NT Event Log

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

By RMA
Ha ha. Then the DLL should be located on the system where RMA is running :)
EventLogDlls should be created in RMA's home folder.

Regards
Alex
Nadir
Posts: 264
Joined: Mon Aug 29, 2005 2:01 am

Post by Nadir »

Doesn't work!!
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

May we have access to your system?

Regards
Alex
Nadir
Posts: 264
Joined: Mon Aug 29, 2005 2:01 am

Post by Nadir »

Sorry, but I'm not the security admin and I don't think that will be done :(
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am

Post by KS-Soft Europe »

What exact version of Trend Micro antivirus generates the event you are monitoring using the "NT Event Log" test method?

Regards,
Max
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

What version of the agent do you use?

Regards
Alex
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am

Post by KS-Soft Europe »

Also, what exact EventId do you monitor?

Regards,
Max
Nadir
Posts: 264
Joined: Mon Aug 29, 2005 2:01 am

Post by Nadir »

What exact version of Trend Micro antivirus does generate event
Trend ServerProtect 5.5
you are monitoring using "NT Event Log" test method?
Exact
What version of the agent do you use?
3.38
Also, what exact EventId do you monitor?
211, 212, 220
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am

Post by KS-Soft Europe »

We have installed Trend Micro and tested RMA, everything works fine.

Probably you did not understand me or did something wrong. Let's clear it up.
Let's consider: HostMonitor is running on system A. RMA is running on system B. RMA is checking the event log on system C.
So, on system C, you should start regedit.exe or Regedt32.exe and export the
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SpntLog] key to a text file (e.g. spnt.reg). After that you should copy it to system B (where RMA is running). On system B, you should start regedit.exe or Regedt32.exe and import this spnt.reg file into the registry. Now there are 2 options:
1) on system B, create the EventLogDlls\ subdirectory in RMA's home folder and copy the specified DLL (EventMsg2.dll) into this subfolder (copy the DLL from system C to system B where RMA is running)
2) or you may modify the path specified in the registry to fit your existing folder structure and copy the specified DLL into that folder (e.g. c:\Windows\system32\)
That's all.

For instance, on my system, exported key looks like:

Code:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SpntLog]
"CategoryMessageFile"="C:\\WINDOWS\\system32\\EventMsg2.dll"
"EventMessageFile"="C:\\WINDOWS\\system32\\EventMsg2.dll"
"ParameterMessageFile"="C:\\WINDOWS\\system32\\EventMsg2.dll"
"CategoryCount"=dword:00000008
"TypesSupported"=dword:00000007
After importing the registry key on system B, I copied EventMsg2.dll from system C to C:\WINDOWS\system32 on system B.

Regards,
Max
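The procedure above can be checked from the RMA system itself. The following PowerShell script is an added example (not KS-Soft's code): for a given log and event source it reads the message-file values that the imported key registers and reports whether each DLL is present in RMA's EventLogDlls\ folder or at the registered path, which is the condition RMA needs to format the event text. The RMA home folder and the parameter names are assumptions.

```powershell
param(
    [string]$LogName = 'Application',
    [string]$Source  = 'SpntLog',
    # Assumed RMA home folder; adjust to the real install location.
    [string]$RmaHome = 'C:\Program Files (x86)\HostMonitor\RMA-Win'
)

# Same key Max exports on system C and imports on system B.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName\$Source"
if (-not (Test-Path $key)) {
    Write-Output "Source '$Source' is not registered under log '$LogName' on this system."
    Write-Output "Export this key on the system that writes the log and import it here first."
    exit 1
}

$props  = Get-ItemProperty -Path $key
$dllDir = Join-Path $RmaHome 'EventLogDlls'

foreach ($name in 'EventMessageFile', 'CategoryMessageFile', 'ParameterMessageFile') {
    $raw = $props.$name
    if (-not $raw) { Write-Output "${name}: not set"; continue }
    # A value may list several DLLs separated by ';' and may use %SystemRoot%-style variables.
    foreach ($entry in ($raw -split ';')) {
        $path = [Environment]::ExpandEnvironmentVariables($entry.Trim())
        $dll  = Split-Path -Leaf $path
        $copy = Join-Path $dllDir $dll
        if (Test-Path $copy) {
            $status = "OK, found in $dllDir"
        } elseif (Test-Path $path) {
            $status = "OK, found at registered path $path"
        } else {
            $status = "MISSING: copy $dll from the monitored system into $dllDir"
        }
        Write-Output "${name}: $dll -> $status"
    }
}
```

Run it on system B after importing the .reg file; a MISSING line points at exactly the DLL that still has to be copied over.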
qwerty
Posts: 15
Joined: Thu Sep 12, 2013 5:48 am

Post by qwerty »

Hello,

We have the same issue:
1. server01 - HM
2. server01 - RMA
3. Want to get any errors from the System log

Get the reply:

Code:

Reply   : Message not found.  Insertion strings:

Code:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System]
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Why are you running HostMonitor and RMA on the same system (server01)?
Is the test performed by the agent? Version?
Does the agent check some remote system (server02)? Windows? Service Pack?
Have you created the EventLogDlls\ subdirectory?
Have you created the registry record?

Regards
Alex
qwerty
Posts: 15
Joined: Thu Sep 12, 2013 5:48 am

Post by qwerty »

Why are you running HostMonitor and RMA on the same system (server01)?
This is a test setup - I want to check the local server.
Is the test performed by the agent? Version?
Test by: HostMonitor 9.58
Does the agent check some remote system (server02)? Windows? Service Pack?
Tried now one server with the same result: Microsoft Windows Server 2008 R2, Enterprise x64 Edition Version 6.1 (Build 7601 : Service Pack 1) (x64) Server Full Installation
Have you created the EventLogDlls\ subdirectory?

Code:

"c:\Program Files (x86)\HostMonitor\EventLogDlls"
"c:\Program Files (x86)\HostMonitor\RMA-Win\EventLogDlls"
both with wevtapi.dll
Have you created the registry record?
Which record in my case?
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

If you check the local system then it should work...
Which event exactly is not processed?

Regards
Alex
qwerty
Posts: 15
Joined: Thu Sep 12, 2013 5:48 am

Post by qwerty »

Which event exactly is not processed?

Code:

EVENTCREATE /T ERROR /ID 1000 /L SYSTEM /D "My application error mesaage"
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

EventCreate? Yes, the Windows API will return an error for such events. You may try Windows Event Viewer; the result should be the same.

Regards
Alex