Summary text missing event descriptions

Sep 11, 2012 at 6:05 PM

Hi, I'm setting up EventScavenger in a lab right now. I plan to use it for a client once I get my head wrapped around it. 

One thing I have noticed is that the event log is collected without the text that you would normally see in the Event Viewer. For example, I get this as the Summary for a DCOM error:

The description for Event ID '-1073731808' in Source 'DCOM' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'application-specific', 'Local', 'Launch', ...

Do you know of a way to get all of the info imported? I know I can generally figure out common errors like the DCOM error above, but for custom applications that will likely be present in a third-party environment, I'd like to have the same text that will show up on the local computer.

Any help is appreciated!

Thanks,

Matt

Coordinator
Sep 12, 2012 at 10:34 AM

Hi, thanks for trying out this tool.

First thing I have to ask is what your environment looks like, i.e. what OSes, versions, etc.

I can't say that I've experienced a problem like this - nor has anyone else reported something like this yet. Generally, if the service can access the relevant event log at all, then all properties, including the actual text of the event log entry, are gathered. However, I have not tested this on the latest versions of Windows (8 or 2012) yet. Perhaps they changed something that I'm not aware of.

Regards

Rudolf

Sep 12, 2012 at 4:44 PM

Thanks for the fast response. And I forgot to mention - great tool! I am a DBA who was considering writing an SSIS package to get this functionality. I think I'm going to get what I need out of your tool much faster than writing my own.

I am using Windows 2008 R2 with SP1 and the latest patches. Everything is really vanilla as it is a lab environment. The service account is an Administrator on the local machine and is in the Event Log Readers group on the monitored machines. 

Most of the events come through fine. Some sources (such as SceCli) come through for the local machine, but not for the remote machines. Others (such as WinMgmt) don't come through for the local machine at all. 

I should also say, I don't think this is related to the tool, because I was seeing the same issue while pulling the event logs using C# code and the 'EventLog' class. I just figured it was something that you might have encountered before. I'll share more as I try to figure the problem out.

Regards,

Matt

Coordinator
Sep 13, 2012 at 9:38 AM

I suspect, like you say, it is a problem with the way the .Net framework implemented the old EventLog class. You can also try to use the other EventScavenger service (the Collector one), which uses the newer .Net event-driven classes. The only problem with it is that it only captures events 'as they happen'. If you have existing entries in the log it won't be able to retrieve them.

Sep 13, 2012 at 2:04 PM

My only hesitation with that is that I would like to avoid installing software on the monitored systems, as I won't have access to log on and manage it. I'll check it out in the lab just to see if my problem goes away.

I think this is a small enough issue that I'll move forward with setting this up for the client. Again- great tool, thanks for sharing your work.


Coordinator
Sep 25, 2012 at 7:45 AM

In an offline discussion we figured out that it was the 'Remote Registry' service not running on the remote machines that was causing the issue. The solution is to simply enable it.

Sep 27, 2012 at 6:10 PM

Interesting - we do have that service turned on in my lab (not sure about the customer's env). I'm disabling the firewall in the lab to see if that helps. I'll post back what I find.

Oct 1, 2012 at 5:48 PM

Well, the firewall wasn't preventing the service from collecting these descriptions. I'm not sure what it is, but I'm going to table the research for now. Hopefully I'll be able to circle back at some point and see what the issue was.

Thanks again for your help with this and for putting this tool out there.
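The practical risk in this thread is a silent collection blind spot: the events are stored, but for some hosts and sources the summary is only the "description ... cannot be found" placeholder, so anything keyed on the rendered text (alerts, searches, reports) misses them. The script below is an added example, not part of EventScavenger or of the thread, that scans collected summaries for that exact placeholder text, recovers the source, the raw instance ID and the insertion strings, and tallies unresolved descriptions per host and source so the affected machines can be checked (for instance for the 'Remote Registry' service the coordinator identified). The sample records are constructed; the only real text among them is the DCOM placeholder quoted in the first post. The Event ID shown by Event Viewer is taken as the low 16 bits of the 32-bit instance ID (the standard Windows message-ID layout), which turns -1073731808 into 10016.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Placeholder text that the .NET EventLog class (and Event Viewer) substitutes when the
# message DLL registered for a source cannot be read on the collecting machine. The number
# in it is the raw instance ID printed as a signed 32-bit integer; the Event ID users know
# is its low 16 bits (assumption: standard Windows message-ID layout).
UNRESOLVED_RE = re.compile(
    r"The description for Event ID '(?P<instance>-?\d+)' in Source '(?P<source>[^']+)' "
    r"cannot be found\..*?The following information is part of the event:(?P<inserts>.*)",
    re.DOTALL,
)


@dataclass
class UnresolvedEvent:
    host: str
    source: str
    instance_id: int                                   # signed value as printed in the placeholder
    event_id: int                                      # low 16 bits: what Event Viewer displays
    inserts: List[str] = field(default_factory=list)   # raw insertion strings that survived


def parse_unresolved(host: str, summary: str) -> Optional[UnresolvedEvent]:
    """Return an UnresolvedEvent if `summary` is the placeholder text, otherwise None."""
    m = UNRESOLVED_RE.search(summary)
    if m is None:
        return None
    instance_id = int(m.group("instance"))
    return UnresolvedEvent(
        host=host,
        source=m.group("source"),
        instance_id=instance_id,
        event_id=instance_id & 0xFFFF,
        inserts=re.findall(r"'([^']*)'", m.group("inserts")),
    )


def audit(records: Iterable[Tuple[str, str]]):
    """Scan (host, summary) pairs; return the unresolved events and a per-(host, source) count.

    A non-zero count for a host/source pair means the collector could not resolve that
    source's message DLL for that host, so rendered-text searches will miss those events.
    """
    found: List[UnresolvedEvent] = []
    counts: Counter = Counter()
    for host, summary in records:
        ev = parse_unresolved(host, summary)
        if ev is not None:
            found.append(ev)
            counts[(host, ev.source)] += 1
    return found, counts


# Constructed sample records (hypothetical hosts LAB-APP1 / LAB-APP2): the first summary is
# the DCOM placeholder quoted in the thread, the second a normally rendered description,
# the third a constructed unresolved SceCli entry with no insertion strings at all.
SAMPLE_RECORDS = [
    ("LAB-APP1",
     "The description for Event ID '-1073731808' in Source 'DCOM' cannot be found.  "
     "The local computer may not have the necessary registry information or message DLL "
     "files to display the message, or you may not have permission to access them.  "
     "The following information is part of the event:'application-specific', 'Local', 'Launch', ..."),
    ("LAB-APP1",
     "Security policy in the Group policy objects has been applied successfully."),
    ("LAB-APP2",
     "The description for Event ID '1704' in Source 'SceCli' cannot be found.  "
     "The local computer may not have the necessary registry information or message DLL "
     "files to display the message, or you may not have permission to access them.  "
     "The following information is part of the event:"),
]

if __name__ == "__main__":
    events, counts = audit(SAMPLE_RECORDS)
    for (host, source), n in sorted(counts.items()):
        print(f"{host}: {n} unresolved description(s) from source '{source}'")
    for ev in events:
        print(f"  {ev.host} {ev.source} id={ev.event_id} (raw {ev.instance_id}) inserts={ev.inserts}")
```

Run periodically against the summaries the collector has stored (replace SAMPLE_RECORDS with a query over the collected table) and treat any host/source pair that appears in the tally as a collection gap to fix on the collecting side, not as a fault in the monitored machine's log: the event was recorded correctly, only its description could not be rendered.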