Event Log missing

Hello,
The event log seems to be overwritten after a certain period of time... I have no event in the event log > System before 10/13/2014, even though I have 4/7/2014 for the Application event log.
1. How to have automatic backups?
2. anyway to retrieve the old logs?
3. How to expand the event log size?
Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

Hi,
In addition, you can check the policy settings for the Application event log in the Group Policy Management Editor at the path below:
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application
Best regards,
Susie
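An added example, not part of either post above, of how to answer Dom's three questions from an elevated Windows PowerShell prompt: read each classic log's size, retention mode and oldest surviving record, check whether Group Policy (the path Susie gives, which is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog) is pinning those values, enlarge the logs, switch them to archive-when-full instead of overwrite, and export them on demand. The path in $BackupDir and the 256 MB size are assumptions for the example.

```powershell
# Added example, not from the original thread. Run in an elevated Windows PowerShell.
# Assumptions: $BackupDir is a hypothetical local path; 256 MB is an illustrative size.
$Logs      = 'Application', 'Security', 'System'
$BackupDir = 'D:\EventLogBackups'
$NewMaxMB  = 256

# 1. Current state. LogMode 'Circular' means the oldest events are overwritten once
#    MaximumSizeInBytes is reached, which is what the poster is seeing.
Get-WinEvent -ListLog $Logs | ForEach-Object {
    $log    = $_
    $oldest = Get-WinEvent -LogName $log.LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LogName = $log.LogName
        Mode    = $log.LogMode
        MaxMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
        UsedMB  = [math]::Round($log.FileSize / 1MB)
        Records = $log.RecordCount
        Oldest  = if ($oldest) { $oldest.TimeCreated } else { '(empty)' }
    }
} | Format-Table -AutoSize

# 2. Is Group Policy pinning the values? Settings made under
#    Computer Configuration\Administrative Templates\Windows Components\Event Log Service\<log>
#    land in this key and win over anything set locally; if a local change snaps back, look here.
foreach ($name in $Logs) {
    $pol = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$name" -ErrorAction SilentlyContinue
    if ($pol) { "$name policy: MaxSize=$($pol.MaxSize) Retention=$($pol.Retention) AutoBackupLogFiles=$($pol.AutoBackupLogFiles)" }
    else      { "$name policy: none (local settings apply)" }
}

# 3. Question 3: enlarge the logs. wevtutil takes bytes and rounds to a 64 KB multiple.
foreach ($name in $Logs) {
    wevtutil set-log $name /maxsize:$($NewMaxMB * 1MB)
}

# 4. Question 1: with retention and autobackup both on, the service archives a full log as
#    Archive-<log>-<timestamp>.evtx under %SystemRoot%\System32\winevt\Logs and starts a
#    fresh one instead of overwriting. Nothing prunes the archives, so watch the disk.
foreach ($name in $Logs) {
    wevtutil set-log $name /retention:true /autobackup:true
}

# 5. Or export on a schedule (Task Scheduler) to a location you control.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
foreach ($name in $Logs) {
    wevtutil export-log $name (Join-Path $BackupDir "$env:COMPUTERNAME-$name-$stamp.evtx")
}

# Question 2: events already overwritten are gone from the live log. The only places they
# can still exist are earlier archives, an exported copy, or a forwarder/SIEM that received them.
Get-ChildItem "$env:SystemRoot\System32\winevt\Logs\Archive-*.evtx" -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime
```

An exported or archived .evtx is read back with Get-WinEvent -Path <file> or Event Viewer > Open Saved Log.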

Similar Messages

  • Event log entries missing in PoSh but visible in Eventvwr

    Hi,
    I've noticed the following issue on about 10 out of 2500 computers which run a script on our domain, so it's minor, but I'd like to understand why it's happening.
    When I query the event log using the eventvwr GUI I can filter on event ID 7001 and all the events list fine. However when I run 'get-eventlog -logname system -instanceid 7001' it shows all the events except the last 3 or so most recent ones (which are visible in the GUI).
    I've cross referenced this with an event visible in the GUI that had an EventRecordID of 32029. But when querying this via PowerShell 'get-eventlog -logname system -index 32029' it returns 'no matches found'.
    It's a weird problem, because if I were to query the logs in a few hours' time after a few more people have logged on/off the computer then the event would show in PowerShell, but the new most recent ones wouldn't.
    Is there a caching mechanism at work, and if so how could I disable it? It's interesting that these machines are all built from the same WDS image with the same GPOs applied but only a very small percentage exhibit this issue; all other machines show recent event logs in PowerShell instantly.
    I should also mention that these are all Windows 7 x64 computers.
    Any help appreciated.
    Thanks,
    Phil

    Hi,
    Based on my understanding, only some of your computers have this issue. And when using WMI, we can query all of the events, but when using the PowerShell command, some logs are missing.
    I would like to know that when we use 'get-eventlog -logname system -instanceid 7001| out-file c:\result.txt', how many logs are there?
    What I think is that it may be caused by there being so much log information that it could not all be displayed. We may try some other logs also.
    Regards,
    Yan Li
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.
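An added diagnostic, not from either post: Get-EventLog reads through the legacy Event Logging API, while Event Viewer and Get-WinEvent use the newer Windows Event Log API, so the first thing to establish is whether the gap Phil sees sits between those two APIs. The script pulls the same event ID through both, compares record IDs over the range both queries covered, and repeats his single-record test. Event ID 7001 and record 32029 are the values from the post; substitute your own.

```powershell
# Added example, not from the original thread. Works on Windows PowerShell 2.0+ (Windows 7).
$LogName  = 'System'
$EventId  = 7001      # the event Phil was filtering on
$RecordId = 32029     # the record he could see in Event Viewer but not in PowerShell
$Newest   = 50

# Windows Event Log API (what Event Viewer uses). RecordId is the EventRecordID from the XML.
$modern = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -MaxEvents $Newest -ErrorAction SilentlyContinue |
          ForEach-Object { $_.RecordId }

# Legacy Event Logging API (what Get-EventLog uses). Index is the same record number.
# Filter on EventID rather than -InstanceId: InstanceId carries the provider's qualifier
# bits, so for some sources it is not the number Event Viewer displays.
$legacy = Get-EventLog -LogName $LogName -Newest ($Newest * 10) |
          Where-Object { $_.EventID -eq $EventId } |
          Select-Object -First $Newest |
          ForEach-Object { $_.Index }

if (-not $modern -or -not $legacy) {
    throw "One API returned nothing for event $EventId in $LogName; nothing to compare."
}

# Compare only the record-number range that both queries covered.
$floor = [math]::Max(($modern | Measure-Object -Minimum).Minimum, ($legacy | Measure-Object -Minimum).Minimum)
$m = @($modern | Where-Object { $_ -ge $floor })
$l = @($legacy | Where-Object { $_ -ge $floor })
"Compared records >= $floor : $($m.Count) via Get-WinEvent, $($l.Count) via Get-EventLog"
Compare-Object -ReferenceObject $m -DifferenceObject $l | ForEach-Object {
    $where = if ($_.SideIndicator -eq '<=') { 'Get-WinEvent only' } else { 'Get-EventLog only' }
    '{0,-18} RecordId {1}' -f $where, $_.InputObject
}

# Phil's single-record test, both ways. A hit on the first and a miss on the second means
# the record is in the log file but is not being surfaced through the legacy API.
$viaNew = Get-WinEvent -LogName $LogName -FilterXPath "*[System[EventRecordID=$RecordId]]" -ErrorAction SilentlyContinue
$viaOld = Get-EventLog -LogName $LogName -Index $RecordId -ErrorAction SilentlyContinue
"Record $RecordId : Get-WinEvent={0} Get-EventLog={1}" -f [bool]$viaNew, [bool]$viaOld
```

If the missing records show up under "Get-WinEvent only", the log itself is complete and the legacy path is the place to look; if both APIs agree, the difference is in the filters being compared, not in the APIs.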

  • Since applying Feb 2013 Sharepoint 2010 CUs - Critical event log entries for Blob cache and missing images

    Hi,
    Since applying the February 2013 SharePoint 2010 updates, we are getting lots of entries in our event logs along the following:
    Content Management     Publishing Cache         
    5538     Critical 
    An error occurred in the blob cache.  The exception message was 'The system cannot find the file specified. (Exception from HRESULT: 0x80070002)’
    In pretty much all of these cases the image/file in question that is reported in the ULS logs as missing is not actually in the collaboration site, master page / HTML etc., so the fix needs to go back to the site owner to make the correction to avoid the 404 (if they make it!). This has only started happening, I believe, since the Feb 2013 SP2010 cumulative updates.
    I didn’t see this mentioned as a change / in the fix list of the February updates, i.e. that it flags up a critical error in our event logs. So with a lot of sites and a lot of missing images your event log can quickly fill up.
    Obviously you can suppress them in Monitoring -> Web Content Management -> Publishing Cache = None & None, which is not ideal.
    So my question is... are others seeing this, and was a change made by Microsoft to flag a 404 missing image / file up as a critical error in the event log when blob cache is enabled?
    If I log this with MS they will just say you need to fix up the missing files in the site, but it would be nice to have known this had changed prior! I also deleted and recreated the blob cache and this made no difference.
    thanks
    Brad

    I'm facing the same error on our SharePoint 2013 farm. We are on Aug 2013 CU and if the Dec CU (which is supposed to be the latest) doesn't solve it then what else could be done.
    Some users started getting the message "Server is busy now try again later" with a correlation id. I looked up ULS with that correlation id and found these two errors in addition to hundreds of "Micro Trace Tags (none)" and "forced due to logging gap":
    "GetFileFromUrl: FileNotFoundException when attempting get file Url /favicon.ico The system cannot find the file specified. (Exception from HRESULT: 0x80070002)"
    "Error in blob cache. System.IO.FileNotFoundException: The system cannot find the file specified. (Exception from HRESULT: 0x80070002)"
    "Unable to cache URL /FAVICON.ICO.  File was not found" 
    Looks like this is a bug and MS hasn't fixed it in Dec CU..
    "The opinions expressed here represent my own and not those of anybody else"

  • Missing VSS System Writer and CAPI2 error in Event Log

    Hello,
    I'm having problems making a full system backup of Windows 2008 R2 x64. It looks like this is related to a missing VSS System Writer. When I run the command "vssadmin list writers" there is no System Writer in the writers list, and in the event log a CAPI2 error (event ID 513) is showing with this description:
    Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
    Details:
    TraverseDir : Unable to push subdirectory.
    System Error:
    Unspecified error
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="0">513</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2010-03-14T01:06:35.639125000Z" />
    <EventRecordID>207975</EventRecordID>
    <Correlation />
    <Execution ProcessID="968" ThreadID="11588" />
    <Channel>Application</Channel>
    <Computer>System3</Computer>
    <Security />
    </System>
    <EventData>
    <Data>Details: TraverseDir : Unable to push subdirectory. System Error: Unspecified error</Data>
    </EventData>
    </Event>
    any idea what could be wrong?
    Thanks in advance

    Hello ,
    Based on the research, the VSS System Writer runs in the context of the CryptSvc service on Windows Server 2008. To make the System Writer work normally, please open the Services console to verify that Cryptographic Services logs on with the credentials of the "Network Service" account.
    The VSS System Writer can be missing for several reasons. To isolate this issue, please refer to the following steps to boot the problematic server in clean boot mode to perform the test.
    Steps: Clean Boot
    1. On a problematic server perform a clean boot and check if the issue still exists
    2. Click Start->Run...->type msconfig and press Enter
    3. Click Services tab and select Hide All Microsoft Services and Disable All third party Services.
    4. Click Startup tab and Disable All startup items
    5. Click OK and choose Restart
    After the server reboot, please run "vssadmin list writers" to check if the "System Writer" can be displayed.
    If the issue still exists, please open a CMD prompt with Run As Administrator and type the following commands to see if the System Writer appears.
    CD c:\windows\system32
    Takeown /f %windir%\winsxs\filemaps\* /a
    icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
    icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
    icacls %windir%\winsxs\filemaps\*.* /grant "BUILTIN\Users:(RX)"
    Moreover, based on experience, it has been reported that there are some permission issues which can cause this kind of issue. Please follow the steps below and check if it can be helpful.
    On domain controller
    1. Open Active Directory Users and Computers
    2. Click View and then "Advanced features"
    3. Right-click Builtin and click Properties.
    4. Click security tab.
    5. Grant read permission to 'Authenticated Users'
    6. Click Apply and OK.
    7. Restart Cryptographic Services.
    Note: By Default, it should have read permission for the system to take system state backup.
    Hope this can be helpful.
    MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin
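An added example, not part of the original answer: the checks the answer walks through collected into one read-only script, so you can see whether the System Writer is registered, which account CryptSvc logs on as, what the recent CAPI2 513 events say, and whether SYSTEM, TrustedInstaller and Users hold on %windir%\winsxs\filemaps the rights that the takeown/icacls lines above would grant. The Active Directory Builtin-container check from the second half of the answer is not included, since it needs a domain controller and the AD tools.

```powershell
# Added example, not part of the original answer. Run elevated; it reports and changes nothing.
$ok = $true

# 1. Is the System Writer registered with VSS right now?
$writers = (vssadmin list writers) -join "`n"
if ($writers -match "Writer name: 'System Writer'") { 'System Writer : present' }
else { 'System Writer : MISSING'; $ok = $false }

# 2. The writer lives in CryptSvc; it should be running as Network Service.
$crypt = Get-WmiObject Win32_Service -Filter "Name='CryptSvc'"
'CryptSvc      : state={0} logon={1}' -f $crypt.State, $crypt.StartName
if ($crypt.StartName -notmatch 'NetworkService$') { $ok = $false }

# 3. The CAPI2 513 errors from the post, newest first, first line of the message only.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2'; Id = 513 } `
    -MaxEvents 3 -ErrorAction SilentlyContinue |
    ForEach-Object { '{0:u}  {1}' -f $_.TimeCreated, (($_.Message -split "`r?`n")[0]) }

# 4. The permissions the answer's takeown/icacls lines would set on winsxs\filemaps.
$path     = Join-Path $env:windir 'winsxs\filemaps'
$expected = @{
    'NT AUTHORITY\SYSTEM'         = 'ReadAndExecute'
    'NT SERVICE\TrustedInstaller' = 'FullControl'
    'BUILTIN\Users'               = 'ReadAndExecute'
}
$acl = Get-Acl -Path $path
foreach ($who in $expected.Keys) {
    $need = [System.Enum]::Parse([System.Security.AccessControl.FileSystemRights], $expected[$who])
    $have = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $who } |
        ForEach-Object { $_.FileSystemRights }
    $granted = $false
    foreach ($r in $have) { if (($r -band $need) -eq $need) { $granted = $true } }
    if ($granted) { '{0,-28} ok ({1})' -f $who, $expected[$who] }
    else          { '{0,-28} MISSING {1}' -f $who, $expected[$who]; $ok = $false }
}

"`nAll checks passed: $ok"
if (-not $ok) { "Apply the takeown/icacls lines from the answer, restart Cryptographic Services, then re-run 'vssadmin list writers'." }
```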

  • Lots of Anyconnect Error Message in Windows Event Log

    Hi Community.
    We have lots of Anyconnect Error Messages in the Windows Event Log. Following two examples.
    Can anyone tell me why these errors appear and how I fix them? I already installed the newest AnyConnect on my machine.
    Thanks in advance and Kind Regards Patrick
    Example 1
      <Provider Name="acvpnagent" />
      <EventID Qualifiers="9216">2</EventID>
      <Keywords>0x80000000000000</Keywords>
      <EventRecordID>97564</EventRecordID>
      <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
    - <EventData>
      <Data>Function: CNetEnvironment::logProbeFailure File: .\NetEnvironment.cpp Line: 1432 Invoked Function: CHttpProbeAsync::SendProbe Return Code: -27066354 (0xFE63000E) Description: HTTP_PROBE_ASYNC_ERROR_CANNOT_CONNECT HTTP (host: 109.164.211.237)</Data>
      </EventData>
    Example 2
      <Provider Name="acvpnagent" />
      <EventID Qualifiers="9216">2</EventID>
      <Keywords>0x80000000000000</Keywords>
      <EventRecordID>97565</EventRecordID>
      <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
    - <EventData>
      <Data>Function: CNetEnvironment::TestAccessToSG File: .\NetEnvironment.cpp Line: 1385 Invoked Function: CNetEnvironment::analyzeHttpResponse Return Code: -28966899 (0xFE46000D) Description: NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target</Data>
      </EventData>

    Hi and welcome to Discussions,
    in my personal opinion there is not much for you to worry about.
    The 'Windows Tool for the elimination of malware' is nothing you will miss as long as you have decent Anti-Virus software running.
    The update for IE 7 might be missing an installed IE 7, which you can do by downloading it yourself from Microsoft's webpage.
    If you don't use IE but something like Firefox or Opera or Safari, then don't bother with these updates.
    Stefan

  • Seemingly successful install of Exchange 2013 SP1 turns into many errors in event logs after upgrade to CU7

    I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server. 
    I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online). 
    I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me). 
    Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
    Issue 1)
    After each reboot I get a Kernel-EventTracing 2 error.  I cannot find anything on this on the internet so I have no idea what it is.
    Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
    I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
    Issue 2)
    I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
    https://support.microsoft.com/kb/2870416?wa=wsignin1.0
    One of the perf counters fails to register using the script from the link above.
    66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
    New-PerfCounters : The performance counter definition file is invalid.
    At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
    +    New-PerfCounters -DefinitionFileName $f
    +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidData: (:) [New-PerfCounters], TaskException
        + FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
    But that one seems unrelated to the ones that still throw errors. 
    Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
    Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Issue 3)
    I appear to have some issues related to the healthmailboxes. 
    I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
    SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
    I reran setup /prepareAD to try and remedy this but I am still getting some.
    Issue 4)
    I am getting an MSExchange RBAC 74 error. 
    (Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
    Issue 5)
    I am getting MSExchange Assistants 9042 warnings on both databases.
    Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
    Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server. 
    If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
    Issue 6)
    At boot I am getting an MSExchange ActiveSync warning 1033
    The setting SupportedIPMTypes in the Web.Config file was missing. 
    Using default value of System.Collections.Generic.List`1[System.String].
    I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.

    Hi Eric
    Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3rd time. 
    I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
    I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”. 
    If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
     So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering. 
    Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users. 
    I then applied an address policy to them and gave it the highest priority. 
    Then I set a default email address policy for the entire organization. 
    After reinstalling Exchange all of my system mailboxes were created with the internal domain name. 
    So issue number 3 above has not come up. 
    For issue number one above I have created a new thread:
    https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
    For issue number four I have posted to this existing thread where there is so far no resolution:
    https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
    Issue number Five I have managed to recreate and get rid of in more than one way. 
    If I create a new database in ECP and set the database and log paths where I want, then this error will appear. 
    If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear. 
    The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service. 
    If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away. 
    So my off hand guess is that these are caused by orphaned system mailboxes.
    For issue number six I have posted to this existing thread where there is so far no resolution:
    https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
    So for the remainder of this thread we can try and tackle issue number two which is the perf counters. 
    The exact same 5 perf counter were coming up and this had been true each time I have uninstalled and reinstalled Exchange 2013CU7. 
    Actually to be more accurate a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five. 
    Using all of your suggestions so far has not removed these 5 remaining errors either. Since there is no discernible impact other than these errors at boot I am not seriously bothered by them, but as with all event log errors, I would prefer to make them go away if possible.

  • Vmware.log missing information

    Hi!
    I was wondering if somebody can please enlighten me, I have noticed some of the information is missing from vmware.log file on the VM.
    For example: I am investigating whether there was any problem at 2015-03-12T15:00:00, but the log stops at 2015-03-12T13:18:50 and then continues onto the next day at 2015-03-13T08:23:54.
    The log file is over 1GiB and the VM is a mail server with DAG. Any help or pointers would be greatly appreciated.
    Thanks in advance.

    Hi,
    According to your description, your audit log may have some entries which are lost. Firstly, I’d like to confirm whether all results can be retrieved after you set the search level.
    Based on my research, Administrator audit logging relies on Active Directory replication to replicate the configuration settings you specify to the domain controllers in your organization. Depending on your replication settings, the changes you make may not be immediately applied to all servers running Exchange 2010 in your organization. Thus, if there are multiple AD sites, we can check if there is something wrong with AD replication.
    Additionally, we can also check if there is any related error in your event log.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Cannot open eventlog service on computer '.'. (Windows Event Log service doesn't exist)

    This problem used to be solved after moving a computer object into the appropriate OU and restarting, and if that didn't work, it used to be solved when uninstalling and reinstalling Microsoft FEP (restarts in-between).  Now, the only way to access event logs is by logging in as a domain admin, or by accessing event logs through remote manage.
    If a machine object is added to the domain, dropped into the computers container, and restarted, we get this error when going into Computer Management:
    "Cannot open eventlog service on computer '.'."
    The original problem was noticed on our VMs, but I also tried it with a Lenovo Windows 7 build out of the box, added it to our domain, and the problem occurred. When our desktops are built, SCCM's task manager drops it into the appropriate OU immediately, so desktops don't have issues.  With VMs, they are dropped into the computers container and restarted, so once this problem occurs, it almost never leaves.  SOMETIMES, removing it from the domain solves the problem, but not always.
    I've tried all of the suggestions I've seen online and none of them have worked, such as cleaning up the policies (through registry, and the appropriate system folders), adding the proper NTFS permissions on the RtBackup folder and %SystemRoot%\System32\winevt\logs, netsh winsock reset, cleanboot, etc.
    I did notice that I'm unable to find the NT Service\EventLog user group. I wanted to add it to %systemroot%\system32\winevt\logs, but the group cannot be found on the local computer. Even if that's the problem, why is it missing?
    It doesn't seem like anyone else on the internet gets this exact error.

    Hi Kate!
    Yes, the Windows Event Log service is missing. I had already tried your method (#3), and I did try it again. This is the error I get:
    "The specified service already exists."
    If you check services.msc, it's still not there. If you try to start the Event Viewer, the same error comes up:
    Cannot open eventlog service on computer '.'.
    Hi, 
    Please check for the existence of this key. If not found, create a *.reg file from another machine and import.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    Then, check the issue again.
    If this doesn't work, let's run the System File Checker tool to repair the system:
    Run SFC command in elevated command prompt
    SFC /scannow
    Any error message, please post here to let me know.
    Keep posting.
    Kate Li
    TechNet Community Support
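An added example, not part of the original reply: the checks behind Kate's suggestion, plus the one the poster raised about NT Service\EventLog. It reports whether the Windows Event Log service is registered with the Service Control Manager, whether its registry key is present and what it points at, whether the per-service SID resolves through LSA (which is what the ACL editor does when you type NT SERVICE\EventLog), and whether that SID still holds an ACE on winevt\Logs and RtBackup. It changes nothing.

```powershell
# Added example, not part of the original reply. Run elevated on the affected machine; read-only.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$logs = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$rtb  = Join-Path $env:SystemRoot 'System32\LogFiles\WMI\RtBackup'

# 1. Does the Service Control Manager know the service, and is its registry key there?
$svc = Get-Service -Name EventLog -ErrorAction SilentlyContinue
'Service in SCM      : {0}' -f $(if ($svc) { "yes ($($svc.Status))" } else { 'NO' })
'Registry key exists : {0}' -f (Test-Path $key)
if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    'ImagePath           : {0}' -f $p.ImagePath    # expect %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
    'ObjectName          : {0}' -f $p.ObjectName   # expect NT AUTHORITY\LocalService
    'Start               : {0}' -f $p.Start        # expect 2 (Automatic)
}

# 2. The per-service SID. sc.exe derives it from the name alone, so this works even when the
#    service is gone. Resolving 'NT SERVICE\EventLog' through LSA is expected to fail while the
#    service is not registered, which is what the poster saw in the ACL editor.
$sid = sc.exe showsid EventLog | Select-String 'SERVICE SID:' | ForEach-Object { ($_.Line -split ':\s*')[1] }
"Computed service SID: $sid"
try {
    $resolved = (New-Object System.Security.Principal.NTAccount('NT SERVICE', 'EventLog')).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
    "LSA resolves name   : yes ($resolved)"
} catch { 'LSA resolves name   : NO (consistent with the service being unregistered)' }

# 3. Does that SID still hold an ACE on the folders the service writes to? The ACE survives the
#    registration being lost; it then displays as the raw SID instead of NT SERVICE\EventLog.
foreach ($dir in $logs, $rtb) {
    if (-not (Test-Path $dir)) { "$dir : missing"; continue }
    $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
    if (-not $acl) { "$dir : cannot read ACL (access denied)"; continue }
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $sid -or $_.IdentityReference.Value -eq 'NT SERVICE\EventLog'
    }
    if ($aces) { foreach ($a in $aces) { '{0} : {1} {2} ({3})' -f $dir, $a.AccessControlType, $a.FileSystemRights, $a.IdentityReference } }
    else       { "$dir : no ACE for the EventLog service SID" }
}

# 4. Repair path from the reply, for reference (not executed here): on a healthy machine of the
#    same OS build run  reg export HKLM\SYSTEM\CurrentControlSet\Services\EventLog EventLog.reg ,
#    copy the file over, run  reg import EventLog.reg , reboot, then  sfc /scannow .
```

If step 1 reports the key present but the service absent from the SCM, the SCM failed to load it (look at ImagePath and the DLL it names); if the key itself is absent, the export/import route is the fix.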

  • Methods for Remote Event Log Collection (WMI vs RPC vs WinRM)

    Hi,
    I'm currently evaluating several 3rd party tools (SIEMs) to help me with log management in a large (mostly) Windows domain environment. Each tool uses a different approach to collecting the event log from remote systems, and I'd like help understanding the pros and cons of each approach. I've dropped this in the scripting forum as the tools are essentially running different scripts and it's this part I would like to understand.
    WMI: An agent installed on a windows server connects to each monitored box and grabs their event logs via WMI. Our legacy SIEM already collects from over 2000 servers using this method.
    RPC: As above, but using RPC. No changes required on the remote machines.
    WinRM: An appliance integrates with AD and collects event logs remotely using WinRM. This is reasonably new to me (I'm a security guy, not a sys admin) but I seem to have to enable an additional remote management tool, and open a new listening port on every single machine I want to collect the event log from.
    I read the following blog entry, which seemed to indicate that RPC was the best choice for performance, considering I'm going to be making high frequency connections to over 2000 targets:
    http://blogs.technet.com/b/josebda/archive/2010/04/02/comparing-rpc-wmi-and-winrm-for-remote-server-management-with-powershell-v2.aspx 
    However, everything I have found on the subject of remote event collection seems to suggest that WinRM is the "approved" method for event log collection. The vendor using the WinRM approach is also suggesting that it is the only official MS supported way of doing this.
    So I would like to ask, is there a reason that WMI and RPC should not be used for this purpose, since they clearly work and don't require any changes to my environment? Is there some advantage to WinRM that justifies touching my entire estate and opening an additional port (increasing my attack surface)?
    Thanks in advance,

    Hi,
    I'm aware of the push method, and may indeed move to it in time, although I'm just as likely to install a 3rd party agent on the machines to perform this role with greater functionality and manageability for the same effort. I've only seen organisations using commercial agents (snare, splunk, etc) or WMI for log collection in practice, so I don't think I'm the only one with reservations about it.
    Anything that involves making configuration changes to a large and very varied estate is not something to do lightly. Particularly if alternatives exist that don't require this change to be carried out immediately. That is why I'm looking to properly understand the pros and cons of these "legacy" approaches for use as an interim solution if nothing more.
    Pulling probably is more resource intensive, although I've not seen an actual comparison, but it's not really that fragile in my experience. If a single pull fails, you just collect the logs you missed at the next pull cycle in a few seconds/minutes.
    All logs are pulled directly into a SIEM for analysis, so that part is covered.
    Anyway, I appreciate the input, but I'm still holding out for concrete reasons to move away from WMI/RPC or to embrace WinRM. Bear in mind I'm considering fixing something that doesn't look broken to me!
    Cheers,
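An added example, not from the thread, that makes the three transports concrete: it pulls the same slice of a remote System log (Error level, last 24 hours) over the Event Log Remoting protocol on RPC, over WMI/DCOM, and over WinRM, and tabulates the ports each needs, how many events came back and how long each took. $Target is a hypothetical host name; the account running it needs membership in Event Log Readers (or local Administrators) on the target. Nothing is installed or changed on the target.

```powershell
# Added example, not from the original thread. $Target is a hypothetical host.
$Target = 'srv01.corp.example'
$Since  = (Get-Date).AddHours(-24)

function Measure-Pull {
    param([string]$Method, [string]$Ports, [scriptblock]$Query)
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    $out = @(& $Query)
    $sw.Stop()
    [pscustomobject]@{ Method = $Method; Ports = $Ports; Events = $out.Count; Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 1) }
}

$rows = @(
    # 1. Event Log Remoting protocol over RPC: what Event Viewer's "Connect to another computer"
    #    uses. Needs the "Remote Event Log Management" firewall rule group enabled on the target.
    Measure-Pull -Method 'RPC   (Get-WinEvent -ComputerName)' -Ports 'TCP 135 + dynamic RPC' -Query {
        Get-WinEvent -ComputerName $Target -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = $Since } -ErrorAction Stop
    }

    # 2. WMI over DCOM. Win32_NTLogEvent covers only the classic logs (not the Applications and
    #    Services channels), and the provider walks the whole log to apply the WHERE clause,
    #    which is where the slowness on large logs comes from. EventType 1 = Error.
    Measure-Pull -Method 'WMI   (Win32_NTLogEvent)' -Ports 'TCP 135 + dynamic DCOM' -Query {
        $dmtf = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Since)
        Get-WmiObject -ComputerName $Target -Class Win32_NTLogEvent `
            -Filter "Logfile='System' AND EventType=1 AND TimeGenerated>='$dmtf'" -ErrorAction Stop
    }

    # 3. WinRM (WS-Management). The query executes on the target and only the result set
    #    crosses the wire; the price is a listener on 5985/5986 on every source host.
    Measure-Pull -Method 'WinRM (Invoke-Command)' -Ports 'TCP 5985 / 5986' -Query {
        Invoke-Command -ComputerName $Target -ArgumentList $Since -ErrorAction Stop -ScriptBlock {
            param($s) Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = $s }
        }
    }
)
$rows | Format-Table -AutoSize
```

All three return the same records; what differs is the listening surface on the source, where the filtering runs, and how a failed pull is retried. The push model the reply mentions (Windows Event Forwarding) also rides on WinRM, but in source-initiated mode the source connects outbound to the collector, and the collector holds no standing credential with Event Log Readers rights on two thousand hosts, which is the asset an attacker goes after in any pull design.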

  • Home Hub 3 - no event log for a month

    I tried and failed to access the Hub Manager home page yesterday.
    I tried several PCs / operating systems / browsers without success.
    Eventually, I rebooted the router and managed to access the page.
    Having logged in I found that no entries had been added to the event log since the early hours of November 18th (just over a month ago) although the broadband has been working fine.
    Has anybody else had similar experiences? As a generally paranoid individual I am not too happy that there are missing event log items!!
    Thanks
    Brian

    Hi oldbak,
    Is this issue still apparent? Have you tried resetting the hub?
    Chris
    BT Mod team
    If you like a post, or want to say thanks for a helpful answer, please click on the Ratings star on the left-hand side of the post.
    If someone answers your question correctly please let other members know by clicking on ’Mark as Accepted Solution’.

  • [UNSOLVED] Event Log Custom XML Query Filtering Help

    I've looked at a few different posts but I must be missing something because what I'm constructing isn't working.
    Here's the XML code of an example event:
    - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    - <System>
    <Provider Name="ERAS WCF" />
    <EventID Qualifiers="0">0</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-07-09T20:32:51.000000000Z" />
    <EventRecordID>899070</EventRecordID>
    <Channel>Application</Channel>
    <Computer>server.f.q.d.n</Computer>
    <Security />
    </System>
    - <EventData>
    <Data>User [email protected] has submitted 'Get BIOS Information' operation from servername to computername.f.q.d.n.</Data>
    </EventData>
    </Event>
    This is my query:
    <QueryList>
    <Query Id="0">
    <Select Path="Application">*[EventData[Data and (Data='computername' or Data='ip.add.re.ss')]]</Select>
    </Query>
    </QueryList>
    I always get 0 results, even if I take stabs in the dark:
    *[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]
    *[EventData[Data and (Data='*computername*')]]
    *[EventData[Data and (Data='%computername%')]]
    I used this post as my guide for filtering based on content: http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
    Also:
    I hope this is the right place for this question.  This said to post in the server forums, but in the server forums, it said to post here.
    I happen to be doing this on a server, but it could just as easily be a desktop.

    Hello,
    Thanks for posting question to this forum. Since this forum is related with XPath, what I can do is to help you validate your XPath query. With your query, I tested them with my computer, however, all of them could load event record correctly:
    Query:*[EventData[Data and (Data='Office12AssertTimer' or Data='6.3.9600.17031')]]
    Result:
    Query:*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]
    Result:
    So your XPath query is ok. Could you try using the same query to filter the event log on another computer, to check whether records are returned there? I am wondering if there is something wrong with your current computer.
    And since the XPath is ok, I would suggest posting it to the server forum to see if others can look into it.
    Regards.

  • Windows could not start the Cluster Service on Local computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 2.

    Dear Technet,
    Windows could not start the Cluster Service on Local computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 2.
    My cluster suddenly disappeared, and I tried to restart the cluster service. When trying to restart the service, the above-mentioned error comes up.
    I even tried to remove the cluster through PowerShell, but that still couldn't happen because the cluster service is not running.
    Help me please. Thank you.
    Regards
    Shamil

    Hi,
    Could you confirm which account is used to start the cluster service? The Cluster service is a service that requires a domain user account.
    The server cluster Setup program changes the local security policy for this account by granting a set of user rights to the account. Additionally, this account is made a member of the local Administrators group.
    If one or more of these user rights are missing, the Cluster service may stop immediately during startup or later, depending on when the Cluster service requires the particular user right.
    Hope this helps.

  • No event logs when RAID fails in Server 2008 and R2

    From what I'm finding out (by web searching) they forgot to include event logging in Server 2008 for when a Windows software RAID fails in some way such as missing disk, failed redundancy, etc. This is REALLY annoying as I was trying to set up email notifications for when this happens so I can fix it. I'm just using this on my servers at home, so I'm not big on the idea of spending a lot of money on a hardware RAID; it just does some simple network file sharing and streaming and software RAID is fine. Is there any way to get this to work properly, like it used to?! Hotfix? Sacrifice a small animal? Free third-party tools that would work if nothing else? Would a MOM server be able to notify me? (been considering setting up one of those and SCCM to mess with)

    Thanks guys for chiming in. The only way Microsoft will know this is a big deal (you would think they would, but apparently not) is for people to complain. I found this out myself when I was trying to set up event-triggered tasks to email on low disk space and RAID failure, only to find no events are created on RAID failures!
    I have set up a SCOM 2007 R2 server in my testing environment. It registers and alerts me for low disk space just fine, but the availability monitor is not tripped when I break a RAID volume. I have tried offlining a disk, which results in failed redundancy, and also shutting down the VM and removing a drive, and neither seems to trip an alert. Do I have to do something to get it to monitor correctly?

  • PowerShell - Mining Remote Event Log / Hanging...

    I'm mining remote event logs on multiple machines to find a series of events.  I've put together a script that requests the event log name and start date (earliest date to begin the log export).
    For some reason, the process seems to hang after writing to the file and not proceed to the next machine.
    If someone could peek at this script and tell me if I missed something obvious, I'd greatly appreciate it.
    # Event Log Check
    # Get list of computers from specified file
    $machines = get-content -path "C:\Command Prompt\CheckEvent_NETLOGON\ComputerList.txt"
    $LogName = read-host "Enter Log Name to Query"
    $startdate = read-host "Enter Start Date (mm/dd/yy)"
    # Begin Looping through File
    $count =2
    foreach ($machine in $machines) {
        # End of the window is "now"; the same timestamp is reused in the output file name
        $enddate = get-date
        $shortend = get-date -format MM-dd-yy.HH.mm
        $machinename = (Get-WmiObject win32_computersystem -ComputerName $machine).Name
        write-host "Starting $machine query."
        Get-Eventlog -Logname $LogName -ComputerName $machine -after $startdate -before $enddate | select TimeGenerated,MachineName,EventID,Source,UserName | export-csv -delimiter "`t" -path "C:\Command Prompt\CheckEvent_NETLOGON\results\$machinename.$logname.$shortend.ttx"
        write-host "$machine complete. Next..."
        $count++
    }
    Thanks so much!
    Ben Adler

    These two lines were wrong:
    $enddate = get-date
    $shortend = get-date -format MM-dd-yy.HH.mm
    You may also need to check the date format.
    I would use an interval.  Ask for how many days to retrieve and calculate
    $numdays=7
    $before=[datetime]::Today
    $after=$before.AddDays(-$numdays)
    If you are all Vista or later use Get-WinEvent.  It is faster and indexes most values.
    \_(ツ)_/
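    An added example (not the poster's script or the reply's code) that puts the reply's day-interval suggestion together with Get-WinEvent, and keeps going when one host is unreachable. The file paths are placeholders; the host list file is assumed to hold one name per line.

```powershell
# Added example, not the original poster's script. The reply's day-interval idea
# combined with Get-WinEvent; paths below are placeholders.
$listFile = 'C:\temp\ComputerList.txt'    # placeholder: one host name per line
$outDir   = 'C:\temp\results'             # placeholder: per-host output directory
$LogName  = Read-Host 'Enter Log Name to Query'
$numDays  = [int](Read-Host 'How many days back?')

# Compute the window once as [datetime] objects, so no string-to-date parsing
# (and no mm/dd/yy vs dd/mm/yy ambiguity) is involved.
$before = [datetime]::Today.AddDays(1)         # up to the end of today
$after  = [datetime]::Today.AddDays(-$numDays)
$stamp  = Get-Date -Format 'MM-dd-yy.HH.mm'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($machine in (Get-Content -Path $listFile | Where-Object { $_.Trim() })) {
    Write-Host "Starting $machine query."
    try {
        # FilterHashtable is applied by the event log service on the remote host, so
        # only matching records cross the wire instead of the whole log.
        $events = @(Get-WinEvent -ComputerName $machine -ErrorAction Stop -FilterHashtable @{
            LogName   = $LogName
            StartTime = $after
            EndTime   = $before
        })
        $events |
            Select-Object TimeCreated, MachineName, Id, ProviderName,
                          @{ n = 'UserSid'; e = { $_.UserId } } |
            Export-Csv -Delimiter "`t" -NoTypeInformation `
                       -Path (Join-Path $outDir "$machine.$LogName.$stamp.txt")
        Write-Host "$machine complete ($($events.Count) events). Next..."
    }
    catch {
        # "No events were found", access denied, RPC unavailable: record it and move on
        # rather than letting one host stop the whole run.
        Write-Warning "$machine : $($_.Exception.Message)"
    }
}
```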

  • Remote desktop fails, can still connect to event log and services.

    I am unable for some reason to remote into a machine that I've been able to before. This occurred after it installed automatic updates. At the moment I can connect to services and the event log from another machine with the same credentials, but I can't log onto the machine itself. Is there any way to reset this info or such? This machine is a part of a domain and can read credentials from the domain controller.
    I also do know that remote desktop is enabled.
    The following error occurs in the event log on the affected machine.
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2013-03-21 10:28:23 AM
    Event ID:      5061
    Task Category: System Integrity
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      ****
    Description:
    Cryptographic operation.
    Subject:
        Security ID:        SYSTEM
        Account Name:        ****$
        Account Domain:        *******
        Logon ID:        0x3e7
    Cryptographic Parameters:
        Provider Name:    Microsoft Software Key Storage Provider
        Algorithm Name:    RSA
        Key Name:    TSSecKeySet1
        Key Type:    Machine key.
    Cryptographic Operation:
        Operation:    Decrypt.
        Return Code:    0xc000000d
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5061</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12290</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2013-03-21T14:28:23.339874500Z" />
        <EventRecordID>937125</EventRecordID>
        <Correlation />
        <Execution ProcessID="500" ThreadID="548" />
        <Channel>Security</Channel>
        <Computer>**********</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">*******$</Data>
        <Data Name="SubjectDomainName">********</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
        <Data Name="AlgorithmName">RSA</Data>
        <Data Name="KeyName">TSSecKeySet1</Data>
        <Data Name="KeyType">%%2499</Data>
        <Data Name="Operation">%%2484</Data>
        <Data Name="ReturnCode">0xc000000d</Data>
      </EventData>
    </Event>

    Hi,
    The following methods could be used to resolve some of the most common problems.
    Potential issues that may be seen:
    1.) Remote Desktop endpoint is missing
    Each virtual machine that is created should have a remote desktop endpoint for the VM at port 3389. If this endpoint is deleted then a new endpoint must be created. The public port can be any available port number. The private port (the port on the VM) must be 3389.
    2.) RDP fails with error: "The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support."
    RDP connection may fail when there are cached credentials. Please see the following article to resolve this problem:
    http://www.c-sharpcorner.com/uploadfile/ae35ca/windows-azure-fixing-reconnect-remote-desktop-error-the-specified-user-name-does-not-exist-verif/
    3.) Failure to connect to uploaded VHD
    When a VHD is uploaded to Windows Azure you must make sure that Remote Desktop is enabled on the VHD and an appropriate firewall rule is enabled on the VM to open port 3389 (Remote Desktop port).
    Hope this helps!
    Regards.
    Vivian Wang
    TechNet Community Support
