Big Events.log in $COMMON_TOP/admin/log
Hello,
I have noticed there are always many logs in the $COMMON_TOP/admin/log. Apart from the concurrent managers logs etc, there are those Events.logs which can grow to any size as long as the apps keeps running.
New ones are however created upon restart of apps and I can clear the old ones.
I would like to reduce what is written to the Events.log so that they do not grow too big. Can someone let me know how to do this or point me to an article on these logs?
Regards
I have found the solution I wanted and I think it may be useful to someone later and that is why I am posting this.
Those LARGE eventxx.logs under $COMMON_TOP/admin/log are Fulfillment Server logs and looking through them, I don't really know their benefits and I have been deleting them but I can switch off the logging now.
This is detailed in the metalink note ID 601375.1
I got this when I came across this link on the internet:
http://newappsdba.blogspot.com/2008/12/huge-eventslog-files-in-applcsfappllog.html
Regards
Edited by: user12191278 on 18-Jan-2010 05:24
Similar Messages
-
Creating a Custom Event Log View Shortcut on a server desktop for an admin
Good morning,
We have a new admin starting and I would like to create custom event log view shortcut on their desktop for each server they need to check. Is there a way to do this in Server 2012 and Server 2008?
I have figured out how to create a shortcut of the Application and System log, but not Custom Views. Thanks.
Hi,
Based on my research, you can create a custom view like this.
However, I tried multiple ways to create a shortcut of the custom view of the event viewer and no result. I can only create a shortcut of the event viewer. You may need a script that can achieve that.
Best regards,
Susie -
I'm seeing some strange behavior with our RAID Admin event log. On Friday, I did a rebuild of one of our RAIDs and, in the event log, there was an entry added that said "RAID Rebuild Started" or something along those lines.
Today I opened RAID Admin and that event entry was gone. All of the other events around it were still there (removing and reinserting a drive, etc.), but not the actual rebuild message (or the subsequent success message).
Is this normal behavior?
Yes, that is normal behavior. If there were any problems with the rebuild, you would see error messages in the event log, but the message about starting the rebuild does disappear after the rebuild finishes.
-Phoenix -
Questions about BT Home Hub 4A event log - WIFI c...
Hope someone can help please ?
I had BT Infinity installed 2 weeks ago with the HH 4 (type A) and everything has worked - connection found, no problem.
This week, my ipod touch was unable to join the network but the iphone 5, another ipod and a tablet could connect without a problem. The ipod touch managed to connect to another WIFI used at the property and my work wifi without a problem.
I thought it maybe the ipod touch as it was quite old but that doesn't make sense since it connects fine to other networks. I restored network settings and other options suggested by Apple but to no avail.
I have turned my attention to the Hub. My laptop (older than the ipod touch) gets the connection no problem along with the other devices. I went into the hub management page but I am not smart enough to decipher the event log so would like some help so I can fix this because I thought BT Infinity was the better more reliable option?
The ipod touch Wifi IP address is 00:25:00:b7:35:f6.
On the event log, it shows STA before the address - but it shows STA before all the device IP addresses. Should I change this to DHCP ? or is this (Static ? alright)
The Lease on all the devices on the event log is set to 1440 min. (1 day) is that alright too, what does it mean ?
Do I have to keep renewing the lease ? How do I do that ? I read it can be set to 21 days ?
Going back to the IP address on the ipod it shows the Hostname as 00:25:00:B7:35:f6-2 this is different to the IP address with the -2. Could that be a cause of the unable to join network or is it because I attempted to recreate the network on the ipod so it's the second version of that host name ?
Is there any setting I can change to fix this because I am concerned the same thing will happen to the other devices and then the laptop....
What do I need to do to be able to get my ipod touch to connect to the BT network setting ?
I think it's the hub 4A causing the 'block' on the ipod touch not the device and I think it's maybe a matter of changing a setting - but then why was it all fine before when Infinity was first installed ?
Lastly my laptop (7 Years old) seems to be attached to the 5GHZ Wireless channel - is that alright ? The other more recent devices are on the 2.4ghz channel (except the ipod touch which isn't on any !!)
Is it alright to turn the hub on / off ? -I am resisting that because I don't want to make the situation worse.
Sorry but what does client disassociated mean and all the BLOCKS - do they relate to firewall ?
Please can you review the event log and my questions ?
Many thanks
angie 2601
The time frame is 3.55am 8/8/2013 - 7.16 am 8/8/2013
(Latest (7.16am) at the top)
It could be that the Ipod touch is having problems with both the 2.4GHz and 5GHz frequencies being named the same. If you give them separate SSids it may help. ie add a 5 to the 5GHz SSid.
If you do this you will need to re-connect all your devices that can see both frequencies to both SSids so that they will swap between the frequencies seamlessly whenever they need to.
See link how to change SSid.
http://bt.custhelp.com/app/answers/detail/a_id/44504/related/1/session/L2F2LzEvdGltZS8xMzc1OTY2ODIxL...
Once you have changed the SSid I would delete the network connection on the Ipod touch and start again. -
Exception write to event log when user not found in active directory
I'm trying to use an exception to write to an event log to show which user did not get imported from my csv file. Any help to write this exception is appreciated. Thanks
Import-CSV $importfile | ForEach-Object {
    $samaccountname = $_.sAMAccountName.ToLower() # samaccountname on csv file
    Try {
        # Filter user by samaccountname; -LDAPFilter returns nothing (and no error) when there is no match
        $exists = Get-ADUser -LDAPFilter "(sAMAccountName=$samaccountname)"
        if (-not $exists) { throw "No user found for $samaccountname" }
    }
    Catch {
        write-host "Users did not exist." # user does not exist
    }
}
To your question:
"How can I create a new event log every time without saving to the original event log textfile?"
The answer provided by Mike Laughlin doesn't require you save anything to a text file - so either I'm misunderstanding this follow-up, or you are misunderstanding Mike's post. :)
To answer your other follow up... try:
$goodCount = 0
$badCount = 0
Import-Csv $importFile | ForEach {
    $SamAccountName = $_.SamAccountName
    try {
        $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
        $goodCount++
    } catch {
        Write-EventLog # <-finish this command however you want
        $badCount++
    }
}
write-host "Users imported: $goodCount"
write-host "Users not imported: $badCount"
G. Samuel Hays, MCT, MCSE 2012, MCITP: Enterprise Admin
Blog:gsamuelhays.blogspot.com
twitter:twitter.com/gsamuelhays -
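A completed version of the loop above, added here as an example and not part of the original reply: it writes one Application-log event per account that Get-ADUser cannot find and keeps "user not found" separate from other lookup failures. The CSV path, the source name `CsvUserImport` and the event IDs 1001 and 1002 are assumptions; it targets Windows PowerShell 5.1 with the ActiveDirectory module.

```powershell
#Requires -Version 5.1
#Requires -Modules ActiveDirectory

# Assumed names: none of these come from the original thread.
$importFile  = 'C:\Temp\users.csv'   # CSV with a sAMAccountName column
$logName     = 'Application'
$source      = 'CsvUserImport'
$idNotFound  = 1001                  # account missing from AD
$idLookupErr = 1002                  # lookup failed for another reason

# Registering a source writes under HKLM\...\Services\EventLog and needs
# elevation, so do it once at deployment rather than on every run.
# SourceExists throws for non-admins when the source is not found, because
# it cannot search the Security log.
try {
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName $logName -Source $source
    }
} catch {
    throw "Event source '$source' could not be verified or created; run once elevated. $($_.Exception.Message)"
}

$good = 0
$bad  = 0
Import-Csv -Path $importFile | ForEach-Object {
    $sam = "$($_.sAMAccountName)".Trim()
    if (-not $sam) { return }        # skip blank rows

    try {
        $null = Get-ADUser -Identity $sam -ErrorAction Stop
        $good++
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The account really is absent from the directory.
        $bad++
        Write-EventLog -LogName $logName -Source $source -EventId $idNotFound `
            -EntryType Warning `
            -Message "Import check: no AD user with sAMAccountName '$sam' (file: $importFile)."
    }
    catch {
        # DC unreachable, access denied, malformed identity: not the same as "user missing".
        $bad++
        Write-EventLog -LogName $logName -Source $source -EventId $idLookupErr `
            -EntryType Error `
            -Message "Import check: lookup of '$sam' failed: $($_.Exception.Message)"
    }
}

Write-Host "Users found: $good"
Write-Host "Users not found or not checked: $bad"
```

Keeping the two event IDs apart lets a log filter or alert rule count genuinely missing accounts without being skewed by transient directory errors.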
I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server.
I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online).
I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me).
Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
Issue 1)
After each reboot I get a Kernel-EventTracing 2 error. I cannot find anything on this on the internet so I have no idea what it is.
Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
Issue 2)
I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
https://support.microsoft.com/kb/2870416?wa=wsignin1.0
One of the perf counters fails to register using the script from the link above.
66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
New-PerfCounters : The performance counter definition file is invalid.
At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
+ New-PerfCounters -DefinitionFileName $f
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo
: InvalidData: (:) [New-PerfCounters], TaskException
+ FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:
12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
But that one seems unrelated to the ones that still throw errors.
Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The
exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
at System.Diagnostics.PerformanceCounter.InitializeImpl()
at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
at System.Diagnostics.Process.GetProcessById(Int32 processId)
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown
is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
at System.Diagnostics.PerformanceCounter.InitializeImpl()
at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
at System.Diagnostics.Process.GetProcessById(Int32 processId)
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException:
The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
at System.Diagnostics.PerformanceCounter.InitializeImpl()
at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
at System.Diagnostics.Process.GetProcessById(Int32 processId)
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Issue 3)
I appear to have some issues related to the healthmailboxes.
I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory
lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
I reran setup /prepareAD to try and remedy this but I am still getting some.
Issue 4)
I am getting an MSExchange RBAC 74 error.
(Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
Issue 5)
I am getting MSExchange Assistants 9042 warnings on both databases.
Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were
skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server.
If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
Issue 6)
At boot I am getting an MSExchange ActiveSync warning 1033
The setting SupportedIPMTypes in the Web.Config file was missing.
Using default value of System.Collections.Generic.List`1[System.String].
I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.
Hi Eric
Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3rd time.
I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”.
If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering.
Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users.
I then applied an address policy to them and gave it the highest priority.
Then I set a default email address policy for the entire organization.
After reinstalling Exchange all of my system mailboxes were created with the internal domain name.
So issue number 3 above has not come up.
For issue number one above I have created a new thread:
https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
For issue number four I have posted to this existing thread where there is so far no resolution:
https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
Issue number Five I have managed to recreate and get rid of in more than one way.
If I create a new database in ECP and set the database and log paths where I want, then this error will appear.
If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear.
The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service.
If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away.
So my off hand guess is that these are caused by orphaned system mailboxes.
For issue number six I have posted to this existing thread where there is so far no resolution:
https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
So for the remainder of this thread we can try and tackle issue number two which is the perf counters.
The exact same 5 perf counters were coming up and this had been true each time I have uninstalled and reinstalled Exchange 2013CU7.
Actually to be more accurate a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five.
Using all of your suggestions so far has not removed these 5 remaining errors either. Since there is no discernible impact other than these errors at boot I am not seriously bothered by them but as with all event log errors, I would prefer to make them go away if possible. -
Allow Non-Administrator accounts to create event sources and write to event logs
We are setting up BizTalk 2013 in Windows Server 2012 and one of the requirements is to allow the service account to create sources and write in event logs (Application) of the BizTalk servers. We have found what it seems to be a simple solution for this
without giving service accounts local admin rights.
Give Full control for the following registry keys to the service accounts or groups to allow creating of event sources and write to event logs:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
Note: when changing permissions for EventLog key, the child keys will inherit the permissions by default except Security key which must be done manually.
Initial tests using a .net test app seem to work as expected. New event sources are being created in the event logs and writing to the event logs after that works perfectly.
The above method has been deployed in production and this is the most suitable solution for us.
Hi Keong6806,
Thanks a lot for posting and sharing here.
Do you have any other questions regarding this topic? If not I would change the type as 'Discussion' then.
Best Regards,
Elaine
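A way to review the effect of the delegation described above, added as an example and not part of the original post: it lists every principal outside an expected baseline that holds write-capable rights on the three keys named in the post, so delegated service accounts (including any with control over the Security log key) stand out. The baseline list is an assumption to adjust for your build; run it elevated so the Security key can be read.

```powershell
# Keys named in the post above.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application'
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
)

# Assumed baseline of principals expected to hold write access; adjust per build.
$expected = @(
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    'NT SERVICE\EventLog'
    'CREATOR OWNER'
)

# Rights that allow changing a key: the specific registry rights below plus
# the GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits, which
# can appear on inherit-only entries.
$specific  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = $specific -bor 0x40000000 -bor 0x10000000

function Get-EventLogKeyWriters {
    param(
        [string[]]$Path,
        [string[]]$Baseline
    )
    foreach ($p in $Path) {
        try {
            $acl = Get-Acl -Path $p -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL of ${p}: $($_.Exception.Message)"
            continue
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
            if ($Baseline -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Key       = $p
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-EventLogKeyWriters -Path $keys -Baseline $expected | Format-Table -AutoSize
```

An empty result means only the baseline principals can modify these keys; any row for the Security key deserves a closer look, since that key governs the Security log's configuration.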
-
DFSN-Server ID 516 Flooding Event Log
Good Day,
Since setting up a Server 2012 server as a DFS root the Administrative Events log is getting flooded with DFSN-Server ID 516 warning events. We have multiple name spaces and we get a message for each every 15 minutes, so for our 6 name spaces
that is over 500 messages a day.
DFSN service has started performing complete refresh of metadata for namespace <DFS-Root>. This task can take time if the namespace has large number of folders and may delay namespace administration operations.
Although I found one solution on the Russian Technet forum DFSN-Server EventID 516 this disables the entire DFSN-Server
Admin log, so if there are any problems with the refresh they will not appear.
The main cause of the problem appears to be that the 516 Events have a Warning level 3 for something that should be Information level 4. There is no reason for a warning to be issued for what is a regular update process.
Thanks,
James
What bothers me is that those events mention only "started a complete refresh", but they never mention so far completing one ... weird...
Thank you Microsoft (sarcasm).
If you look directly at the log, you'll see this message is quickly followed by ID 517 which states it has completed the refresh. Event 517 is an informational event, so it won't display in the default "Administrative Events" filter.
My suggestion to Microsoft: Change the severity on ID 516 to Informational. I don't believe
anyone would consider this routine refresh a warning-level concern!!
yes, you are right. sorry for super late reply, but I was swamped in company move and server upgrades, new installations, new IP phone system, new IP cams, site-to-site VPN, new faster firewall for new faster Internet link, NAT config changes ... man ...
a bit too much for a single person to manage sometimes ...
anyways, I didn't see the 517 events in "Custom Views - Administrative Events" that's why I was alerted with a flood of 516 (there is 1 every 12 minutes), can't understand why MS would drop one informational event (categorized wrongly as warning)
and not add the other one stating it was completed right after (because it's still informational only) ... I finally found the following 517's when I went to the tree of Apps and Services Logs - MS - Win - DFSN-Server - Admin ... it's kinda buried down there
very annoying it still is in end of October, especially when I am troubleshooting a non-replication condition without any errors between two DFS servers (also DC roles installed) running 2012R2. Ended up removing DFS from secondary DC (VM actually) and building a new DFS dedicated VM with fixed sized disks on Hyper-V 2012 R2 server, hoping it resolves the issue when replication would just stop without error creating a huge file count (and content!) mismatch over time... a flood of meaningless events in administrative logs is not helping with troubleshooting ... -
Homehub 3.0 Wireless Event Log messages
Hello,
Can anyone tell me what event log messages like the following mean?
3 consecutive beacons have not been transmitted
I'm getting these about once every 20 minutes. Smart Wireless is enabled.
A couple of days ago Wireless became unstable, devices connecting and reconnecting repeatedly. The Wireless light was randomly flashing on and off (Blue) every few seconds. I had to restart the homehub (which I didn't really want to do, as I was still within my first 10 days, with Infinity). But after the restart, the admin password had changed. I assumed it was reset to the original one, but that was also not recognised. I had to do a password override to get access.
Ever since then Wireless has been behaving itself but I'm still left with these strange event log messages - google comes up with nothing.
Any ideas?
Hi BRunner and welcome
Although I've not had opportunity to obtain one of these hubs (BT are you listening), as I'm still on the hub 2, I'll try to help you out with this...
It looks like the hub is reporting that it can't transmit the wireless signal on the chosen channels, why, I'm not too sure
(this might be due to the design (how 'Smart Wifi' works), or dare I say it, the hub could be faulty!!!!!)
Firstly, download either inSSIDer2 (Windows) or istumbler (MAC) - take care when installing, uncheck any 'additional freebies' as they're not needed.
Either will show all the wireless SSIDs in your area. As I use inSSIDer2, I'll explain what to do using this one, I guess istumbler would be similar (not a MAC man, yet!)
Disconnect from your own hub, run inSSIDer and monitor any SSIDs, I recently noticed that 2 of my neighbours (VM) routers appear to grab channel 1 up to channel 7!
This keeps changing and they keep fighting with each other. As this was affecting me, I've moved to channel 8. This can be manually set via the hub manager, but you'd probably need to switch off 'Smart Wifi'
Ideally, take a screenshot of the results BUT remove ANY wireless SSID's, it's the channels in use that's important.
-
SQL Server monitoring error event log 4001
Hello Experts,
We have a SCOM 2012 R2 environment. I have installed SQL Server MPs 6.5.0.1 and installed the SCOM agent on some of the SQL Servers. Monitoring is working properly for some of the SQL Servers but not all; I am getting an error for some of the SQL Servers in the event log:
Event :4001
Management Group: SCOMMgtGroup. Script: Main Module: CPUUsagePercentDataSource.ps1 :
Computer Name = 'MHSSCOM01.memnet.org' WMI = 'ComputerManagement11' Service Name = 'MSSQLSERVER' SQL Instance Name = 'MSSQLSERVER'
Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."
Error occured during CPU Usage for SQL Instances data source executing.
Computer:MHSSCOM01
Reason: Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."
I am also not getting database information within the SQL Server instances for these SQL Servers within "Instances Summary".
For resolution, I have created a Run As account (Windows) for SQL monitoring, then associated it with Run As profile with SQL Server default account, Discovery account and Monitoring account and distributed it securely to each SQL Server health service object. The Run As account has been added to the local admin group on each SQL server.
How can I resolve the event log error and how can I get database information for all instances of SQL Server?
Thanks
RICHA
Hi,
It seems that the action account that runs the script does not have enough permissions on the monitored SQL server. I would like to suggest you follow the below link to check your runas account configuration:
http://blogs.technet.com/b/kevinholman/archive/2010/09/08/configuring-run-as-accounts-and-profiles-in-r2-a-sql-management-pack-example.aspx
And make sure the action account also have SQL admin account to the SQL server.
Here is also a link that may be helpful for you:
http://blogs.technet.com/b/momteam/archive/2014/05/12/kb-event-4001-in-the-operations-manager-log-during-sql-server-2012-monitoring.aspx
Regards,
Yan Li -
This problem used to be solved after moving a computer object into the appropriate OU and restarting, and if that didn't work, it used to be solved when uninstalling and reinstalling Microsoft FEP (restarts in-between). Now, the only way to access
event logs is by logging in as a domain admin, or by accessing event logs through remote manage.
If a machine object is added to the domain, dropped into the computers container, and restarted, we get this error when going into Computer Management:
"Cannot open eventlog service on computer '.'."
The original problem was noticed on our VMs, but I also tried it with a Lenovo Windows 7 build out of the box, added it to our domain, and the problem occurred. When our desktops are built, SCCM's task manager drops it into the appropriate OU immediately,
so desktops don't have issues. With VMs, they are dropped into the computers container and restarted, so once this problem occurs, it almost never leaves. SOMETIMES, removing it from the domain solves the problem, but not always.
I've tried all of the suggestions I've seen online and none of them have worked, such as cleaning up the policies (through registry, and the appropriate system folders), adding the proper NTFS permissions on the RtBackup folder and %SystemRoot%\System32\winevt\logs, netsh
winsock reset, cleanboot, etc.
I did notice that I'm unable to find the NT Service\EventLog user group. I wanted to add it to %systemroot%\system32\winevt\logs, but the group cannot be found on the local computer. Even if that's the problem, why is it missing?
It doesn't seem like anyone else on the internet gets this exact error.

Hi Kate!
Yes, the Windows Event Log service is missing. I had already tried your method (#3), and I did try it again. This is the error I get:
"The specified service already exists."
If you check services.msc, it's still not there. If you try to start the Event Viewer, the same error comes up:
Cannot open eventlog service on computer '.'.
Hi,
Please check for the existence of this key. If not found, create a *.reg file from another machine and import.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
Then, check the issue again.
If this doesn't work, let's run System file checker tool to repair system:
Run SFC command in elevated command prompt
SFC /scannow
Any error message, please post here to let me know.
Keep post.
Kate Li
TechNet Community Support -
Help Needed-bt home hub 2.0 event log messages
Hi, Please can someone have a look at the event log messages below. Is someone trying to hack me? there are loads more of these messages i've only copy and pasted a few of them.
many thanks in advance.
12:32:02 30 Sep
VOIP: [2.0A] [guest1] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [guest] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [guest] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office12345] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office12345] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office1234] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office1234] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office123] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office123] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office12] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office12] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office1] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office1] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin12345] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin12345] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin1234] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin1234] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin123] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin123] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin12] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin12] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin1] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin1] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [administrator] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [administrator] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [4260011834] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [4260011834] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [Administrator] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [Administrator] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [3942121793] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [3942121793] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [100] [] 404 Not Found - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [100] [-] OPTIONS - SIP message received
12:32:01 30 Sep
SNTP Synchronised to server: 213.123.26.170
11:45:07 30 Sep
VOIP: [2.0A] [100] [] 404 Not Found - SIP message sent
11:45:07 30 Sep
VOIP: [2.0A] [100] [-] OPTIONS - SIP message received
11:32:01 30 Sep
SNTP Synchronised to server: 213.123.20.170
11:28:34 30 Sep
VOIP: [2.0A] [100] [] 404 Not Found - SIP message sent
11:28:34 30 Sep
VOIP: [2.0A] [100] [-] OPTIONS - SIP message received

Hi JM7HUB and welcome,
No, you're not being hacked. It's to do with BTHub phone (Broadband Talk - BBT) and the hub, in your case the hub 2A.
It's a test that BT seem to carry out, normally (IIRC) after a reboot of the hub or possibly at random times - it's been a long time since I used BBT. I'll guess there are some random names mentioned on some of the other VOIP events?
If you don't use a BBT, you can turn this off by entering the hub manager - type bthomehub.home or 192.164.1.254 into your browser, click settings, advanced settings, continue to advanced settings, telephony - there should be an option there to turn it off. This should then stop the events.
edit. The telephone light on the hub will go out, but any registered hub phone should still operate as a 'normal' phone using your landline number.
-+-No longer a forum member-+- -
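A way to triage a log like the one quoted in this thread, as an added example that is not part of the original posts: it parses the hub's two-line entries and reports, per timestamp, how many different usernames appeared in REGISTER requests and which status codes the hub sent back. The sample log, the `min_users` threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample in the hub's two-line layout (timestamp, then message).
SAMPLE_LOG = """\
12:32:02 30 Sep
VOIP: [2.0A] [guest] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [guest] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office123] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office123] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin] [-] REGISTER - SIP message received
12:32:01 30 Sep
SNTP Synchronised to server: 192.0.2.10
11:45:07 30 Sep
VOIP: [2.0A] [100] [-] OPTIONS - SIP message received
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2} \d{1,2} \w{3}$")
VOIP = re.compile(r"^VOIP: \[[^\]]*\] \[([^\]]*)\] \[[^\]]*\] (.+?) - SIP message (received|sent)$")

def parse(text):
    """Yield (timestamp, user, detail, direction) for each VOIP entry."""
    stamp = None
    for line in (l.strip() for l in text.splitlines()):
        if TS.match(line):
            stamp = line
        elif stamp and (m := VOIP.match(line)):
            yield stamp, m.group(1), m.group(2), m.group(3)

def summarise(text, min_users=3):
    """Per timestamp: distinct REGISTER usernames and replies the hub sent."""
    users, replies = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for stamp, user, detail, direction in parse(text):
        if direction == "received" and detail == "REGISTER":
            users[stamp].add(user)
        elif direction == "sent":
            replies[stamp][detail.split()[0]] += 1  # count by status code
    return {
        stamp: {"users": sorted(names), "replies": dict(replies[stamp])}
        for stamp, names in users.items() if len(names) >= min_users
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Only timestamps with at least `min_users` different REGISTER usernames are reported, so isolated OPTIONS probes and SNTP entries drop out of the summary.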
Custom event log is not working in SharePoint server
Hi ,
We are trying to implement event logging in our application. We have created a separate event source for our application. When we test this on our local dev machine it works without any problem. When I try to test the same in a higher environment (QA, Pre-prod)
it is not working. The QA environment is a multi form server. We are able to see the event source in the event viewer, but the logging is not happening. We have tried restarting IIS and restarting the services.
Any suggestion or guidance will be highly appreciated.
Thanks in Advance

Logging should use the SharePoint Unified Logging Services (ULS) infrastructure.
Logging to the Event Viewer requires ADMIN PERMISSION... which is why it works fine in DEV, and not in TEST/PROD.
DO NOT LOG TO THE EVENT VIEWER... OR USE ANY OTHER HOME GROWN CONCOCTION... USE THE LOGGING FRAMEWORK PROVIDED BY THE PLATFORM.
This may help: http://www.sbrickey.com/Tech/Blog/Post/Custom_Logging_in_SharePoint_2010
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Strategic Data Systems - for all your SharePoint needs -
VSS snapshot of 1.1TB is ending after few hours with timeout. No errors in event log
Hello,
has anyone experienced an issue where making a snapshot (from the GUI or command line) takes a lot of time and then just ends with a timeout?
I have a scenario on a virtualised Windows Web Server 2008 R2 where the backup is being made by Idera Backup Software, but since it relies on VSS snapshots we can skip this point, because making snapshots directly from the Windows command line or drive preferences/GUI ends with a timeout for this single drive after a few hours. The affected system has 3 drives: C - 95GB, D - 1.06TB and E - 120GB. C and E can be backed up correctly and only drive D has problems. The system is updated with the latest drivers, vssadmin for writers returns a list without any errors, and the snapshot for drive D which ends with a timeout is not generating any error in the event log. I wanted to configure VSS trace as instructed on this site:
http://publib.boulder.ibm.com/infocenter/tsminfo/v6/index.jsp?topic=%2Fcom.ibm.itsm.tshoot.doc%2Ft_pdg_traceprfrm.html
but I don't see any trace.txt file in the given location. If I remove drive D from the backup process it ends without errors. The system was restarted many times. The only thing visible in the Windows Event log (application part) is "The VSS service is shutting down due to idle timeout." about 4 hours after the snapshot process starts.
I've contacted Idera backup about this but they can't help too much if Windows snapshot process is failing. They suggested that something can be wrong with this drive but since this is virtualised machine and all of my VM are being stored on RAID10 disk
array connected to my server using fiber connections then I don't think that this is hardware issue (especially when other two drives are located on the same LUN on disk array).
Any suggestions?
Regards

Hi,
Do you create VMs on Hyper-V or VMWare? Based on research, possible causes could be:
1. File changes in the volume are very large, so the shadow size may be big and the current shadow storage may not be able to hold it. That causes the shadow copy creation failure.
2. The I/O in D drive is heavy and make the shadow copy I/O failed.
3. Server is too busy to handle the request.
4. The disk is heavily defragment.
Please refer to the articles to troubleshoot the issue:
Time-out errors occur in Volume Shadow Copy service writers, and shadow copies are lost during backup and during times when there are high levels of input/output
http://support.microsoft.com/kb/826936/en-us
VSS timeouts during backup? What could contribute to that?
https://blogs.technet.com/b/askpfeplat/archive/2012/09/12/vss-timeouts-during-backup-check-fragmentation.aspx
Regards,
Mandy -
Seeing multiple DCOM errors generating event ID 10016 in System Event log
Hi there. Our current SharePoint server, running Windows Server 2003 Standard Edition SP1 and not on the domain, is getting its event logs filled up every 15 minutes to an hour with the following DCOM error:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 26/11/2014
Time: 4:31:30 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: xxx-xxx
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{61738644-F196-11D0-9953-00C04FD919C1}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp
I have attempted the following fix to add the local admin account to the security permissions under the following service: 61738644-F196-11D0-9953-00C04FD919C1 which was what Microsoft recommended from looking at a few random google results which had no
effect and caused the same error to continue to happen.
We run Windows SharePoint Services WSS 3.0 on this server which is our primary intranet server.
Has this happened to anyone else and what would you suggest we do to fix it?

Hi Steven,
The results of trying this generated the same DCOM error again at the early hours of this morning as it's always done.
The exact error generated from the server is listed below:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 3/12/2014
Time: 4:31:30 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: HAL-SPS
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{61738644-F196-11D0-9953-00C04FD919C1}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Given this machine isn't on the domain and we have to log into it as local administrator, the local administrator account has been granted local launch and local activation permissions under IIS WAMREG admin on the server.
Was this the correct account, or should I have granted permissions to another account?
SB.