Big Events.log in $COMMON_TOP/admin/log

Hello,
I have noticed there are always many logs in the $COMMON_TOP/admin/log. Apart from the concurrent managers logs etc, there are those Events.logs which can grow to any size as long as the apps keeps running.
New ones are however created upon restart of apps and I can clear the old ones.
I would like to reduce what is written to the Events.log so that they do not grow too big. Can someone let me know how to do this or point me to an article on these logs?
Regards

I have found the solution I wanted and I think it may be useful to someone later and that is why I am posting this.
Those LARGE eventxx.logs under $COMMON_TOP/admin/log are Fulfillment Server logs and looking through them, I don't really know their benefits and I have been deleting them but I can switch off the logging now.
This is detailed in the metalink note ID 601375.1
I got this when I came across this link on the internet:
http://newappsdba.blogspot.com/2008/12/huge-eventslog-files-in-applcsfappllog.html
Regards
Edited by: user12191278 on 18-Jan-2010 05:24

Similar Messages

  • Creating a Custom Event Log View Shortcut on a server desktop for an admin

    Good morning,
    We have a new admin starting and I would like to create a custom event log view shortcut on their desktop for each server they need to check. Is there a way to do this in Server 2012 and Server 2008?
     I have figured out how to create a shortcut of the Application and System log, but not Custom Views. Thanks.

    Hi,
    Based on my research, you can create a custom view like this. However, I tried multiple ways to create a shortcut of the custom view of the event viewer with no result. I can only create a shortcut of the event viewer. You may need a script that can achieve that.
    Best regards,
    Susie

  • RAID Admin Event Log?

    I'm seeing some strange behavior with our RAID Admin event log. On Friday, I did a rebuild of one of our RAIDs and, in the event log, there was an entry added that said "RAID Rebuild Started" or something along those lines.
    Today I opened RAID Admin and that event entry was gone. All of the other events around it were still there (removing and reinserting a drive, etc.), but not the actual rebuild message (or the subsequent success message).
    Is this normal behavior?

    Yes, that is normal behavior. If there were any problems with the rebuild, you would see error messages in the event log, but the message about starting the rebuild does disappear after the rebuild finishes.
    -Phoenix

  • Questions about BT Home Hub 4A event log - WIFI c...

    Hope someone can help please ?
    I had BT Infinity installed 2 weeks ago with the HH 4 (type A) and everything has worked - connection found, no problem.
    This week, my ipod touch was unable to join the network but the iphone 5, another ipod and a tablet could connect without a problem. The ipod touch managed to connect to another WIFI used at the property and my work wifi without a problem.
    I thought it maybe the ipod touch as it was quite old but that doesn't make sense since it connects fine to other networks.  I restored network settings and other options suggested by Apple but to no avail.
    I have turned my attention to the Hub. My laptop (older than the ipod touch) gets the connection no problem along with the other devices.  I went into the hub management page but I am not smart enough to decipher the event log so would like some help so I can fix this because I thought BT Infinity was the better more reliable option?
    The ipod touch Wifi IP address is 00:25:00:b7:35:f6.
    On the event log, it shows STA before the address - but it shows STA before all the device IP addresses. Should I change this to DHCP ? or is this (Static ? alright)
    The Lease on all the devices on the event log is set to 1440 min. (1 day) is that alright too, what does it mean ?
    Do I have to keep renewing the lease ? How do I do that ? I read it can be set to 21 days ?
    Going back to the IP address on the ipod it shows the Hostname as 00:25:00:B7:35:f6-2 this is different to the IP address with the -2. Could that be a cause of the unable to join network or is it because I attempted to recreate the network on the ipod so its the second version of that host name ?
    Is there any setting I can change to fix this because I am concerned the same thing will happen to the other devices and then the laptop....
    What do I need to do to be able to get my ipod touch to connect to the BT network setting ?
    I think its the hub 4A causing the 'block' on the ipod touch not the device and I think its maybe a matter of changing a setting - but then why was it all fine before when Infinity was first installed ?
    Lastly my laptop (7 Years old) seems to be attached to the 5GHZ Wireless channel - is that alright ? The other more recent devices are on the 2.4ghz channel (except the ipod touch which isn't on any !!)
    Is it alright to turn the hub on / off ? -I am resisting that because I don't want to make the situation worse. 
    Sorry but what does client disassociated mean and all the BLOCKS - do they relate to firewall ?
    Please can you review the event log and my questions ?
    Many thanks
    angie 2601 
    The time frame is 3.55am 8/8/2013 - 7.16 am 8/8/2013
    (Latest (7.16am) at the top)

    It could be that the Ipod touch is having problems with both the 2.4GHz and 5GHz frequencies being named the same. If you give them separate SSids it may help. ie add a 5 to the 5GHz SSid.
    If you do this you will need to re-connect all your devices that can see both frequencies to both SSids so that they will swap between the frequencies seamlessly whenever they need to.
    See link how to change SSid.
    http://bt.custhelp.com/app/answers/detail/a_id/44504/related/1/session/L2F2LzEvdGltZS8xMzc1OTY2ODIxL...
    Once you have changed the SSid I would delete the network connection on the Ipod touch and start again.

  • Exception write to event log when user not found in active directory

    I'm trying to use an exception to write to an event log to show which user did not get imported from my csv file. Any help to write this exception is appreciated. Thanks
    Import-CSV $importfile | ForEach-Object {
        $samaccountname = $_.sAMAccountName.ToLower() # samaccountname on csv file
        Try {
            $exists = Get-ADUser -LDAPFilter "(sAMAccountName=$samaccountname)" # Filter user by samaccountname
        }
        Catch {
            write-host "Users did not exist." # user does not exist
        }
    }

    To your question:
    "How can I create a new event log every time without saving to the original event log textfile?"
    The answer provided by Mike Laughlin doesn't require you save anything to a text file - so either I'm misunderstanding this follow-up, or you are misunderstanding Mike's post. :)
    To answer your other follow up... try:
    $goodCount = 0
    $badCount = 0
    Import-Csv $importFile | ForEach {
        $SamAccountName = $_.SamAccountName
        try {
            $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
            $goodCount++
        } catch {
            Write-EventLog # <-finish this command however you want
            $badCount++
        }
    }
    write-host "Users imported: $goodCount"
    write-host "Users not imported: $badCount"
    G. Samuel Hays, MCT, MCSE 2012, MCITP: Enterprise Admin
    Blog:gsamuelhays.blogspot.com
    twitter:twitter.com/gsamuelhays
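
A completed version of the loop from the answer above, as an added example that is not part of the thread: it writes one event per CSV account that is missing from Active Directory and keeps other lookup failures separate. The source name `UserImportCheck`, the event IDs and the default CSV path are assumptions; it needs Windows PowerShell with the ActiveDirectory module.

```powershell
# Added example, not code from the thread.
# Assumed names: source 'UserImportCheck', event IDs 1000-1002, default CSV path.
param(
    [string]$ImportFile = '.\users.csv',
    [string]$LogName    = 'Application',
    [string]$Source     = 'UserImportCheck'
)

Import-Module ActiveDirectory

# Registering a source needs administrative rights, and SourceExists() itself
# throws for a non-admin when the source is not found, so do this once, elevated.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

$found   = 0
$missing = 0
$failed  = 0

Import-Csv -Path $ImportFile | ForEach-Object {
    $sam = "$($_.sAMAccountName)".Trim()
    if (-not $sam) { return }    # skip rows with an empty sAMAccountName

    try {
        # -Identity raises a terminating error for an unknown account.
        # -Filter / -LDAPFilter return nothing instead, so a catch block never runs.
        $null = Get-ADUser -Identity $sam -ErrorAction Stop
        $found++
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $missing++
        $event = @{
            LogName   = $LogName
            Source    = $Source
            EntryType = 'Warning'
            EventId   = 1001
            Message   = "User '$sam' listed in $ImportFile was not found in Active Directory."
        }
        Write-EventLog @event
    }
    catch {
        # Domain controller unreachable, access denied, etc.: not the same as "user missing".
        $failed++
        $event = @{
            LogName   = $LogName
            Source    = $Source
            EntryType = 'Error'
            EventId   = 1002
            Message   = "Lookup of '$sam' failed: $($_.Exception.Message)"
        }
        Write-EventLog @event
    }
}

# One summary event per run makes the individual warnings easy to correlate.
$summary = "Import check of ${ImportFile}: $found found, $missing not found, $failed lookup errors."
Write-EventLog -LogName $LogName -Source $Source -EntryType Information -EventId 1000 -Message $summary
Write-Host $summary
```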

  • Seemingly successful install of Exchange 2013 SP1 turns into many errors in event logs after upgrade to CU7

    I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server. 
    I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online). 
    I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me). 
    Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
    Issue 1)
    After each reboot I get a Kernel-EventTracing 2 error.  I cannot find anything on this on the internet so I have no idea what it is.
    Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
    I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
    Issue 2)
    I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
    https://support.microsoft.com/kb/2870416?wa=wsignin1.0
    One of the perf counters fails to register using the script from the link above.
    66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
    New-PerfCounters : The performance counter definition file is invalid.
    At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
    +    New-PerfCounters -DefinitionFileName $f
    +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidData: (:) [New-PerfCounters], TaskException
        + FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:
       12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
    But that one seems unrelated to the ones that still throw errors. 
    Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
    Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The
    exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown
    is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException:
    The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Issue 3)
    I appear to have some issues related to the healthmailboxes. 
    I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
    SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory
    lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
    I reran setup /prepareAD to try and remedy this but I am still getting some.
    Issue 4)
    I am getting an MSExchange RBAC 74 error. 
    (Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
    Issue 5)
    I am getting MSExchange Assistants 9042 warnings on both databases.
    Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were
    skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
    Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server. 
    If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
    Issue 6)
    At boot I am getting an MSExchange ActiveSync warning 1033
    The setting SupportedIPMTypes in the Web.Config file was missing. 
    Using default value of System.Collections.Generic.List`1[System.String].
    I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.

    Hi Eric
    Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3rd time. 
    I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
    I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”. 
    If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
     So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering. 
    Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users. 
    I then applied an address policy to them and gave it the highest priority. 
    Then I set a default email address policy for the entire organization. 
    After reinstalling Exchange all of my system mailboxes were created with the internal domain name. 
    So issue number 3 above has not come up. 
    For issue number one above I have created a new thread:
    https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
    For issue number four I have posted to this existing thread where there is so far no resolution:
    https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
    Issue number Five I have managed to recreate and get rid of in more than one way. 
    If I create a new database in ECP and set the database and log paths where I want, then this error will appear. 
    If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear. 
    The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service. 
    If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away. 
    So my off hand guess is that these are caused by orphaned system mailboxes.
    For issue number six I have posted to this existing thread where there is so far no resolution:
    https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
    So for the remainder of this thread we can try and tackle issue number two which is the perf counters. 
    The exact same 5 perf counters were coming up and this had been true each time I have uninstalled and reinstalled Exchange 2013CU7. 
    Actually to be more accurate a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five. 
    Using all of your suggestions so far has not removed these 5 remaining errors either.  Since there is no discernible impact other than these errors at boot I am not seriously bothered by them but as with all event log errors, I would prefer to make them go away if possible.

  • Allow Non-Administrator accounts to create event sources and write to event logs

    We are setting up BizTalk 2013 in Windows Server 2012 and one of the requirements is to allow the service account to create sources and write in event logs (Application) of the BizTalk servers. We have found what it seems to be a simple solution for this
    without giving service accounts local admin rights.
    Give Full control for the following registry keys to the service accounts or groups to allow creating of event sources and write to event logs:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
    Note: when changing permissions for EventLog key, the child keys will inherit the permissions by default except Security key which must be done manually.
    Initial tests using a .net test app seems to work as expected. New event sources are being created in the event logs and writing to the event logs after that works perfectly.
    The above method has been deployed in production and this is the most suitable solution for us.
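
A check for reviewing the result of the permission change described above, as an added example that is not part of the post: it lists every identity holding write-capable rights on the EventLog keys, including the Security subkey that the post says does not inherit. The baseline list of expected identities is an assumption to be replaced with what a clean build shows.

```powershell
# Added example, not from the thread. Run from an elevated prompt:
# reading the ACL of the Security subkey requires administrative rights.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
)

# Rights that allow creating sources or changing log configuration,
# plus the generic write/all bits that can appear in inheritable ACEs.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask   = [int]$writeRights -bor 0x40000000 -bor 0x10000000

# Assumed baseline of identities expected to hold such rights;
# replace with the output from a clean build of your server image.
$baseline = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

$report = foreach ($key in $keys) {
    foreach ($rule in (Get-Acl -Path $key).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.RegistryRights -band $writeMask) -eq 0) { continue }

        [pscustomobject]@{
            Key        = $key
            Identity   = $rule.IdentityReference.Value
            Rights     = $rule.RegistryRights
            Inherited  = $rule.IsInherited
            InBaseline = $baseline -contains $rule.IdentityReference.Value
        }
    }
}

# Entries outside the baseline sort first; those are the grants to review.
$report | Sort-Object InBaseline, Key | Format-Table -AutoSize -Wrap
```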

    Hi Keong6806,
    Thanks a lot for posting and sharing here.
    Do you have any other questions regarding this topic? If not I would change the type as 'Discussion' then.
    Best Regards,
    Elaine

  • DFSN-Server ID 516 Flooding Event Log

    Good Day,
     Since setting up a Server 2012 server as a DFS root the Administrative Events log is getting flooded with DFSN-Server ID 516 warning events. We have multiple name spaces and we get a message for each every 15 minutes, so for our 6 name spaces
    that is over 500 messages a day.
    DFSN service has started performing complete refresh of metadata for namespace <DFS-Root>. This task can take time if the namespace has large number of folders and may delay namespace administration operations.
    Although I found one solution on the Russian Technet forum DFSN-Server EventID 516 this disables the entire DFSN-Server
    Admin log, so if there are any problems with the refresh they will not appear.
    The main cause of the problem appears to be that the 516 Events have a Warning level 3 for something that should be Information level 4. There is no reason for a warning to be issued for what is a regular update process.
    Thanks,
    James

    What bothers me is that those events mention only "started a complete refresh", but they never mention so far completing one ... weird...
    Thank you Microsoft (sarcasm).
    If you look directly at the log, you'll see this message is quickly followed by ID 517 which states it has completed the refresh.  Event 517 is an informational event, so it won't display in the default "Administrative Events" filter.
    My suggestion to Microsoft:  Change the severity on ID 516 to Informational.  I don't believe
    anyone would consider this routine refresh a warning-level concern!!
    yes, you are right. sorry for super late reply, but I was swamped in company move and server upgrades, new installations, new IP phone system, new IP cams, site-to-site VPN, new faster firewall for new faster Internet link, NAT config changes ... man ...
    a bit too much for a single person to manage sometimes ...
    anyways, I didn't see the 517 events in "Custom Views - Administrative Events" that's why I was alerted with a flood of 516 (there is 1 every 12 minutes), can't understand why MS would drop one informational event (categorized wrongly as warning)
    and not add the other one stating it was completed right after (because it's still informational only) ... I finally found the following 517's when I went to the tree of Apps and Services Logs - MS - Win - DFSN-Server - Admin ... it's kinda buried down there
    very annoying it still is in end of October, especially when I am troubleshooting a non-replication conditions without any errors between two DFS servers (also DC roles installed) running 2012R2. Ended up removing DFS from secondary DC (VM actually) and
    building a new DFS dedicated VM with fixed sized disks on Hyper-V 2012 R2 server, hoping it resolves the issue when replication would just stop without error creating a huge file count (and content!) mismatch over time... a flood of meaningless events in administrative
    logs is not helping with troubleshooting ...

  • Homehub 3.0 Wireless Event Log messages

    Hello,
    Can anyone tell me what event log messages like the following mean?
    3 consecutive beacons have not been transmitted
    I'm getting these about once every 20 minutes.  Smart Wireless is enabled.
    A couple of days ago Wireless became unstable, devices connecting and reconnecting repeatedly. The Wireless light was randomly flashing on and off (Blue) every few seconds.  I had to restart the homehub (which I didn't really want to do, as I was still within my first 10 days, with Infinity).  But after the restart, the admin password had changed.  I assumed it was reset to the original one, but that was also not recognised.  I had to do a password override to get access.
    Ever since then Wireless has been behaving itself but I'm still left with these strange event log messages - google comes up with nothing.
    Any ideas?

    Hi BRunner and welcome
    Although I've not had opportunity to obtain one of these hubs (BT are you listening), as I'm still on the hub 2, I'll try to help you out with this...
    It looks like the hub is reporting that it can't transmit the wireless signal on the chosen channels, why, I'm not too sure
    (this might be due to the design (how 'Smart Wifi' works), or dare I say it, the hub could be faulty!!!!!)
    Firstly, download either inSSIDer2 (Windows) or istumbler (MAC) - take care when installing, uncheck any 'additional freebies' as they're not needed.
    Either will show all the wireless SSIDs in your area. As I use inSSIDer2, I'll explain what to do using this one, I guess istumbler would be similar (not a MAC man, yet!)
    Disconnect from your own hub, run inSSIDer and monitor any SSIDs, I recently noticed that 2 of my neighbours (VM) routers appear to grab channel 1 up to channel 7!
    This keeps changing and they keep fighting with each other. As this was affecting me, I've moved to channel 8. This can be manually set via the hub manager, but you'd probably need to switch off 'Smart Wifi'
    Ideally, take a screenshot of the results BUT remove ANY wireless SSID's, it's the channels in use that's important.
    -+-No longer a forum member-+-

  • SQL Server monitoring error event log 4001

    hello Experts ,
    We have SCOM 2012 R2 environment ,I have installed SQL SERVER MPs 6.5.0.1 and installed SCOM agent on some of SQL Server. Some of the SQL Server are monitoring working properly not all SQL Server but getting error  for some of SQL Server in event log
    Event :4001
    Management Group: SCOMMgtGroup. Script: Main Module: CPUUsagePercentDataSource.ps1 : 
    Computer Name = 'MHSSCOM01.memnet.org' WMI = 'ComputerManagement11' Service Name = 'MSSQLSERVER' SQL Instance Name = 'MSSQLSERVER'
    Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."Error occured during CPU Usage for SQL Instances data source executing.
    Computer:MHSSCOM01 
    Reason: Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."
    I am also not getting database information within the SQL Server instances for these SQL Servers within "Instances Summary".
    For resolution, I have created a Run As account (Windows) for SQL monitoring, then associated it with Run As profile with SQL Server default account, Discovery account and Monitoring account, and distributed it securely to each SQL Server health service object. The Run As account has been added to the local admin group on each SQL Server.
    How do I resolve the event log error, and how do I get database information for all instances of SQL Server?
    Thanks
    RICHA

    Hi,
    It seems that the action account that runs the script does not have enough permissions on the monitored SQL server. I would like to suggest you follow the link below to check your Run As account configuration:
    http://blogs.technet.com/b/kevinholman/archive/2010/09/08/configuring-run-as-accounts-and-profiles-in-r2-a-sql-management-pack-example.aspx
    And make sure the action account also has SQL admin account to the SQL server.
    Here is also a link that may be helpful for you:
    http://blogs.technet.com/b/momteam/archive/2014/05/12/kb-event-4001-in-the-operations-manager-log-during-sql-server-2012-monitoring.aspx
    Regards,
    Yan Li

  • Cannot open eventlog service on computer '.'. (Windows Event Log service doesn't exist)

    This problem used to be solved after moving a computer object into the appropriate OU and restarting, and if that didn't work, it used to be solved when uninstalling and reinstalling Microsoft FEP (restarts in-between).  Now, the only way to access event logs is by logging in as a domain admin, or by accessing event logs through remote manage.
    If a machine object is added to the domain, dropped into the computers container, and restarted, we get this error when going into Computer Management:
    "Cannot open eventlog service on computer '.'."
    The original problem was noticed on our VMs, but I also tried it with a Lenovo Windows 7 build out of the box, added it to our domain, and the problem occurred. When our desktops are built, SCCM's task manager drops it into the appropriate OU immediately, so desktops don't have issues.  With VMs, they are dropped into the computers container and restarted, so once this problem occurs, it almost never leaves.  SOMETIMES, removing it from the domain solves the problem, but not always.
    I've tried all of the suggestions I've seen online and none of them have worked, such as cleaning up the policies (through registry, and the appropriate system folders), adding the proper NTFS permissions on the RtBackup folder and %SystemRoot%\System32\winevt\logs, netsh winsock reset, cleanboot, etc.
    I did notice that I'm unable to find the NT Service\EventLog user group. I wanted to add it to %systemroot%\system32\winevt\logs, but the group cannot be found on the local computer. Even if that's the problem, why is it missing?
    It doesn't seem like anyone else on the internet gets this exact error.

    Hi Kate!
    Yes, the Windows Event Log service is missing. I had already tried your method (#3), and I did try it again. This is the error I get:
    "The specified service already exists."
    If you check services.msc, it's still not there. If you try to start the Event Viewer, the same error comes up:
    Cannot open eventlog service on computer '.'.

    Hi,
    Please check for the existence of this key. If not found, create a *.reg file from another machine and import.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    Then, check the issue again.
    If this doesn't work, let's run System file checker tool to repair system:
    Run SFC command in elevated command prompt
    SFC /scannow
    Any error message, please post here to let me know.
    Keep post.
    Kate Li
    TechNet Community Support

  • Help Needed-bt home hub 2.0 event log messages

    Hi, please can someone have a look at the event log messages below. Is someone trying to hack me? There are loads more of these messages, I've only copied and pasted a few of them.
    Many thanks in advance.
    12:32:02 30 Sep
    VOIP: [2.0A] [guest1] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [guest] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [guest] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [office12345] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [office12345] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [office1234] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [office1234] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [office123] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [office123] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [office12] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [office12] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [office1] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [office1] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [office] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [office] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [admin12345] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [admin12345] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [admin1234] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [admin1234] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [admin123] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [admin123] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [admin12] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [admin12] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [admin1] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [admin1] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [admin] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [admin] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [administrator] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [administrator] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [4260011834] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [4260011834] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [Administrator] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [Administrator] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [3942121793] [] 501 Not Implemented - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [3942121793] [-] REGISTER - SIP message received
    12:32:02 30 Sep
    VOIP: [2.0A] [100] [] 404 Not Found - SIP message sent
    12:32:02 30 Sep
    VOIP: [2.0A] [100] [-] OPTIONS - SIP message received
    12:32:01 30 Sep
    SNTP Synchronised to server: 213.123.26.170
    11:45:07 30 Sep
    VOIP: [2.0A] [100] [] 404 Not Found - SIP message sent
    11:45:07 30 Sep
    VOIP: [2.0A] [100] [-] OPTIONS - SIP message received
    11:32:01 30 Sep
    SNTP Synchronised to server: 213.123.20.170
    11:28:34 30 Sep
    VOIP: [2.0A] [100] [] 404 Not Found - SIP message sent
    11:28:34 30 Sep
    VOIP: [2.0A] [100] [-] OPTIONS - SIP message received

    Hi JM7HUB and welcome,
    No, you're not being hacked. It's to do with BTHub phone (Broadband Talk - BBT) and the hub, in your case the hub 2A.
    It's a test that BT seem to carry out, normally (IIRC) after a reboot of the hub or possibly at random times - it's been a long time since I used BBT. I'll guess there are some random names mentioned on some of the other VOIP events?
    If you don't use a BBT, you can turn this off by entering the hub manager - type bthomehub.home or 192.164.1.254 into your browser, click settings, advanced settings, continue to advanced settings, telephony - there should be an option there to turn it off. This should then stop the events.
    edit. The telephone light on the hub will go out, but any registered hub phone should still operate as a 'normal' phone using your landline number.
    -+-No longer a forum member-+-
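
An added example, not part of the original thread and not BT tooling: a small parser for hub event-log lines in the format posted above. It groups inbound SIP REGISTER requests by timestamp and reports which usernames were presented and what the hub replied. The sample lines are copied from the post; the `min_users` threshold and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Timestamp and message arrive on alternating lines in the hub's event log.
TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\d{1,2} \w{3})$")
SIP_RE = re.compile(r"^VOIP: \[[^\]]*\] \[(?P<user>[^\]]*)\] \[[^\]]*\] "
                    r"(?P<what>.+?) - SIP message (?P<dir>received|sent)$")

# Lines copied from the post above (a shortened selection).
SAMPLE = """\
12:32:02 30 Sep
VOIP: [2.0A] [guest1] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [guest] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [guest] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [100] [] 404 Not Found - SIP message sent
11:45:07 30 Sep
VOIP: [2.0A] [100] [-] OPTIONS - SIP message received
"""

def parse_events(text):
    """Yield (timestamp, user, what, direction) for every VOIP entry."""
    ts = None
    for line in map(str.strip, text.splitlines()):
        if m := TS_RE.match(line):
            ts = f"{m[2]} {m[1]}"
        elif ts and (m := SIP_RE.match(line)):
            yield ts, m["user"], m["what"], m["dir"]

def summarise(text, min_users=3):  # min_users: assumed threshold, tune locally
    """Per timestamp: distinct REGISTER usernames received and replies sent."""
    users, replies = defaultdict(set), defaultdict(Counter)
    for ts, user, what, direction in parse_events(text):
        if direction == "received" and what == "REGISTER":
            users[ts].add(user)
        elif direction == "sent":
            replies[ts][what] += 1
    return [{"timestamp": ts, "users": sorted(names),
             "replies": dict(replies[ts]), "burst": len(names) >= min_users}
            for ts, names in users.items()]

if __name__ == "__main__":
    for row in summarise(SAMPLE):
        print(row)
```

Timestamps with only OPTIONS traffic (such as 11:45:07 in the sample) produce no row, so the output isolates the seconds in which several different account names were presented at once.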

  • Custom event log is not working in SharePoint server

    Hi ,
    We are trying to implement event logging in our application. We have created a separate event source for our application. When we test this on our local dev machine it works without any problem. When I try to test the same in a higher environment (QA, Pre-prod) it does not work. The QA environment is a multi form server. We are able to see the event source in the event viewer, but the logging is not happening. We have tried restarting IIS and restarting the services.
    Any suggestion or guidance will be highly appreciated.
    Thanks in Advance

    Logging should use the SharePoint Unified Logging Services (ULS) infrastructure.
    Logging to the Event Viewer requires ADMIN PERMISSION... which is why it works fine in DEV, and not in TEST/PROD.
    DO NOT LOG TO THE EVENT VIEWER... OR USE ANY OTHER HOME GROWN CONCOCTION... USE THE LOGGING FRAMEWORK PROVIDED BY THE PLATFORM.
    This may help: http://www.sbrickey.com/Tech/Blog/Post/Custom_Logging_in_SharePoint_2010
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • VSS snapshot of 1.1TB is ending after few hours with timeout. No errors in event log

    Hello,
    Has anyone experienced an issue where starting a snapshot (from GUI or command line) takes a lot of time and then just ends with a timeout?
    I have a scenario on a virtualised Windows Web Server 2008 R2 where backup is being made by Idera Backup Software, but since it relies on VSS snapshots we can just skip this point, because making snapshots directly from the Windows command line or drive preferences/GUI ends with a timeout for this single drive after a few hours. The affected system has 3 drives: C - 95GB, D - 1.06TB and E - 120GB. C and E can be backed up correctly and only drive D has problems. The system is updated with the latest drivers, vssadmin for writers returns a list without any errors, and the snapshot for drive D which ends with a timeout is not generating any error in the event log. I wanted to configure VSS trace as instructed on this site:
    http://publib.boulder.ibm.com/infocenter/tsminfo/v6/index.jsp?topic=%2Fcom.ibm.itsm.tshoot.doc%2Ft_pdg_traceprfrm.html
    but I don't see any trace.txt file in the given location. If I remove drive D from the backup process it ends without errors. The system was restarted many times. The only thing visible in the Windows Event log (application part) is "The VSS service is shutting down due to idle timeout." about 4 hours after the snapshot process starts.
    I've contacted Idera backup about this but they can't help much if the Windows snapshot process is failing. They suggested that something can be wrong with this drive, but since this is a virtualised machine and all of my VMs are stored on a RAID10 disk array connected to my server using fiber connections, I don't think that this is a hardware issue (especially when the other two drives are located on the same LUN on the disk array).
    Any suggestions?
    Regards

    Hi,
    Do you create VMs on Hyper-V or VMware? Based on research, possible causes could be:
    1. File changes in the volume are very large, so the shadow size may be big and the current shadow storage may not be able to hold it, and that causes the shadow copy creation failure.
    2. The I/O on the D drive is heavy and makes the shadow copy I/O fail.
    3. Server is too busy to handle the request.
    4. The disk is heavily fragmented.
    Please refer to the articles to troubleshoot the issue:
    Time-out errors occur in Volume Shadow Copy service writers, and shadow copies are lost during backup and during times when there are high levels of input/output
    http://support.microsoft.com/kb/826936/en-us
    VSS timeouts during backup? What could contribute to that?
    https://blogs.technet.com/b/askpfeplat/archive/2012/09/12/vss-timeouts-during-backup-check-fragmentation.aspx
    Regards,
    Mandy

  • Seeing multiple DCOM errors generating event ID 10016 in System Event log

    Hi there. Our current SharePoint server, running Windows Server 2003, Standard Edition SP1 and not on the domain, is getting its event logs filled up every 15 minutes to an hour with the following DCOM error:
    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10016
    Date:  26/11/2014
    Time:  4:31:30 AM
    User:  NT AUTHORITY\NETWORK SERVICE
    Computer: xxx-xxx
    Description:
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {61738644-F196-11D0-9953-00C04FD919C1}
     to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp
    I have attempted the following fix: adding the local admin account to the security permissions under the following service: 61738644-F196-11D0-9953-00C04FD919C1, which was what Microsoft recommended from looking at a few random Google results. It had no effect and the same error continued to happen.
    We run Windows SharePoint Services WSS 3.0 on this server which is our primary intranet server.
    Has this happened to anyone else and what would you suggest we do to fix it?

    Hi Steven,
    The results of trying this generated the same DCOM error again at the early hours of this morning as it's always done.
    The exact error generated from the server is listed below:
    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10016
    Date:  3/12/2014
    Time:  4:31:30 AM
    User:  NT AUTHORITY\NETWORK SERVICE
    Computer: HAL-SPS
    Description:
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {61738644-F196-11D0-9953-00C04FD919C1}
     to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Given this machine isn't on the domain and we have to log into it as local administrator, the local administrator account has been granted local launch and local activation permissions under IIS WAMREG admin on the server.
    Was this the correct account, or should I have granted permissions to another account?
    SB.
