Event Log Replication on Cluster Server (MS Server 2003)

Please help me with EnableEventLogReplication on Server 2003. I just saw the recommendation on MS support about it:
"If the EnableEventLogReplication registry entry is set to 1, the cluster node replicates events in the event log to all other nodes in the cluster. Tools that monitor multiple servers report a single event multiple times, one time from each node."
I have a problem with the event logs replicating, and it is hard to summarize the event logs on all nodes. If I want to disable this function, I would like to know the effect of doing so. Will it stop replicating events without causing any worse problems on the server that my customer is using? Could you please advise?

As you mentioned, if you disable EnableEventLogReplication, Event Log Replication will be disabled for one or more nodes in the cluster or the entire cluster. One or more cluster nodes are down or have experienced a failure, preventing Event Log Replication from taking place.
Note: if you disable the replication at a specific node, replication of events from that node to other nodes is disabled. Other nodes that have the EnableEventLogReplication property turned on still replicate to that node. This only replicates the System, Application and Security event logs.
http://support.microsoft.com/kb/229071/en-us
http://support.microsoft.com/default.aspx?kbid=224969

Similar Messages

  • Event log is not working in Multiform server

    Hi ,
    We are trying to implement event logging in our application. We have created a separate event source for our application. When we test this on our local dev machine it works without any problem. When I try to test the same in a higher environment (QA, Pre-prod) it is not working. The QA environment is a multi form server. We are able to see the event source in the event viewer, but the logging is not happening. We have tried restarting IIS, restarting the services.
    Any suggestion or guidance will be highly appreciated.
    Thanks in Advance

    Hi GHPMS,
    >>We are trying to implement event logging in our application
    Do you mean code like the below?
        using System.Diagnostics;

        string sSource = "dotNET Sample App";
        string sLog = "Application";
        string sEvent = "Sample Event";
        // Register the event source once; creating a source needs administrative rights.
        if (!EventLog.SourceExists(sSource))
            EventLog.CreateEventSource(sSource, sLog);
        // Write an Information entry, then a Warning entry with event ID 234.
        EventLog.WriteEntry(sSource, sEvent);
        EventLog.WriteEntry(sSource, sEvent, EventLogEntryType.Warning, 234);
    Like in following screenshot
    >>We are able to see the event source in the event viewer, but the logging is not happening.
    Maybe you also need to check with the EventLog exists method before you try to create it new.
    You might need to check what account the service is running under, which may make a difference on multi form server and up since they are more stringent on account rights in those environments.
    Best regards,
    Kristin

  • Custom event log is not working in SharePoint server

    Hi ,
    We are trying to implement event logging in our application. We have created a separate event source for our application. When we test this on our local dev machine it works without any problem. When I try to test the same in a higher environment (QA, Pre-prod) it is not working. The QA environment is a multi form server. We are able to see the event source in the event viewer, but the logging is not happening. We have tried restarting IIS, restarting the services.
    Any suggestion or guidance will be highly appreciated.
    Thanks in Advance

    Logging should use the SharePoint Unified Logging Services (ULS) infrastructure.
    Logging to the Event Viewer requires ADMIN PERMISSION... which is why it works fine in DEV, and not in TEST/PROD.
    DO NOT LOG TO THE EVENT VIEWER... OR USE ANY OTHER HOME GROWN CONCOCTION... USE THE LOGGING FRAMEWORK PROVIDED BY THE PLATFORM.
    This may help: http://www.sbrickey.com/Tech/Blog/Post/Custom_Logging_in_SharePoint_2010
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • Event logs fails to start on Exchange Server 2010

    My Exchange server 2010 R2 SP1 Enterprise single server is down.  All exchange services fail to start.  It appears like the Microsoft Exchange Active Directory Topology service isn't starting which is a dependency for all other services.
    The error I get when trying to start this service is:
    Windows could not start the Microsoft Exchange Active Directory Topology on Local Computer.  For more information, review the System Event Log.  If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code
    -2147024882
    To make matters worse, the event viewer is not starting either.
    When trying to start the Windows Event Log, I get the error:
    Windows could not start the Windows Event Log service on Local Computer. Displays Error code 5
    This is running on a Windows Server 2008 R2 SP1 Standard box.
    Any assistance is appreciated.

    When trying to start the Windows Event Log, I get the error:
    Windows could not start the Windows Event Log service on Local Computer. Displays Error code 5
    Hi,
    Based on this error, this problem happens if any of the following conditions are true:
    The built-in security group EventLog does not have permissions on the folder %SystemRoot%\System32\winevt\Logs
    The Local Service account does not have default permissions on the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability
    To solve this problem, we need to restore the default permissions in the list below on %SystemRoot%\System32\winevt\logs.
    Authenticated user - List folder/read data, Read attributes, Read Extended attributes, Read permissions
    Administrators - Full control
    SYSTEM - Full control
    EventLog - Full control
    Please try the following methods:
    Method 1
    To restore the default permissions on folder %SystemRoot%\System32\winevt\logs, follow these steps.
    Right-click on %SystemRoot%\System32\winevt\logs and select Properties.
    Select the Security tab.
    Click Edit button and click the Add button in the permissions dialog box.
    In Select users, computers, or Groups dialog box ensure that under object types Built in Security Principals and the location as local computer name is selected.
    Enter the object name as "NT SERVICE\EventLog" without quotes. And click OK. This group should have full control on the folder.
    Once EventLog group is added add the rest of the groups with above mentioned permissions.
    Method 2
    Identify a Windows Server 2008 machine with default permissions.
    Click Start, and then type cmd in the Start Search box.
    In the search results list, right-click Command Prompt, and then click Run as Administrator.
    When you are prompted by User Account Control, click Continue.
    Type the command CD %SystemRoot%\SYSTEM32.
    Once the working directory is changed to %SystemRoot%\SYSTEM32 type the command icacls winevt\* /save acl /T.
    This will save a file named ACL in %SystemRoot%\SYSTEM32. Copy this file to the C: drive on the problem computer.
    On the problem computer, open command prompt with administrator privileges (refer to previous steps 1-3).
    Change the working directory to %SystemRoot%\SYSTEM32.
    Execute the command icacls winevt\ /restore acl.
    Default permissions on the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability should be:
    CREATOR OWNER - Full control
    SYSTEM - Full control
    LOCAL SERVICE - Query Value, Set Value, Create Subkey, Notify and Delete
    Administrators - Full control
    Users - Read
    To set the permission on this registry key:
    Click the Start menu, select Run and type Regedit.
    Go to the location HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability.
    From the Edit menu click Permissions.
    Add the permissions for the accounts as listed above.
    In addition, Exchange 2010 SP1 and SP2 are end of support.
    https://support.microsoft.com/en-us/lifecycle/search/default.aspx?alpha=exchange%20server%202010&Filter=FilterNO
    Best Regards.
    Lynn-Li
    TechNet Community Support

  • DFSN-Server ID 516 Flooding Event Log

    Good Day,
    Since setting up a Server 2012 server as a DFS root the Administrative Events log is getting flooded with DFSN-Server ID 516 warning events. We have multiple name spaces and we get a message for each every 15 minutes, so for our 6 name spaces that is over 500 messages a day.
    DFSN service has started performing complete refresh of metadata for namespace <DFS-Root>. This task can take time if the namespace has large number of folders and may delay namespace administration operations.
    Although I found one solution on the Russian Technet forum DFSN-Server EventID 516 this disables the entire DFSN-Server Admin log, so if there are any problems with the refresh they will not appear.
    The main cause of the problem appears to be that the 516 Events have a Warning level 3 for something that should be Information level 4. There is no reason for a warning to be issued for what is a regular update process.
    Thanks,
    James

    What bothers me is that those events mention only "started a complete refresh", but they never mention so far completing one ... weird...
    Thank you Microsoft (sarcasm).
    If you look directly at the log, you'll see this message is quickly followed by ID 517 which states it has completed the refresh.  Event 517 is an informational event, so it won't display in the default "Administrative Events" filter.
    My suggestion to Microsoft:  Change the severity on ID 516 to Informational.  I don't believe anyone would consider this routine refresh a warning-level concern!!
    yes, you are right. sorry for super late reply, but I was swamped in company move and server upgrades, new installations, new IP phone system, new IP cams, site-to-site VPN, new faster firewall for new faster Internet link, NAT config changes ... man ... a bit too much for a single person to manage sometimes ...
    anyways, I didn't see the 517 events in "Custom Views - Administrative Events" that's why I was alerted with a flood of 516 (there is 1 every 12 minutes), can't understand why MS would drop one informational event (categorized wrongly as warning) and not add the other one stating it was completed right after (because it's still informational only) ... I finally found the following 517's when I went to the tree of Apps and Services Logs - MS - Win - DFSN-Server - Admin ... it's kinda buried down there
    very annoying it still is in end of October, especially when I am troubleshooting a non-replication condition without any errors between two DFS servers (also DC roles installed) running 2012R2. Ended up removing DFS from secondary DC (VM actually) and building a new DFS dedicated VM with fixed sized disks on Hyper-V 2012 R2 server, hoping it resolves the issue when replication would just stop without error creating a huge file count (and content!) mismatch over time... a flood of meaningless events in administrative logs is not helping with troubleshooting ...
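
The 516/517 pairing described in this thread can be checked mechanically instead of by eye. The following is an added example, not part of the original posts: it flags every "refresh started" (516) event that has no "refresh completed" (517) for the same namespace. The record layout, the namespace names and the five-minute window are assumptions of this example.

```python
from datetime import datetime, timedelta

START_ID, DONE_ID = 516, 517  # "refresh started" / "refresh completed", per the thread

# Constructed sample records (timestamp, event ID, namespace); not from a real log.
SAMPLE_EVENTS = [
    ("2014-10-28 09:00:00", 516, r"\\corp.example\Public"),
    ("2014-10-28 09:00:00", 516, r"\\corp.example\Apps"),
    ("2014-10-28 09:00:04", 517, r"\\corp.example\Public"),
    ("2014-10-28 09:00:05", 517, r"\\corp.example\Apps"),
    ("2014-10-28 09:15:00", 516, r"\\corp.example\Public"),
    ("2014-10-28 09:15:00", 516, r"\\corp.example\Apps"),   # never completes
    ("2014-10-28 09:15:03", 517, r"\\corp.example\Public"),
    ("2014-10-28 09:30:00", 516, r"\\corp.example\Public"),
    ("2014-10-28 09:30:02", 517, r"\\corp.example\Public"),
]


def _parse(events):
    """Convert timestamps and return the records in chronological order."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, namespace)
        for ts, event_id, namespace in events
    )


def unfinished_refreshes(events, max_wait=timedelta(minutes=5)):
    """Return [(namespace, start_time)] for 516 events without a timely 517.

    A start is flagged when a second 516 arrives before any 517, when the 517
    arrives later than max_wait, or when the log continues for longer than
    max_wait after the start without a 517. A start near the end of the log
    is left alone because its outcome is not known yet.
    """
    rows = _parse(events)
    pending, flagged = {}, []
    for when, event_id, namespace in rows:
        if event_id == START_ID:
            if namespace in pending:            # previous refresh never finished
                flagged.append((namespace, pending[namespace]))
            pending[namespace] = when
        elif event_id == DONE_ID and namespace in pending:
            started = pending.pop(namespace)
            if when - started > max_wait:       # finished, but too late
                flagged.append((namespace, started))
    if rows:
        log_end = rows[-1][0]
        flagged.extend(
            (namespace, started)
            for namespace, started in pending.items()
            if log_end - started > max_wait
        )
    return sorted(flagged, key=lambda item: item[1])


if __name__ == "__main__":
    for namespace, started in unfinished_refreshes(SAMPLE_EVENTS):
        print(f"{namespace}: refresh started {started} has no matching 517")
```
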

  • Cannot generate Account Logon Events (Event ID 4624) in Security Event Log on Server 2008 R2 Domain Controller

    I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
    Default Domain Controllers Policy
    Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
    What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        No Auditing
      IPsec Driver                            No Auditing
      Other System Events                     No Auditing
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   No Auditing
      Logoff                                  No Auditing
      Account Lockout                         No Auditing
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     No Auditing
      Authentication Policy Change            No Auditing
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 No Auditing
      Computer Account Management             No Auditing
      Security Group Management               No Auditing
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         No Auditing
      Credential Validation                   Success

    Hi Lawrence,
    After configuring the GPO, did we run the command gpupdate /force to update the policy immediately on the domain controller? Besides, please run the command gpresult /h c:\gpreport.html to check if the audit policy setting was applied successfully.
    Best regards,
    Frank Shen
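
Event ID 4624 is written under the Logon/Logoff > Logon subcategory, while "Audit account logon events" governs the Account Logon category, so the posted auditpol output can be checked directly against the event being expected. The following added example (not part of the original thread) parses that output and reports whether a given event ID can be logged; the function names and the event-ID table are this example's own.

```python
import re

# Audit subcategory that has to be enabled before each event ID is written.
# Standard Windows mapping, limited to the logon-related IDs relevant here.
EVENT_SOURCE = {
    4624: ("Logon/Logoff", "Logon"),
    4634: ("Logon/Logoff", "Logoff"),
    4768: ("Account Logon", "Kerberos Authentication Service"),
    4769: ("Account Logon", "Kerberos Service Ticket Operations"),
    4776: ("Account Logon", "Credential Validation"),
}

# A subcategory row is "<name><2+ spaces><setting>"; category rows have no setting.
_ROW = re.compile(
    r"^\s*(?P<name>.+?)\s{2,}"
    r"(?P<setting>Success and Failure|Success|Failure|No Auditing)\s*$"
)
_SKIP = ("System audit policy", "Category/Subcategory")

# Excerpt of the auditpol output posted in the thread above.
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Special Logon                           No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   Success
"""


def parse_auditpol(text):
    """Return {(category, subcategory): setting} from 'auditpol /get /category:*'."""
    policy, category = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(_SKIP):
            continue
        row = _ROW.match(line)
        if row and category is not None:
            policy[(category, row["name"])] = row["setting"]
        else:
            category = stripped  # a line without a setting starts a new category
    return policy


def covers(setting, outcome):
    """True if an effective setting audits the given outcome (Success/Failure)."""
    return setting == "Success and Failure" or setting == outcome


def check_event(policy, event_id, outcome="Success"):
    """Report whether event_id can be written under the parsed policy."""
    category, subcategory = EVENT_SOURCE[event_id]
    setting = policy.get((category, subcategory), "No Auditing")
    logged = covers(setting, outcome)
    fix = None
    if not logged:
        fix = f'auditpol /set /subcategory:"{subcategory}" /{outcome.lower()}:enable'
    return {
        "event_id": event_id,
        "category": category,
        "subcategory": subcategory,
        "setting": setting,
        "logged": logged,
        "fix": fix,
    }


if __name__ == "__main__":
    parsed = parse_auditpol(SAMPLE)
    for eid in (4624, 4776):
        print(check_event(parsed, eid))
```
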

  • Microsoft sql server extended event log file

    Dears
    Sorry for my below questions if it is very beginner level.
    In my implementation I have cluster SQL 2012 on Windows 2012; I am using MountPoints since I have many Clustered Disks.
    My MountPoint Size is only 3 GB; My Extended event log are growing fast and it is storing in the MountPoint Drive directly (Path: F:\MSSQL11.MSSQLSERVER\MSSQL\Log).
    What is the best practice to work with it? (is it to keep all Extended events? or recirculate? or to shrink? or to store in DB?)
    Is there any relation between SQL truncate and limiting the size of Extended event logs?
    How can I recirculate this Extended Events?
    How can I change the default path?
    How can I stop it?
    and in case I stop it, does this means to stop storing SQL event in Windows event Viewer?
    Thank you

    After a lot of checking, I have found below:
    My Case:
    I am having SQL Failover Cluster Instances "FCI" and I am using Mount-Points to store my Instances.
    I am having 2 Passive Copies for each FCI.
    In my configuration I choose to store the Root Instance which include the logs on Mount-Point.
    My Mount Point is 2 GB Only, which became full after few days of deployment.
    Light Technical Information:
    The Extended Event Log files are generated coz I have FCI; in a single SQL installation you will not find these files.
    The file maximum size will be 100 MB.
    The files start circulating after there are 10 full files.
    If you have the FCI installed as 1 Active 2 Passive, and you are doing failover between the nodes, then you can expect to see around 14 - 30 copies of this file.
    Based on above information you will need to have around 100 MB * 10 Files Per Instance copy * 3 Since in my case I have 1 Active and 2 passive instances which will = 3000 MB
    So in my case My Mount-Point was 2 GB, which become full coz of this SQLDIAG Logs.
    Solution:
    I extended my mount point by 3 GB coz I am storing this logs on it.
    In case you need to change the SQLDIAG Extended Logs size to 50 MB, for example, and the location to F:\Logs, you will need the commands below:
        -- Stop diagnostic logging before changing its settings.
        ALTER SERVER CONFIGURATION SET DIAGNOSTICS LOG OFF;
        ALTER SERVER CONFIGURATION SET DIAGNOSTICS LOG MAX_SIZE = 50 MB;
        ALTER SERVER CONFIGURATION SET DIAGNOSTICS LOG PATH = 'F:\logs';
        -- Turn diagnostic logging back on with the new size and path.
        ALTER SERVER CONFIGURATION SET DIAGNOSTICS LOG ON;
    After that you will need to restart the FCI from SQL Server Configuration Manager or Failover Cluster Manager.
    I wish you will find this information helpful if it is your case.
    Regards

  • How to write to windows event logs from determinations-server under IIS

    This is just an FYI technical bit of information I wish someone had shared with me before I started trying to write OPA errors to the windows event log... Most problems writing to the windows event log from log4net occur because of permissions. Some problems are because determinations-server does not have permissions to create some registry entries. Some problems cannot be resolved unless specific registry entry permissions are actually changed. We had very little consistency with the needed changes across our servers, but some combination of the following would always get the logging to the windows event log working.
    To see log4net errors as log4net attempts to utilize the windows event log, temporarily add the following to the web.config:
        <appSettings>
          <!-- uncomment the following line to send diagnostic messages about the log configuration file to the debug trace.
               Debug trace can be seen when attached to IIS in a debugger, or it can be redirected to a file, see
               http://logging.apache.org/log4net/release/faq.html in the section "How do I enable log4net internal debugging?" -->
          <add key="log4net.Internal.Debug" value="true"/>
        </appSettings>
        <system.diagnostics>
          <trace autoflush="true">
            <listeners>
              <add
                name="textWriterTraceListener"
                type="System.Diagnostics.TextWriterTraceListener"
                initializeData="logs/InfoDSLog.txt" />
            </listeners>
          </trace>
        </system.diagnostics>
    To add an appender for the windows event viewer, try the following in the log4net.xml:
        <appender name="EventLogAppender" type="log4net.Appender.EventLogAppender" >
          <param name="ApplicationName" value="OPA" />
          <param name="LogName" value="OPA" />
          <param name="Threshold" value="all" />
          <layout type="log4net.Layout.PatternLayout">
            <conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
          </layout>
          <filter type="log4net.Filter.LevelRangeFilter">
            <levelMin value="WARN" />
            <levelMax value="FATAL" />
          </filter>
        </appender>
        <root>
          <level value="warn"/>
          <appender-ref ref="EventLogAppender"/>
        </root>
    To put the OPA logs under the Application Event Log group, try this:
    Create an event source under the Application event log in Registry Editor. To do this, follow these steps:
    1.     Click Start, and then click Run.
    2.     In the Open text box, type regedit.
    3.     Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
    4.     Right-click the Application subkey, point to New, and then click Key.
    5.     Type OPA for the key name.
    6.     Close Registry Editor.
    To put the OPA logs under a custom OPA Event Log group (as in the demo appender above), try this:
    Create an event log in Registry Editor. To do this, follow these steps:
    1.     Click Start, and then click Run.
    2.     In the Open text box, type regedit.
    3.     Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    4.     Right-click the eventlog subkey, point to New, and then click Key.
    5.     Type OPA for the key name.
    6.     Right-click the new OPA key and add a new DWORD called "MaxSize" and set it to "1400000" which is about 20 Meg in order to keep the log file from getting too large.
    7.     The next steps either help or sometimes cause an error, but you can try these next few steps... If you get an error about a source already existing, then you can delete the key.
    8.     Right-click the OPA subkey, point to New, and then click Key.
    9.     Type OPA for the key name.
    10.     Close Registry Editor.
    You might need to change permissions so OPA can write to the event log in Registry Editor.  If you get permission errors, try following these steps:
    1.     Click Start, and then click Run.
    2.     In the Open text box, type regedit.
    3.     Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    4.     Right-click the EventLog key, select Permissions.
    5.     In the dialog that pops up, click Add...
    6.     Click Advanced...
    7.     Click Locations... and select the current machine by name.
    8.     Click Find Now
    9.     Select both the Network user and IIS_IUSERS user and click OK and OK again. (We never did figure out which of those two users was the one that fixed our permission problem.)
    10.     Change the Network user to have Full Control
    11.     Click Apply and OK
    To verify OPA Logging to the windows event logs from Determinations-Server:
    Go to the IIS determinations-server application within Server Manager.
    Under Manage Application -> Browse Application click the http link to pull up the local "Available Services" web page that show the wsdl endpoints.
    Select the /determinations-server/server/soap.asmx?wsdl link
    Go to the URL and remove the "?wsdl" from the end of the url and refresh. This will throw the following error into the logs:
    ERROR Oracle.Determinations.Server.DSServlet [(null)] - Invalid get request: /determinations-server/server/soap.asmx
    That error should show up in the windows event log, OR you can get a message explaining why security stopped you in "logs/InfoDSLog.txt" if you used the web.config settings from above.
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa363648(v=vs.85).aspx
    Edited by: Paul Fowler on Feb 21, 2013 9:45 AM

    Thanks for sharing this information Paul.

  • Windows update KB2964444 broke Event Logging Service and SQL Agent Service on Windows Server 2008 R2

    I got the following problem:
    I discovered that on my Windows Server 2008R2 machine the event logging stopped working on 04/May/2014 at 03:15.
    Also, SQL Agent Service won't run.
    The only change that day was security update KB2964444 - Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems, that was installed exactly 04/May/2014 at 03:00. Apparently, that's what broke my machine...
    When I try to start Windows Event Log via net start eventlog or via Services panel, I get an error:
    C:\Users\Administrator>net start eventlog
    The Windows Event Log service is starting.
    The Windows Event Log service could not be started.
    A system error has occurred.
    System error 2 has occurred.
    The system cannot find the file specified.
    I tried:
    restarted the OS (virtual on the host's VMWare).
    re-checked the settings in services menu - they are like in the link.
    checked the identity in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog - the identity is NT AUTHORITY\LocalService
    gave all Authenticated Users full access to C:\Windows\System32\winevt\Logs
    ran sfc /scannow - Windows Resource Protection did not find any integrity violations.
    went to the file %windir%\logs\cbs\cbs.log - all clean, [SR] Repairing 0 components
    EDIT: Uninstalled the recent system updates and rebooted - didn't help
    EDIT: Sysinternals Process Monitor results when running start service from services panel (procmon in elevated mode):
    filters:
    process name is svchost.exe : include
    operation contains TCP : exclude
    the events captured are:
    21:50:33.8105780 svchost.exe 772 Thread Create SUCCESS Thread ID: 6088
    21:50:33.8108848 svchost.exe 772 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
    21:50:33.8109134 svchost.exe 772 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8109302 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services REPARSE Desired Access: Read
    21:50:33.8109497 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
    21:50:33.8110051 svchost.exe 772 RegCloseKey HKLM SUCCESS
    21:50:33.8110423 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8110705 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
    21:50:33.8110923 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8111257 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS Desired Access: Read
    21:50:33.8111547 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services SUCCESS
    21:50:33.8111752 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS
    21:50:33.8111901 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    21:50:33.8112148 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS
    21:50:33.8116552 svchost.exe 772 Thread Exit SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
    NOTE: previously, for
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also got NAME NOT FOUND error, so I created the new string value for the Parameters with the name ServiceDll and data %SystemRoot%\System32\wevtsvc.dll (copied from the upper HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key) and this event now is
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also checked for the presence of wevtsvc.dll in the place and it's there.
    Also, I tried to capture all events with path containing 'event' and got following events firing every several seconds:
    21:38:38.9185226 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Tag NAME NOT FOUND Length: 16
    21:38:38.9185513 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup NAME NOT FOUND Length: 268
    21:38:38.9185938 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Group NAME NOT FOUND Length: 268
    Also, I tried to capture all the events containing 'file', excluding w3wp.exe, chrome.exe, wmiprvse.exe, wmtoolsd.exe, System and it shows NO attempts to access any file in the time I try to start the event logger (if run from cmd - there are several hits by net executable, not present if run from the panel).
    What can be done?

    Hi,
    I didn't find a similar issue. If you have IE 11, please try to update the system automatically or install the MS14-029 update.
    The related KB:
    MS14-029: Security update for Internet Explorer 11 for systems that do not have update 2919355 (for Windows 8.1 or Windows Server 2012 R2) or update 2929437 (for Windows 7 SP1 or Windows Server 2008 R2 SP1) installed: May 13, 2014
    http://support.microsoft.com/kb/2961851/en-us
    Hope this helps.

  • To create event log server

    Hi,
    I want to create a event log server at my data center, I mean, I want to collect the event logs from all my servers and manage the logs centrally, please guide me the steps for this.
    Swaprakash..

    If your Enterprise uses SCOM for monitoring, you can easily
    configure and deploy Audit Collection Reporting (ACS) to pull events from servers based on specific criteria.
    You can also manually configure event forwarding/subscriptions.  Here's a
    link on how.
    Only when the above two options are impossible will I start to look at a scripting solution, using
    Get-Eventlog or
    Get-WinEvent cmdlets.

  • Operations Manager Failed to Access the Windows Event Log and management server is showing warning state

    Hi,
    I am monitoring an AD server from SCOM 2012 R2. My management server goes into warning state. When I run Health Explorer it comes back to the healthy state, but after some time it goes into warning state again. After looking at the alerts I found that one alert keeps coming again and again, i.e. Operations Manager Failed to Access the Windows Event Log. The description of the alert is mentioned below.
    The Windows Event Log Provider is still unable to open the DhcpAdminEvents event log on computer 'nc2vws12ad5.corp.nathcorp.com'.
    The Provider has been unable to open the DhcpAdminEvents event log for 64080 seconds.
    Most recent error details: The RPC server is unavailable.
    Please suggest how to resolve this so that my management server will come back to a healthy state.
    Thanks
    Abhishek

    Hi Abhishek,
    As I mentioned earlier, the alert resolution makes the same points.
    Can you give details on the below?
    Is there really a log named "Dhcpadminevents" in the MS's Event Viewer?
    Did you recently configure any new alert where you mentioned "Dhcpadminevents" as an event log location?
    If yes, then what is the target you selected for the rule/monitor there?
    Can you post the results for analysis?
    Gautam.75801

  • Errors in event log of Secondary DPM server protecting replicas on Primary

    Hello again
    I have two DPM servers, one situated on-site (primary) and one situated off-site (secondary). Protection jobs seem to be running correctly on both servers in that the jobs complete and I am able to restore data from the backups. I use the primary server
    to make the initial backups of critical systems and data (Exchange MDB's etc) and the secondary server to backup those replicas off-site in case of primary site loss or DPM system loss.
    The primary server is a physical server and the secondary server is a virtual server. Both DPM servers have their DPM databases stored on one physical SQL server that is in the primary site.
    Basically what is happening is that every day our virtual machines are snapshotted (secondary DPM server included) and every day the snapshot of the secondary DPM server fails. I see the following two entries in the event log of the secondary server.
    Error 1:
    WARNING
    Source: MSDPM
    Event ID: 955
    The description for Event ID 955 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    The consistency check resulted in the following changes to SQL Server Agent schedules: Schedules added: 2 Schedules removed: 2 Schedules updated: 0.  
    Problem Details:
    <ConsistencyCheck><__System><ID>26</ID><Seq>27861</Seq><TimeCreated>22/05/2014 23:01:31</TimeCreated><Source>SchedulerImpl.cs</Source><Line>719</Line><HasError>True</HasError></__System><Tags><JobSchedule /></Tags></ConsistencyCheck>
    the message resource is present but the message is not found in the string/message table
    Error 2
    ERROR
    Source: MSDPM
    Event ID: 4212
    The description for Event ID 4212 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    DpmWriter service encountered an error during PrepareBackup as more than one component is selected for backup in the same snapshot set.  Select a single DPM replica for backup and try the operation again.
    Problem Details:
    <DpmWriterEvent><__System><ID>30</ID><Seq>7</Seq><TimeCreated>23/05/2014 00:30:45</TimeCreated><Source>d:\btvsts\21011\private\product\tapebackup\dpswriter\vssfunctionality.cpp</Source><Line>438</Line><HasError>True</HasError></__System><DetailedCode>4212</DetailedCode></DpmWriterEvent>
    the message resource is present but the message is not found in the string/message table
    These two events are followed by another event from VMWare Tools every day.
    Error 3:
    WARNING
    Source: VMWare Tools
    Event ID: 1000
    [ warning] [vmvss:vmvss] CVmSnapshotRequestor::CheckWriterStatus():1536: writer DPM Writer in failed state: res = 0x800423f4, err = 0x1, error =
    Has anyone come across this before? Currently I am not quite sure what is going wrong and whether it is actually related to snapshots failing, but I want to try to fix these errors first and see what happens.
    Regards

    You are using VMware for virtualization?
    Are you trying to do an online backup of the VM? I think that will not work.
    One thing I wonder: you have installed the second DPM in case site one fails or goes down, but SQL for DPM2 is in site one? Try to move SQL to an external site for DPM 2.
    Seidl Michael | http://www.techguy.at | twitter.com/techguyat | facebook.com/techguyat

  • KB fix for print document name in event logs on Server 2012 and Server 2012R2

    It appears as though the requested corrections to the documentation were never honored.
    Note After you apply the hotfix or update, you can show the printed document name in the event by enabling a specific Group Policy.
    The policy name:
    Computer Configuration \ Administrative Templates \ Printers
    Allow job name in event logs 
    The Windows 8 / Server 2012 fix is:
    Event ID 307 does not show the printed document name in Windows
    http://support.microsoft.com/kb/2938013/en-us
    2012R2 is in the April Roll up.
    Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 Update: April 2014
    http://support.microsoft.com/kb/2919355/en-us
    Alan Morris Windows Printing Team

    In my simple test, I see that the Group-Policy does exist on 2012R2 but not for 2012.
    I isolated the registry changes so I can update a 2012 only system... that text is below.
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Printers]
    "ShowJobTitleInEventLogs"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers]
    "ShowJobTitleInEventLogs"=dword:00000001
    I hope this helps others out since it took some time to narrow this down. Thank you.

  • Print document's name in Event Log ID #307 on Server 2012

    Creating a new printer server using Windows Server 2012.  Everything is working out fine so far, however I just ran into one problem that didn't happen in our Server 2008R2 print server.
    When looking at print jobs that have completed under:  event logs --> Microsoft --> Windows --> PrintService --Operational, I have noticed that Event ID 307 is not displaying the printed document's name in Server 2012 (it did for Server 2008R2). 
    In Server 2012, the document name simply displays as "Print Document" instead of displaying the document's name.
    Anyone have any ideas on how to get the document's name to properly display in the event logs?
    Thanks for any help.

    Hi Alan,
    I have configured a Server 2012 R2 standard as print server to manage printers and Monitor the print usage of users, however I am not getting the Print logs (Event Log ID 307) in the default event logs directory on the print Server.
    I did some searching and came to know that it's a known problem in Server 2012 and that there is a hotfix available. I installed the hotfix mentioned here,
    http://support2.microsoft.com/kb/2938013/en-us , but logs are still not getting generated.
    I also made the below setting for the logs.
    Creating Registry entry
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Printers]
    "ShowJobTitleInEventLogs"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers]
    "ShowJobTitleInEventLogs"=dword:00000001
    The policy name: Computer Configuration \ Administrative Templates \ Printers
    Allow job name in event logs
    Keep printed Docs setting is also enabled on all the printers installed on Print Server.
    Nothing seems to be working here, or am I doing something wrong here?
    Regards
    Mukesh
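
    A check for the settings discussed in the two print-logging threads above, as an added example that is not part of the original posts: it reads the ShowJobTitleInEventLogs value under both registry keys quoted there, confirms the PrintService Operational log is enabled, and lists the latest Event ID 307 records. It assumes it is run on the print server in an elevated PowerShell session.

    ```powershell
    # Added example. Registry paths, value name and log location are the ones quoted in the threads.
    $PolicyPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers',
                   'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Printers'
    $ValueName = 'ShowJobTitleInEventLogs'
    $LogName   = 'Microsoft-Windows-PrintService/Operational'

    # 1. Is the policy value present under both keys, and is it 1?
    $policy = foreach ($path in $PolicyPaths) {
        $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path  = $path
            Value = if ($item) { $item.$ValueName } else { '<not set>' }
        }
    }
    $policy | Format-Table -AutoSize

    # 2. Event ID 307 is only written while the Operational log is enabled.
    $log = Get-WinEvent -ListLog $LogName
    '{0}: IsEnabled={1}, RecordCount={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount

    # 3. Show the latest print events. A job name of "Print Document" in the
    #    message means the document title is still being withheld.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 307 } -MaxEvents 5 -ErrorAction Stop |
            Format-List TimeCreated, Message
    }
    catch {
        # Get-WinEvent reports "no matching events" as an error.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            'No Event ID 307 records found in {0}.' -f $LogName
        }
        else { throw }
    }
    ```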

  • SQL Server monitoring error event log 4001

    hello Experts ,
    We have a SCOM 2012 R2 environment. I have installed SQL Server MPs 6.5.0.1 and installed the SCOM agent on some of the SQL Servers. Monitoring is working properly for some of the SQL Servers but not all; for some of them I am getting an error in the event log:
    Event :4001
    Management Group: SCOMMgtGroup. Script: Main Module: CPUUsagePercentDataSource.ps1 : 
    Computer Name = 'MHSSCOM01.memnet.org' WMI = 'ComputerManagement11' Service Name = 'MSSQLSERVER' SQL Instance Name = 'MSSQLSERVER'
    Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."Error occured during CPU Usage for SQL Instances data source executing.
    Computer:MHSSCOM01 
    Reason: Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."
    I am also not getting database information within the SQL Server instances for these SQL Servers within "Instances Summary".
    For resolution, I have created a Run As account (Windows) for SQL monitoring, then associated it with the Run As profiles SQL Server Default Account, Discovery Account and Monitoring Account, and distributed it securely to each SQL Server health service object. The Run As account has been added to the local admin group on each SQL Server.
    How do I resolve the event log error, and how do I get database information for all instances of SQL Server?
    Thanks
    RICHA

    Hi,
    It seems that the action account that runs the script does not have enough permissions on the monitored SQL server. I would like to suggest you follow the link below to check your Run As account configuration:
    http://blogs.technet.com/b/kevinholman/archive/2010/09/08/configuring-run-as-accounts-and-profiles-in-r2-a-sql-management-pack-example.aspx
    And make sure the action account also has SQL admin account to the SQL server.
    Here is also a link that may be helpful for you:
    http://blogs.technet.com/b/momteam/archive/2014/05/12/kb-event-4001-in-the-operations-manager-log-during-sql-server-2012-monitoring.aspx
    Regards,
    Yan Li
