How to download IDS Event Viewer 4.1?

Dear Sir,
I have an IDS 4215. I can now access IDM with IE6, but I don't know how to download IDS Event Viewer.
Can you help me,
Thanks very much
NhuongPham

The addition of IEV and the IEV signature updates made the sensor updates too large (sometimes doubling the size of the updates).
We have several customers that are monitoring sensors on a global network.
Many of the sensors are connected through low bandwidth connections.
The large updates were causing delays in getting signature updates loaded on these remote sensors.
It became a priority to reduce the size of the updates needing to be pushed to the remote sensors.
These customers are generally using Security Monitor rather than IEV because of the large number of sensors being managed.
So the customers who were not using IEV were having problems because of the additional IEV files having to be pushed to their sensors when they would never use these IEV files.
So it was decided to remove the IEV updates from the sensor updates and separately post these on CCO.
IEV customers were already having to make 2 downloads: the sensor update download from CCO, and the IEV download from the sensor.
So now both downloads are just made from CCO.

Similar Messages

  • IDS Event viewer error

    Hi All
    Please help me out with this. I am getting the attached IDS Event Viewer error while trying to install it. Please let me know the probable causes and how to rectify the same.
    Regards
    Ankur

    At what stage of installation are you seeing this error?
    It appears that a SSL certificate has expired, or an applet has a digital signature based on a certificate that has recently expired.
    If you can provide recreation steps then we can figure out what certificate is expiring, and determine the next steps in resolving your issue.
    Without knowing anything else, my best guess at this point is that the SSL certificate on your sensor has expired. If the sensor has been deployed in your network for over a year, then this just could be the standard expiration of the SSL certificate on your sensor. Try connecting from a web browser directly to your sensor. When your web browser connects, it should warn you if the sensor certificate is expired. If this is the case, then ssh or telnet to the sensor and execute "tls generate-key" to enforce the creation of a new SSL certificate for your sensor.
    If the error is not from an expired SSL certificate, then it is from other certificate or digital signature and we will need to try and recreate in our lab.
    Once you provide us with re-create steps, then there is something you might try for a short term solution as we try to re-create.
    You might try setting the date/time on your PC to a few days ago. The certificate appears to have expired on April 23rd so setting it back to April 20th may make the error go away. I am not positive this will work, but may be worth a shot if you need access immediately and can't wait a day or 2 as analysis is done. This is not a permanent solution and would just be a temporary workaround as we try to analyze what certificate is expiring.

  • How to save all event viewer log files in Windows 7 Professional

    Hello,
    I would like to save all Event Viewer logs from my Windows 7 Professional computer and be able to view them from another computer.  Currently I can only save one log at a time.  Please let me know how I can save all Event Viewer logs
    (Windows Logs, Applications and Service Logs, etc.).
    Thanks,
    Jason

    Hi Jason,
    There is no idea to save all categories log.
    It's recommended that you ask in the Official Scripting Guys forum for further help:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=ITCG
    Besides that, you could refer to this thread:
    http://social.technet.microsoft.com/Forums/en-US/d66c1bd7-0e61-4839-a5f6-cbe29661dccb/how-to-use-script-saving-log-from-event-viewer-into-csv-file?forum=ITCG
    Karen Hu
    TechNet Community Support
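
One way to script the export asked about in this thread, as an added example that is not part of the original posts: it lists every channel with `wevtutil el`, exports each to `.evtx` with `wevtutil epl`, and writes a SHA-256 manifest so the copies can be checked on the other computer. The output folder and file naming are assumptions chosen for illustration, and the script is written to run on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: export every event log channel to .evtx files.
# Run from an elevated prompt; the Security log and some service channels
# cannot be read without administrator rights.
# $dest is an illustrative output location (assumption), not a required path.
$dest = Join-Path $env:USERPROFILE ("EventLogs_{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$sha256 = [System.Security.Cryptography.SHA256]::Create()

$report = foreach ($log in (wevtutil.exe el)) {
    # Channel names such as "Microsoft-Windows-Dhcpv6-Client/Admin" contain
    # characters that are not valid in file names, so replace them.
    $file = Join-Path $dest (($log -replace '[\\/:*?"<>|]', '_') + '.evtx')

    # epl = export-log. Some channels (for example enabled analytic/debug logs)
    # refuse to export; record the failure instead of stopping.
    wevtutil.exe epl $log $file 2>$null
    $ok = ($LASTEXITCODE -eq 0) -and (Test-Path -LiteralPath $file)

    $hash = $null
    if ($ok) {
        $stream = [System.IO.File]::OpenRead($file)
        try {
            $hash = [System.BitConverter]::ToString($sha256.ComputeHash($stream)) -replace '-', ''
        }
        finally {
            $stream.Dispose()
        }
    }

    New-Object PSObject -Property @{
        Log      = $log
        File     = $file
        Exported = $ok
        SHA256   = $hash
    }
}

# Manifest of what was exported, with hashes for later integrity checks.
$report | Select-Object Log, Exported, SHA256, File |
    Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation

# Channels that could not be exported and need a manual look.
$report | Where-Object { -not $_.Exported } | Select-Object -ExpandProperty Log
```

The `.evtx` files open in Event Viewer on another machine through "Open Saved Log". Running `wevtutil al <file>` on an export before copying it stores the locale-specific message text alongside the file, which helps when the viewing computer does not have the same providers installed.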

  • Ids event viewer alarm

    I've many alarms with more than one signature with destination ip address 0.0.0.0 source and destination port 0
    how can I intend these messages?

    Begin by defining an exclusive filter. Specify the source address, which is the network that is generating large numbers of false positives. Specify all signatures so that no alarms are sent to Security Monitor. Next, define an inclusive filter. Specify the same source address but specify Signatures which are the ones that you want to include.

  • Event Viewer errors and warnings

    How do I clear Event Viewer errors and warnings?

    This one may help.
    http://technet.microsoft.com/en-us/library/cc722318.aspx
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • CiscoWorks VMS Event Viewer usage compared with MARS

    I've been using VMS Security Monitor Event Viewer to monitor IPS sensors for the past few years. I'm used to the workflow of reviewing events in Event Viewer and then resolving them and sometimes removing them from the grid.
    I'm beginning to use MARS and I'd like to know what the equivalent of resolving and removing from grid in MARS is or is this something you don't do in MARS and you work differently with the events in MARS?
    Thanks in advance

    The actual replacement for the IDS Event Viewer is the IPS Manager Express (IME) and not MARS. If you are looking for real-time monitoring and filtering of events for up to 5 sensors, then IME is the way to go. MARS is more of a SIM/SEM tool that collects logs from 'various' devices and 'correlates' those events into meaningful 'incidents'. It does the same for IPS devices. But you won't see 'every' event in the MARS Incidents page (as every event is not an incident). You have to run a query for that (Historical or real-time).
    Regards
    Farrukh

  • Multiple Event Viewer Error Ids, Corrupt Catalogs, System not working right. Please help.

    Since I could not find a list of the Event Ids that was accurate at all or not too general as to be useless and Microsoft won't let us know how to fix these ourselves without having a programming degree, I am begging for help from anyone who can help me get my computer working right again. I have some important things to get done which I can't do without my computer working. I have tried to get what I could get but I am blocked from many files which makes it difficult to get info. Please help. I appreciate any help I can get. Thank you,
    WhiteFox42
    I am not sure which one is more important.
    Event id 20
    Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 for x64-based Systems
    (KB2468871).
    Event id 11
    Possible Memory Leak.  Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 476) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)].  [allocate(all_nodes)] parameters are always
    reallocated; if the original pointer contained the address of valid memory, that memory will be leaked.  The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (20).  User Action: Contact your application
    vendor for an updated version of the application.
    Event id 455
    taskhost (1348) WebCacheLocal: Error -1811 (0xfffff8ed) occurred while opening logfile R:\User\App Data\Roaming\Microsoft\Templates\Local\Microsoft\Windows\WebCache\V01.log.
    Event Xml:
    Event id 505
    wuaueng.dll (1012) SUS20ClientDataStore: An attempt to open the compressed file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" for read / write access failed because it could not be converted to a normal file.  The open file operation
    will fail with error -4005 (0xfffff05b).  To prevent this error in the future you can manually decompress the file and change the compression state of the containing folder to uncompressed.  Writing to this file when it is compressed is not supported.
    Event id 513
    Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object
    Event id 1000
    Faulting application name: IEXPLORE.EXE, version: 11.0.9600.16428, time stamp: 0x525b664c
    Faulting module name: IEFRAME.dll, version: 11.0.9600.16476, time stamp: 0x52944cf2
    Exception code: 0xc0000005
    Fault offset: 0x00025f1d
    Faulting process id: 0x1854
    Faulting application start time: 0x01cf0735f0e5f0c7
    Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Faulting module path: C:\Windows\system32\IEFRAME.dll
    Report Id: e3dc1e9a-733f-11e3-b920-00215a2af202
    Event id 1000
    Faulting application name: msiexec.exe, version: 5.0.7601.17514, time stamp: 0x4ce79d93
    Faulting module name: msvcrt.dll, version: 7.0.7601.17744, time stamp: 0x4eeb033f
    Exception code: 0xc0000005
    Fault offset: 0x00000000000035e1
    Faulting process id: 0x1030
    Faulting application start time: 0x01cf01b77867a358
    Faulting application path: C:\Windows\system32\msiexec.exe
    Faulting module path: C:\Windows\system32\msvcrt.dll
    Report Id: f7253b17-6daa-11e3-b944-00215a2af202
    Event id 1002
    Computer:      w7mar-64  "I don't know why it has computer as this when it should not be."
    Description:
    The IP address lease 192.168.200.195 for the Network Card with network address 0x08002742F261 has been denied by the DHCP server 192.168.200.1 (The DHCP Server sent a DHCPNACK message).
    Event id 1008
    The Windows Search Service is starting up and attempting to remove the old search index {Reason: Index Corruption}.
    Event id 1008
    User:          LOCAL SERVICE
    Computer:      w7mar-64
    Description:
    An error occurred in initializing the interface. The error code is: 0x2.
    Event id 1014
    User:          NETWORK SERVICE
    Computer:    
    Description:
    Name resolution for the name wpad.westell.com timed out after none of the configured DNS servers responded.
    Event id 1015
    User:          N/A
    Computer:      w7mar-64
    Description:
    Event ID 1013 for the Windows Search Service has been suppressed 7 time(s) since 12:04:10 PM. This event is used to suppress Windows Search Service events that have occurred frequently within a short period of time.  See Event ID 1013 for further details
    on this event.
    Event id 1015
    Failed to connect to server. Error: 0x8007043C
    Event id 1018
    The description for Event ID 1018 from source EvntAgnt cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    Event id 1020
    Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.
    Event id 1028
    Windows Installer has determined that its configuration data cache folder was not secured properly. The owner of the key must be either Local System or Builtin\Administrators. The existing folder will be deleted and re-created with the appropriate security
    settings.
    Event id 1101
    .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to compile: System.Web.Entity.Design, Version=3.5.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil . Error code = 0x80010108
    Event id 1500
    The description for Event ID 1500 from source SNMP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    Event id 1530
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 
    Event id 1530
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  
     DETAIL -
     6 user registry handles leaked from \Registry\User\S-1-5-21-2959539970-205720217-4182857889-1000:
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Microsoft\Internet Explorer\Main
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Policies
    Event id 3028
    Context: Windows Application, SystemIndex Catalog
    Details:
        The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
    Event id 3029
    Context: Windows Application, SystemIndex Catalog
    Details:
        The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
    Event id 3036
    The content source <csc://{S-1-5-21-2959539970-205720217-4182857889-1001}/> cannot be accessed.
    Event id 3036
    No protocol handler is available. Install a protocol handler that can process this URL type.  (HRESULT : 0x80040d37) (0x80040d37)
    Event id 4104
    Description:
    The backup was not successful. The error is: Access is denied. (0x80070005).
    Event id 4228
    TCP/IP has chosen to restrict the scale factor due to a network condition.  This could be related to a problem in a network device and will cause  degraded throughput.
    Event id 4321
    The name "WHITEFOXPC     :0" could not be registered on the interface with IP address 192.168.1.21. The computer with the IP address 192.168.1.19 did not allow the name to be claimed by this computer.
    Event id 4373
    The description for Event ID 4373 from source NtServicePack cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    Event id 4879
    MSDTC encountered an error (HR=0x80000171) while attempting to establish a secure connection with system WHITEFOXPC.
    Event id 6000
    The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
    Event id 6006
    The winlogon notification subscriber <TrustedInstaller> took 186 second(s) to handle the notification event (CreateSession).
    Event id 7000
    The Windows Audio service failed to start due to the following error:
    A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view
    the service configuration and the account configuration.
    Event id 7001
    The Computer Browser service depends on the Server service which failed to start because of the following error:
    The dependency service or group failed to start.
    Event id 7010
    The index cannot be initialized.
    Details:
        The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
    Event id 7023
    The Block Level Backup Engine Service service terminated with the following error:
    %%-2147024713
    Event id 7024
    The Windows Search service terminated with service-specific error %%-1073473535.
    Event id 7026
    The following boot-start or system-start driver(s) failed to load:
    aswKbd
    aswRvrt
    aswSnx
    aswSP
    aswTdi
    aswVmm
    discache
    spldr
    Wanarpv6
    Event id 7030 & 7031
    The dldw_device service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
    Event id 7032
    The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Installer service, but this action failed with the following error:
    An instance of the service is already running.
    Event id 7040
    The search service has detected corrupted data files in the index {id=4700}. The service will attempt to automatically correct this problem by rebuilding the index.
    Event id 7042
    The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.
    Details:
        The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
    Event id 8210
    An unspecified error occurred during System Restore: (Installed Java 7 Update 45). Additional information: 0x80070003.
    Event id  9000
    The Windows Search Service cannot open the Jet property store.
    Details:
        0x%08x (0xc0041800 - The content index database is corrupt.  (HRESULT : 0xc0041800))
    Event id 10005
    DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server:
    {000C101C-0000-0000-C000-000000000046}
    Event id 10010
    15 of these with different server codes which I can't copy unless I copy all the details.
    The server {3EEF301F-B596-4C0B-BD92-013BEAFCE793} did not register with DCOM within the required timeout.
    Event id 12348
    Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{8e79517c-6c41-11e3-b621-cb03f0618d54}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning
    properly.  Check security on the volume, and try the operation again.
    Event id 15006
    9 of these.
    Description:
    Owner of the log file or directory \SystemRoot\System32\LogFiles\HTTPERR\httperr1.log is invalid. This could be because another user has already created the log file or the directory.
    Event id 31004
    33 of these.
    The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
    The End.
    Kimberly D. White-Fox

    Please provide a copy of your System Information file. Type System Information in the Search Box above the start Button and press the ENTER key
    (alternative is Select Start, All Programs, Accessories, System Tools, System Information). Select File, Export and give the file a name noting where it is located. The system creates a new System Information file each time system information is accessed.
    You need to allow a minute or two for the file to be fully populated before exporting a copy. Please upload to your Sky Drive, share with everyone and post a link here. Please say if the report has been obtained in safe mode.
    Please upload and share with everyone copies of your System and Application logs from your Event Viewer to your Sky Drive and post a link here.
    To access the System log select Start, Control Panel, Administrative Tools, Event Viewer, from the list in the left side of the window select Windows
    Logs and System. Place the cursor on System, select Action from the Menu and Save All Events as (the default evtx file type) and give the file a name. Do the same for the Applications log. Do not provide filtered files.
    For help with Sky Drive see paragraph 9.3:
    http://www.gerryscomputertips.co.uk/MicrosoftCommunity1.htm
    Some Event Viewer reports are generated solely because the computer is in safe mode or safe mode with networking. You have at least one example of this in your long list. If you do not see the same report for a time when
    the computer was in normal mode then it can be disregarded.
    You will find some general advice on interpreting Event Viewer reports here:
    http://www.gerryscomputertips.co.uk/syserrors5.htm
    Hope this helps, Gerry

  • How can I view my photos in "Events" like in iPhoto? How can I create events?  I have 55,000 photos and 1700 events so the only way I can possibly manage my photos is using events that are one slide in size.

    I have 55,000 images organized into about 1700 events. The only reasonable way to view my library is using events in iPhoto where each event has one image. That still leaves 1700 images to sort through but that is a lot easier than 55,000 images.  In the side bar is a folder with "iPhoto Events" but those views still show all of the slides.  How can I create events and view my photos as events as in iPhoto?  Events are critical for large libraries and have been my primary way to sort images.
    Thanks!

    I had a problem a couple of months ago when iPhotos suddenly rearranged the order of my Events (Why won't iPhoto let me arrange my photos?) .  I was told "Use albums not events - events are not a good way to organize - albums and folder are designed for organisation and are very flexible".
    Haha!  I should have paid attention and read between the lines!  My iPhotos were highly organised groupings - not according to date but the way I wanted them - and it was so easy to do!  I see now that if I had them all in albums, as per the Apple Apologist suggestion, I wouldn't have this unholy mess I have been left with just to make iPhone & iCloud users happy.  I am now going through Photos and making Albums (of what used to be in my Events)  ... maybe I'll get this finished before they do another non user friendly update!

  • How do you split clips in the event viewer in iMovie '11?

    I'm using iMovie '11 and have imported a very long movie (over an hour from VCR Tape) that I want to split into multiple events, however the "Split Clip" option is grayed out. How can I split a large event into smaller events?

    I have discovered a round-about way to split large events from comments in this forum, so apologies, and or thanks to other posters.
    You can split events by deleting (and discarding) a single frame at the point where you want to split the two clips. It's processor intensive (takes a while to do), but it works.
    1.) In the Event Viewer, click to select where you want to split the event.
    2.) Drag the yellow handles to make the selection as small as possible (1 frame?). If you drag the thumbnail display slider to the left to show only 1/2 second intervals, it helps when selecting a single frame.
    3.) Right click and select "Reject Selection". The clip is now split.
    4.) When you've completed all of your clip splitting, select "Show: Rejected Only" at the bottom of the Event Viewer to show all of the rejected frames.
    5.) Click on "Move Rejected to Trash". This operation could take a while.
    That should be it.
    Hope this helps.

  • How to enable the Exchange 2010 Admin Audit logs in Event Viewer

    How to enable the Exchange 2010 Admin Audit(Mailbox Auditing) logs in Event Viewer.
    - Sivashankar. Please mark as answer/useful if my contribution is helpful

    Hi Siva,
    We could execute the command below to view Administrator Audit Logging settings:
    Get-AdminAuditLogConfig
    If it is not enabled, please run the command below:
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
    In addition, here are some references for you to utilize this feature:
    Configure Administrator Audit Logging :
    http://technet.microsoft.com/en-us/library/dd335109(v=exchg.141).aspx
    Search the Administrator Audit Log :
    http://technet.microsoft.com/en-us/library/ff459262(v=exchg.141).aspx
    Regards,
    Rebecca Tu
    TechNet Community Support
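
The two commands in this reply, extended into a check, enable and verify sequence; this is an added example, not part of the original reply. It assumes an Exchange Management Shell session on Exchange 2010 SP1 or later (where `Search-AdminAuditLog` is available), and the 90-day age limit and seven-day search window are illustrative values.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010 SP1 or later assumed).

# 1. Show the current administrator audit logging settings.
$cfg = Get-AdminAuditLogConfig
$cfg | Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets,
                   AdminAuditLogParameters, AdminAuditLogAgeLimit

# 2. Enable logging only if it is off. Auditing every cmdlet and parameter
#    avoids gaps; the 90-day retention is an illustrative value (assumption).
if (-not $cfg.AdminAuditLogEnabled) {
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
        -AdminAuditLogCmdlets '*' `
        -AdminAuditLogParameters '*' `
        -AdminAuditLogAgeLimit 90.00:00:00
}

# 3. Confirm that entries are being written: list recent administrative changes.
$since = (Get-Date).AddDays(-7)
Search-AdminAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 1000 |
    Sort-Object RunDate -Descending |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded |
    Format-Table -AutoSize

# 4. Review changes to the audit configuration itself, to see who turned
#    logging on or off or narrowed what is recorded.
Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig -StartDate $since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletParameters
```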

  • Errors for excel - excel service unavailable. Event Viewer has error event ids - 5239 and 5231.

    Errors for excel - excel service unavailable. Event Viewer has error event ids - 5239 and 5231. 
    We restart the excel service app and it solves. Looking for permanent solution.
    Regards,
    Kunal

    To resolve the issue, do a simple restart.
    Restart the server
    Before restarting, verify that this problem occurs often. It may be an intermittent problem that is automatically corrected and does not require you to restart the server.
    If the problem occurs often, restart the server running Excel Services Application.
    If the problem continues to occur often, and restarting the server did not correct the problem, confirm that the hardware of the server is functioning correctly, or reinstall Excel Services Application and re-add the server to the server farm.
    Here's the article with the explanation: Error communicating with Excel Services Application - Events 5231 5239 5240
    Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply.

  • How to read event viewer

    I want to view all events, as we can see through Event Viewer in Administrative Tools in Control Panel, using a Java program.
    How can I view application, security, system and W3C events, as in Event Viewer, in a Java program?

    Hi
    AEM data is stored in SCOM, you can use sql commands to connect to SCOM db and get required data.
    refer below for how to run sql query from PowerShell
    http://technet.microsoft.com/en-us/library/cc281720.aspx
    for SQL query for AEM refer below link
    http://blog.scomfaq.ch/2013/05/14/scom-2012-custom-aem-reports/
    http://blogs.technet.com/b/kevinholman/archive/2007/10/18/useful-operations-manager-2007-sql-queries.aspx
    Note : you can retrieve AEM data from scom sdk but it will overload scom server, however scom sdk run sql query to get required data. you can use sql PowerShell commands to achieve the same
    Regards
    sridhar v

  • How does one clear Custom Views (Administrative Events) in the Event Viewer?

    Windows Logs and Applications and Services Logs have a "clear log" option; however, I am puzzled how to edit/delete Administrative Events?
    Eighter from Decatur, county seat of Wise (of course it's in Texas)

    Ronnie Vernon said: Hi p010ne
    The Custom View / Administrative Events is a compilation of all the other event logs in the Event Viewer.
    Entries in this log will be removed when the log where the event originated from is cleared.
    Hope this helps.
    Ronnie Vernon MVP
    I thought that was the case; however, I cleared all the other logs! This is an example of an entry in this log:
    Log Name:      Microsoft-Windows-Dhcpv6-Client/Admin
    Source:        Microsoft-Windows-DHCPv6-Client
    Date:          1/17/2009 7:52:33 AM
    Event ID:      1001
    Task Category: Address Configuration State Event
    Level:         Error
    Keywords:      
    User:          LOCAL SERVICE
    Computer:      Windows7
    Description:
    Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0x000129F558C5.  The following error occurred: 0x79. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DHCPv6-Client" Guid="{6A1F2B00-6A90-4C38-95A5-5CAB3B056778}" />
        <EventID>1001</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>3</Task>
        <Opcode>74</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2009-01-17T13:52:33.858398400Z" />
        <EventRecordID>202</EventRecordID>
        <Correlation />
        <Execution ProcessID="1088" ThreadID="864" />
        <Channel>Microsoft-Windows-Dhcpv6-Client/Admin</Channel>
        <Computer>Windows7</Computer>
        <Security UserID="S-1-5-19" />
      </System>
      <EventData>
        <Data Name="HWLength">6</Data>
        <Data Name="HWAddress">000129F558C5</Data>
        <Data Name="StatusCode">121</Data>
      </EventData>
    </Event>
    When I search for "Microsoft-Windows-DHCPv6-Client" I do not find that file?
    OK, I found the entries in the Microsoft section (DHCPv6-Client) and am able to clear them there!
    Eighter from Decatur, county seat of Wise (of course it's in Texas)

  • How to interpret Event Viewer reference to "\Device\Harddisk3\DR3"

    My Win 7 Event Viewer is showing error messages saying
    > The driver detected a controller error on \Device\Harddisk3\DR3.
    and I need to relate that to a particular drive.  Is "DR3" = "Disk 3" in the Disk Management console?  If not, how do I determine the unit responsible for the error?

    I think you should forget about the "DR3" and just look at "Harddisk3" instead. On this computer the Harddisk number corresponds to the Disk number in Disk Management.
    Looking in both "Globals" and "Devices" in Winobj, I think that \Device\Harddisk3 is a namespace and DR3 seems to represent the device (Harddisk3) within that namespace.
    As noticed by Fleet Command in the afore-mentioned thread, removing and replugging a USB drive increments the "DR" number - for example, \Device\Harddisk7\DR7 becomes \Device\Harddisk7\DR8 and then \Device\Harddisk7\DR9 etc.
    Also, my System drive (\Device\Harddisk0\DR0) and my RAM drive (\Device\Harddisk5\DR0) both use "DR0"
    Looking at the partition entries for all drives in "Devices", Partition0 seems to always be a symbolic link to the drive itself, e.g. HardDisk3\Partition0 points to Harddisk3\DR3 (try double clicking on Partition0). Also, GPT drives seem to have another extra partition listed. For example, in the Devices screenshot below Partition 0 through 5 are listed. After discounting Partition0, that still leaves 5 partitions. The drive actually only has 4 partitions. All my GPT drives are the same - they show an extra partition - yet all the MBR drives show the "correct" number (but maybe there is another explanation).
    Anyway, most of my drives have a unique number of partitions and, at least on this computer, at this moment, the "Harddisk" number corresponds with the drive index as shown on the left-hand side of the bottom half of Disk Management - i.e. \Device\Harddisk3 corresponds to Disk 3
    Double clicking on PhysicalDrive3 in the Globals section of Winobj (as below)
    Brings you here

  • IDSMC 2.0.1 How to see the total IDS Events in Database

    If I:
    1. In "Security Monitor" - "Data Management" - "Database" - "Rules", specify a trigger condition "Notify via e-mail" and set the trigger action "Total IDS events in database exceed" to 50000.
    2. Then in "Security Monitor" - "Monitor" - "Events", launch Event Viewer with "Event Start Time" set to "At Earliest".
    3. And delete all events from the database. Then after a while the trigger action for 50000 IDS events is triggered and sends the e-mail notification, even though I only see a few thousand events in the Security Monitor.
    4. Is this a bug (that the Security Monitor only shows a few thousand events), or is there another way to see the total number of IDS events in the database?
    Thanks
    Gert

    This document should explain it better,
    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/ch04.htm#wp322337
