Event log of remote view/control

Is it possible to have ZENworks not log a remote session in the target
machine's event log?

Shaun Pond wrote:
> Patrick,
>
> with ZDM7SP1, yes http://www.novell.com/support/search...%200%209955870
> otherwise no, sorry
>
My workaround was to clear the application log via a command line tool
in the login script :)

Similar Messages

  • Event Viewer cannot open the event Log or Custom view. Verify that the Event log service is running or query is too long. The instance name passed was not recognized as valid by a WMI data provider(4201).

    "Event Viewer cannot open the event Log or Custom view. Verify that the Event log service is running or query is too long. The instance name passed was not recognized as valid by a WMI data provider(4201)"
    This error keeps cropping up now and again on most of our domain controllers (OS-2008 AND 2008R2)... Usually a restart fixes the issue; however, the issue repeats and security logs don't generate.
    Any advice on how to fix this issue permanently would be greatly appreciated.

    Please see this: https://social.technet.microsoft.com/Forums/windows/en-US/95987ca3-a1b2-4da6-95b7-d825d06cdac7/error-code-4201-the-instance-name-passed-was-not-recognized-as-valid-by-a-wmi-data-provider?forum=w7itprosecurity
    You can also try rebuilding the WMI repository: http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-rebuilding-the-wmi-repository.aspx
    Ahmed MALEK

  • Minimum rights for remote view/control

    I am in the process of cleaning up rights in my eDirectory because our last Novell admin was quite liberal with assigning rights. What I need to know is what are the minimum rights needed to remote view a workstation and what are the minimum rights needed to remote control a workstation. I have been searching Google and the forums for a while with no luck.

    Originally Posted by mbreiden
    On Wed, 30 Jul 2008 15:16:02 GMT, geistc wrote:
    write to the action you want to allow
    read to mac address
    DIDAS AG
    Thanks for the quick response.
    I ran through the wizard and then looked at rights it gave the account. It looks like the attributes are as follows:
    Remote Control:
    DM:Remote Control -- write
    WM:Network Address -- read
    Remote View:
    DM:ZEN Remote View -- write
    WM:Network Address -- read
    The only thing I wanted to verify was, do I need to give those rights to the user objects as well as the workstation objects in order for this to work? I know some of the techs use C1 and right-click on the user, then select 'Remote Management'. Just not sure if I need to give rights to the user objects as well since the user will be logged in at the time the tech will be remote controlling/viewing.

  • Methods for Remote Event Log Collection (WMI vs RPC vs WinRM)

    Hi,
    I'm currently evaluating several 3rd party tools (SIEMs) to help me with log management in a large (mostly) Windows domain environment. Each tool uses a different approach to collecting the event log from remote systems, and I'd like help understanding the
    pros and cons of each approach. I've dropped this in the scripting forum as the tools are essentially running different scripts and it's this part I would like to understand.
    WMI: An agent installed on a windows server connects to each monitored box and grabs their event logs via WMI. Our legacy SIEM already collects from over 2000 servers using this method.
    RPC: As above, but using RPC. No changes required on the remote machines.
    WinRM: An appliance integrates with AD and collects event logs remotely using WinRM. This is reasonably new to me (I'm a security guy, not a sys admin) but I seem to have to enable an additional remote management tool, and open a new listening port on every
    single machine I want to collect the event log from.
    I read the following blog entry, which seemed to indicate that RPC was the best choice for performance, considering I'm going to be making high frequency connections to over 2000 targets:
    http://blogs.technet.com/b/josebda/archive/2010/04/02/comparing-rpc-wmi-and-winrm-for-remote-server-management-with-powershell-v2.aspx 
    However, everything I have found on the subject of remote event collection seems to suggest that WinRM is the "approved" method for event log collection. The vendor using the WinRM approach is also suggesting that it is the only official MS supported
    way of doing this.
    So I would like to ask, is there a reason that WMI and RPC should not be used for this purpose, since they clearly work and don't require any changes to my environment? Is there some advantage to WinRM that justifies touching my entire estate and opening
    an additional port (increasing my attack surface)?
    Thanks in advance,

    Hi,
    I'm aware of the push method, and may indeed move to it in time, although I'm just as likely to install a 3rd party agent on the machines to perform this role with greater functionality and manageability for the same effort. I've only seen organisations
    using commercial agents (snare, splunk, etc) or WMI for log collection in practice, so I don't think I'm the only one with reservations about it.
    Anything that involves making configuration changes to a large and very varied estate is not something to do lightly. Particularly if alternatives exist that don't require this change to be carried out immediately. That is why I'm looking to properly understand
    the pros and cons of these "legacy" approaches for use as an interim solution if nothing more.
    Pulling probably is more resource intensive, although I've not seen an actual comparison, but it's not really that fragile in my experience. If a single pull fails, you just collect the logs you missed at the next pull cycle in a few seconds/minutes.
    All logs are pulled directly into a SIEM for analysis, so that part is covered.
    Anyway, I appreciate the input, but I'm still holding out for concrete reasons to move away from WMI/RPC or to embrace WinRM. Bear in mind I'm considering fixing something that doesn't look broken to me!
    Cheers,

  • Cannot open eventlog service on computer '.'. (Windows Event Log service doesn't exist)

    This problem used to be solved after moving a computer object into the appropriate OU and restarting, and if that didn't work, it used to be solved when uninstalling and reinstalling Microsoft FEP (restarts in-between).  Now, the only way to access
    event logs is by logging in as a domain admin, or by accessing event logs through remote manage.
    If a machine object is added to the domain, dropped into the computers container, and restarted, we get this error when going into Computer Management:
    "Cannot open eventlog service on computer '.'."
    The original problem was noticed on our VMs, but I also tried it with a Lenovo Windows 7 build out of the box, added it to our domain, and the problem occurred. When our desktops are built, SCCM's task manager drops it into the appropriate OU immediately,
    so desktops don't have issues.  With VMs, they are dropped into the computers container and restarted, so once this problem occurs, it almost never leaves.  SOMETIMES, removing it from the domain solves the problem, but not always.
    I've tried all of the suggestions I've seen online and none of them have worked, such as cleaning up the policies (through registry, and the appropriate system folders), adding the proper NTFS permissions on the RtBackup folder and %SystemRoot%\System32\winevt\logs, netsh
    winsock reset, cleanboot, etc.
    I did notice that I'm unable to find the NT Service\EventLog user group. I wanted to add it to %systemroot%\system32\winevt\logs, but the group cannot be found on the local computer. Even if that's the problem, why is it missing?
    It doesn't seem like anyone else on the internet gets this exact error.

    Hi Kate!
    Yes, the Windows Event Log service is missing. I had already tried your method (#3), and I did try it again. This is the error I get:
    "The specified service already exists."
    If you check services.msc, it's still not there. If you try to start the Event Viewer, the same error comes up:
    Cannot open eventlog service on computer '.'.

    Hi,
    Please check for the existence of this key. If not found, create a *.reg file from another machine and import.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    Then, check the issue again.
    If this doesn't work, let's run System file checker tool to repair system:
    Run SFC command in elevated command prompt
    SFC /scannow
    Any error message, please post here to let me know.
    Keep post.
    Kate Li
    TechNet Community Support

  • OpsMgr EventId 26007 on Domain Controllers "The EventLog service reported that the Security event log on computer ' ' is corrupt."

    Hi,
    We are receiving several eventids '26007' from the OpsMgr log on our Domain Controllers, also eventids '26008' with similar description are logged
    The EventLog service reported that the Security event log on computer '<Domain Controller Computer>' is corrupt. The Windows Event Log Provider will attempt to recover by re-opening log.
    I'll appreciate any suggestion in order to solve this issue.
    Regards.

    I guess this issue is caused by event ID 4661 being corrupted in the security event log.
    Please check if you have many 4661 events in the security event log and the XML view cannot be viewed.
    Running the below command on DC will disable the auditing of the SAM Object access. This should stop the Event ID 4661 from being logged which should stop the Alert regarding corrupt Event log:
    auditpol /set /subcategory:"SAM" /success:disable /failure:disable
    Regards,

  • Unconfigured VG Ports Show Event Log Errors

    Unconfigured ports on a VG224 or VG248 show up in the CallManager's Event Log as Stop Errors. Any way to suppress or filter these? I have roughly a hundred voice gateways with countless unassigned ports. It makes the Event log unusable for viewing other status.

    Telnet to the VG248 and disable the port. If you leave them enabled, with no DIDs on them, or unregistered, they will sit there and peg your CCM constantly wanting to register. I just found that out.
    Enable the next open port on the VG248's. If possible, fill up one VG248, move to the next one.
    To enable a port:
    i. Telnet to VG248
    ii. Login
    iii. Configure
    iv. Login with the #CCM pw
    v. Scroll to Telephony then Port Specific Parameters, then select "enabled port" to disable it
    vi. Change your status from Disable to Enable (hit enter for menu to select Enable)
    vii. Esc out until it exits the logout menu.

  • Forwarded events log empty

    Hi all,
    I have a frustrating issue with the forwarded events log, which is still empty when I change the location of this one to the D partition rather than the default setting C: (it works fine in C:).
    Once I change the location in the properties of forwarded events to D:, a new log is created but is still empty.
    Any ideas, please, Thanks

    Hi Justin, 
    I checked the file key in the registry and I have well the new location set as value (D:\forwardedEvts.evtx)
    In the event viewer, on the forwarded events I have this message "event
    viewer cannot open the event log or custom view. verify that event log service is running or query is too long. access is denied (5)"
    Thanks,

  • [Server 2008R2] Filter event logs for logged in users from clients on domain

    Hi All,
    I am looking for a script which can be run on a domain controller to check which user accounts logged in on the domain. I am looking for both the username and client. Reason why I need this is to check where service accounts are used.
    Thanks.
    Kind regards,
    Bart
    Bart Timmermans | Consultant at inovativ

    Hi Bart,
    To parse the event log, you can refer to the cmdlet "Get-WinEvent". For how to use this cmdlet to parse the event log, please check this article; you can also add "-ComputerName" to query the event log from remote computers:
    Use PowerShell Cmdlet to Filter Event Log for Easy Parsing
    To monitor the logon history, please check this function to start:
    function Get-Win7LogonHistory {
        # Interactive (type 2) and remote interactive (type 10) logons, plus user-initiated logoffs (4647).
        $logons = Get-EventLog Security -AsBaseObject -InstanceId 4624,4647 |
            Where-Object { ($_.InstanceId -eq 4647) -or (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+2")) -or (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+10")) }
        # Event 41 in the System log is treated as a crash / unexpected power-off.
        $poweroffs = Get-EventLog System -AsBaseObject -InstanceId 41
        # @() keeps the concatenation valid when a query returns a single event or none.
        $events = @($logons) + @($poweroffs) | Sort-Object TimeGenerated
        if ($events) {
            foreach($event in $events) {
                # Reset per event so a failed parse does not reuse the previous user.
                $user = $null
                # Parse logon data from the Event.
                if ($event.InstanceId -eq 4624) {
                    # A user logged on.
                    $action = 'logon'
                    $event.Message -match "Logon Type:\s+(\d+)" | Out-Null
                    $logonTypeNum = $matches[1]
                    # Determine logon type.
                    if ($logonTypeNum -eq 2) {
                        $logonType = 'console'
                    } elseif ($logonTypeNum -eq 10) {
                        $logonType = 'remote'
                    } else {
                        $logonType = 'other'
                    }
                    # Determine user.
                    if ($event.message -match "New Logon:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)") {
                        $user = $matches[1]
                    } else {
                        $index = $event.index
                        Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
                    }
                } elseif ($event.InstanceId -eq 4647) {
                    # A user logged off.
                    $action = 'logoff'
                    $logonType = $null
                    # Determine user.
                    if ($event.message -match "Subject:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)") {
                        $user = $matches[1]
                    } else {
                        $index = $event.index
                        Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
                    }
                } elseif ($event.InstanceId -eq 41) {
                    # The computer crashed.
                    $action = 'logoff'
                    $logonType = $null
                    $user = '*'
                }
                # As long as we managed to parse the Event, print output.
                if ($user) {
                    $timeStamp = Get-Date $event.TimeGenerated
                    $output = New-Object -Type PSCustomObject
                    Add-Member -MemberType NoteProperty -Name 'UserName' -Value $user -InputObject $output
                    Add-Member -MemberType NoteProperty -Name 'ComputerName' -Value $env:computername -InputObject $output
                    Add-Member -MemberType NoteProperty -Name 'Action' -Value $action -InputObject $output
                    Add-Member -MemberType NoteProperty -Name 'LogonType' -Value $logonType -InputObject $output
                    Add-Member -MemberType NoteProperty -Name 'TimeStamp' -Value $timeStamp -InputObject $output
                    Write-Output $output
                }
            }
        } else {
            Write-Host "No recent logon/logoff events."
        }
    }
    Get-Win7LogonHistory
    Refer to:
    https://github.com/pdxcat/Get-LogonHistory/blob/master/Get-LogonHistory.ps1
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang
    TechNet Community Support
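
    For the question in this thread (which accounts logged on, and from which client), an added example that is not part of the replies or of the linked script: it reads the named EventData fields of 4624 events rather than matching the message text, which is localized, and groups logons by account and source. The function names, the CORP domain and the sample events are constructed for illustration; PowerShell 3.0 or later is assumed.

```powershell
# Added example: function names and sample data are hypothetical / constructed.

function ConvertFrom-LogonEventXml {
    # Parse the XML of one 4624 event into an object built from its named EventData fields.
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            TimeCreated = $doc.Event.System.TimeCreated.GetAttribute('SystemTime')
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = [int]$data['LogonType']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }
}

function Get-LogonSourceSummary {
    # One row per (account, source, logon type), with a count and the latest timestamp.
    param(
        [Parameter(Mandatory = $true)][object[]]$Logon,
        [string]$AccountPattern = '*'
    )
    $Logon |
        # Keep the accounts of interest and drop machine accounts (names ending in $).
        Where-Object { $_.Account -like $AccountPattern -and $_.Account -notlike '*$' } |
        Group-Object Account, SourceIp, Workstation, LogonType |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Account     = $first.Account
                SourceIp    = $first.SourceIp
                Workstation = $first.Workstation
                LogonType   = $first.LogonType
                Count       = $_.Count
                # ISO 8601 UTC strings sort chronologically.
                LastSeen    = $_.Group.TimeCreated | Sort-Object | Select-Object -Last 1
            }
        }
}

# Constructed sample events (documentation IP range, made-up names) so the example runs offline.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>4624</EventID><TimeCreated SystemTime="{0}"/></System><EventData>' +
    '<Data Name="TargetUserName">{1}</Data><Data Name="TargetDomainName">CORP</Data>' +
    '<Data Name="LogonType">{2}</Data><Data Name="WorkstationName">{3}</Data>' +
    '<Data Name="IpAddress">{4}</Data></EventData></Event>'
$sample = @(
    ($template -f '2024-01-15T08:30:00Z', 'svc-backup', 3,  'APP01',      '192.0.2.21'),
    ($template -f '2024-01-15T09:10:00Z', 'svc-backup', 3,  'APP01',      '192.0.2.21'),
    ($template -f '2024-01-15T09:12:00Z', 'svc-backup', 10, 'HELPDESK07', '192.0.2.77'),
    ($template -f '2024-01-15T09:15:00Z', 'APP01$',     3,  '',           '192.0.2.21')
)

$parsed = $sample | ConvertFrom-LogonEventXml
Get-LogonSourceSummary -Logon $parsed -AccountPattern 'CORP\svc-*' | Format-Table -AutoSize

# On a domain controller (elevated session), feed real events instead of $sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
```

    In the summary, a service account that shows logon type 10 or an unexpected source address is the row to follow up on.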

  • Remote Control and Remote View Problem

    Hi,
    I work at a High School running Netware 6.0 SP5 and ZENworks 4.01 ir7.
    Remote Control and Remote View works great but I noticed one problem.
    We have a logo of the school that is forced down on to the desktop when a
    user logs in through group policies. This logo works perfect for the
    desktop wall paper and loads every time a user logs in.
    When I Remote Control or Remote View a computer the user's desktop wall
    paper turns from the logo being forced down through group policies to the
    desktop to a blue desktop wall paper.
    I would prefer the desktop wall paper staying the school's logo when I
    Remote Control or Remote View because if the desktop wall paper changes to
    the blue color I mentioned above when I Remote Control or Remote View the
    user's computer, they will know that someone is taking over their computer
    which sometimes we don't want them knowing.
    We have Windows 98SE computer running Novell Client 3.4 and we have some
    computers running Windows XP Professional SP1 and Windows XP Professional
    SP2 both running Novell Client 4.91 SP2.
    The Remote Control and Remote View problem of the desktop wall paper
    changing on the users computer occurs on all operating systems mentioned
    above.
    Is there a solution to my above problem? When Remote Controlling and
    Remote Viewing someone's computer I don't want the desktop wall paper to
    change.
    Thanks!


  • N8 as remote control and live remote viewer for wi...

    I am going to buy a wifi camera. I would like to use my N8 as a remote control and live remote viewer.
    Is there any software for N8 Belle ?

    You need to contact the camera manufacturer and ask them if they are releasing an app for the N8 for that purpose. 

  • Creating a Custom Event Log View Shortcut on a server desktop for an admin

    Good morning,
    We have a new admin starting and I would like to create a custom event log view shortcut on their desktop for each server they need to check. Is there a way to do this in Server 2012 and Server 2008?
     I have figured out how to create a shortcut of the Application and System log, but not Custom Views. Thanks.

    Hi,
    Based on my research, you can create a custom view like
    this. However, I tried multiple ways to create a shortcut of the custom view of the event viewer with no result. I can only create a shortcut of the event viewer. You may need a script that can achieve that.
    Best regards,
    Susie

  • Essential event viewer bugs with "Forwarded Events" log in Windows Server 2008 R2 and Windows 7

    To my general experience, Windows event viewer is one of the most problematic, faulty management tools in the case of extensive use of its more sophisticated capabilities. The sole description as well as reproduction of some entangled failures would require
    remarkable effort.
    With the "Forwarded Events" log however, the situation becomes particularly worse in that even simple functionality fails and workarounds are difficult to find. That’s what I’ll describe here in order to share my experience with interested users.
    For precision: I’ve extensively used event viewer on a German Windows Server 2008 R2 SP1 (Windows SBS 2011 Standard SP1). The bugs I found on that system, I could reproduce on a German Windows 7 Professional 64-Bit SP1, too.
    Problem 1: Failure of even simple event filtering
    To reproduce this problem, execute these steps on a test machine with any of the two OS mentioned above:
    (i) To prepare log contents, do either of the following:
    (a) populate some events to your local "Forwarded Events" log (most simply by subscribing events from other logs of the same machine; stop subscription if you have collected some events)
    Or
    (b) copy a non-empty log file "ForwardedEvents.evtx" from another machine (with any of the two OS mentioned above) to your test machine and open the file in event viewer.
    (ii) Navigate to your "Forwarded Events" test log and open the filtering dialog. In the "Includes/Excludes Event IDs" field, type: 1-9000. Click OK.
    (iii) Look at the results pane: Surprise, 0 Events! Do you really have no event IDs between 1 and 9000 in your test log?
    (iv) Another example, if you have forwarded security events in your test log: Clear filter, if any previous filter is in place. Open the filtering dialog. In "Keywords" sub-dialog, choose "Audit Success". Click OK.
    (v) Look at the results pane: Surprise, 0 Events! Do you really have no successful security monitoring events in your test log?
    I’ll finish here. If you have a rich variety of events in your test log available, let your imagination run wild to test around. Finally include some simple manually created or modified XPath filters on the XML tab of the filtering dialog. I promise, you’ll
    find a lot of additional strange results.
    Problem 2: Cannot save manually selected events to .evtx file
    Navigate to your "Forwarded Events" test log. In the results pane, select one or more events by highlighting them by mouse clicks. In context menu, choose "Save selected events". In the "save as" dialog, choose file type *.evtx
    and save your file. Open the newly created file in event viewer. Result: Surprise, no events inside the new file!
    Have more fun with forwarded events
    Helmut

    Did you mean right-clicking Forwarded Events and selecting "Filter Current Log..."? I can filter the correct events via "Filter Current Log..." in my Lab environment.

    Hi Justin,
    yes, I mean "Filter Current Log ... " (in my German systems: "Aktuelles Protokoll filtern ... ").
    What do you mean with "my Lab environment" exactly?
    In the meantime, I performed additional tests. I copied the "ForwardedEvents.evtx" test file from Server 2008 R2 resp. Windows 7 to
    (i) German Windows 8 Pro 64-Bit RTM
    (ii) German Windows 8.1 Pro 64-Bit, up-to-date
    in order to view and filter the file there.
    Results: Same event viewer problem on Windows 8 RTM, but correct behavior on Windows 8.1!
    Best regards, Helmut

  • Create an Event log entry in Event Viewer in Windows 7, when processor exceeds a set percentage of usage

    Hi, I am trying to create an Event log entry in Event viewer in Windows 7 when the processor exceeds a set percentage of usage. I have unsuccessfully tried doing this through a Data Collection Set in the User Defined folder to monitor CPU usage
    and to trigger an Alert and log an entry when the CPU exceeds a set percentage of usage. Any suggestions, and please if possible keep them simple and easy to follow, I am not too familiar with Windows 7.


  • Control how much of an event shows in Month view

    How do you control how much of the body text of an event shows in month view? Sometimes it only shows part, and I want it to show more.

    Hi Erich,
    You can call a method of another Controller directly this way:
    sap.ui.controller("namespace.Controllername").method();
    Another, and more decoupled, option would be to use eventing and sap.ui.core.EventBus. You can find more info on this SCN thread:
    Eventing in MVC
