resolve "Message not found" issue:
http://www.ks-soft.net/cgi-bin/phpBB/vi ... php?t=4846

[Wolfgang Bach]

i thought this was fixed in HM 8.00?:

NT Event Log test: when Event Log API cannot retrieve complete event description from remote system (e.g. necessary DLL is not installed on local system), HostMonitor may request additional information using WMI technology. This is especially handy when you need to monitor remote Windows Vista or Windows Server 2008 system.

[KS-Soft]

Fixed? Its not a bug.
WMI is another way, HostMonitor tries to use WMI when it cannot receive description in "normal" way. This does not mean this workaround will work on all systems... you may try to setup any WMI test against this remote system and check if it works.

Anyway, if you want to monitor new logs/channels specific to Windows Vista, Windows 2008 or Windows 7 system, you should install HostMonitor or RMA on Windows Vista or higher Windows OS.
If you want to keep HostMonitor on Windows Server 2003 and monitor such logs on Windows Vista, I would recommend to install Remote Monitoring Agent (RMA) on Windows 2008/Windows 7 system and use this agent to check Windows Vista+ Event Logs.

Regards
Alex