OSX Event Logging Help
I'm having a bit of an issue with my Macbook Pro where I believe I have someone else logging into it while I'm away.
I'd like to see if I can determine login times for the Mac (so I can parse through and see if it was while I was away or not). I know I've read that the Microsoft Windows Event Viewer equivalent in OSX is the Console, but I'm not quite sure what to search for within the console logs.
Is there a definitive string that will tell me when there was a successful login or unsuccessful login attempt? I started looking for keychain access but it appears to be accessed a lot more frequently than just logins.
On a related note, can I determine when/if a specific application was launched? (specifically Mail.app)?
Thanks much.
SoCalDaveL wrote:
That's great. Never knew that. I was trying to parse through Console logs instead.
Is there a way to tell when a specific app was launched?
no. that info is not logged.
(specifically mail.app)
I would imagine there should be a log for that
no, there isn't.
since it accesses the keychain.
Similar Messages
-
Event Log Help Links No Longer Working?
Have the help links in the Windows XP event log entries been discontinued?
They used to open up the Help and Support Center with further information about the Event Log error if it was available.
For some time now they have all just given a "page not found" error, which then re-directs to Bing with offered results that are no use at all!
This happens now on every XP system I've tried it on.
As a user of Windows 8.1 as well as XP, I'm well aware that the Windows 8 Event Log help links have never worked so far, but the XP ones always did, and despite the looming "End of Support" I can see no reason for all that information to have been
removed.
Any explanation for this?
Thanks, Dave Hawley.
Hi - thank you DaveHawley for the report. Just wanted to confirm that I've passed this on to the team that looks after the redirect service behind the "More Info" link.
There have been some major changes in how this redirection works over the years as well as in the last months. The most recent efforts added the option to enable use of the TechNet Wiki [sample]
to allow the community to comment & contribute for a given component. I'm only guessing here, but this might have accidentally impacted XP.
Thanks
Bruno -
HOME HUB - EVENT LOG - Help with translation pleas...
Have just found the event log on the Home Hub and am trying to understand what it is telling me. For today, there are many similar entries such as copied below;
VOIP: [2.0A] [XXXXXXXX] [FXS DECT1 DECT2 DECT3 DECT4 DECT5] 200 OK - SIP message received
VOIP: [2.0A] XXXXXXXXX] [] 501 Not Implemented - SIP message sent
VOIP: [2.0A] [kas] [-] REGISTER - SIP message received
Could someone please give me some idea what these entries relate to?
Thanks
EDIT; On reflection, I think the following are better examples of my concern that someone may be hacking into our hub / broadband or does the ' not implemented ' comment mean that the security has kicked in and rejected the attempt?
VOIP: [2.0A] [john] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [john] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [daniel] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [daniel] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [Amanda] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [Amanda] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [andrew] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [andrew] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [jennifer] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [jennifer] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [newuser] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [newuser] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [computer] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [computer] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [calvin] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [calvin] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [charles] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [charles] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [paul] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [paul] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [dave] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [dave] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [steve] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [steve] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [tsinternetusers] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [tsinternetusers] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [tsinternetuser] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [tsinternetuser] [-] REGISTER - SIP message received
edit the post as you're showing your VOIP number (If your BBT number starts 01).
AFAIK it's something to do the hub phone set up BUT I'm not too sure.
DECT 1 to 5 (5 handsets can be registered)
-+-No longer a forum member-+- -
Oracle 10g XE Event Logs - Please help
I'm running 10g XE on a Virtual 2003 Server. My Application Event Logs the following events. I will get up to 20 events per minutes. I have posted the event description. Please advise. Thank you,
The description for Event ID ( 5 ) in Source ( Oracle.xe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: QMNC, xe.
The description for Event ID ( 16 ) in Source ( Oracle.xe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: xe.
The description for Event ID ( 34 ) in Source ( Oracle.xe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: ACTION : 'CONNECT' DATABASE USER: '/' PRIVILEGE : SYSDBA CLIENT USER: NT AUTHORITY\SYSTEM CLIENT TERMINAL: [Server FQDN stated in this area]: 0 .
Hi Jab
The last event is something Oracle logs per default. Every time someone logs in with sysdba privileges, it is logged to the event log. Read more in the manual
Security guide, chapter 8
Try to check the parameter
AUDIT_TRAIL
in the database
show parameter AUDIT_TRAIL
If it is set to OS and you have enabled auditing, then more events are written to the event log.
Best wishes,
Kennie
-
Help with the event log in the type B hub
I have probs with broadband slowing down and also with link going down a number of times again (it recovers quickly)
I just wanted to confirm that the message in the event log in the type B hub:-
(134558.700000) RTNL: Received ERROR reply 'No such process' for message type 0x19
was the link dropping.
Can anybody confirm this and does anyone know if/where the messages are documented?
Thanks in advance
Banz
does nobody have any comments on this
Mods - please help
banz
ps this is my last bump - I will give up after this -
[UNSOLVED] Event Log Custom XML Query Filtering Help
I've looked at a few different posts but I must be missing something because what I'm constructing isn't working.
Here's the XML code of an example event:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ERAS WCF" />
    <EventID Qualifiers="0">0</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-07-09T20:32:51.000000000Z" />
    <EventRecordID>899070</EventRecordID>
    <Channel>Application</Channel>
    <Computer>server.f.q.d.n</Computer>
    <Security />
  </System>
  <EventData>
    <Data>User [email protected] has submitted 'Get BIOS Information' operation from servername to computername.f.q.d.n.</Data>
  </EventData>
</Event>
This is my query:
<QueryList>
<Query Id="0">
<Select Path="Application">*[EventData[Data and (Data='computername' or Data='ip.add.re.ss')]]</Select>
</Query>
</QueryList>
I always get 0 results, even if I take stabs in the dark:
*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]
*[EventData[Data and (Data='*computername*')]]
*[EventData[Data and (Data='%computername%')]]
I used this post as my guide for filtering based on content: http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
Also:
I hope this is the right place for this question. This said to post in the server forums, but in the server forums, it said to post here.
I happen to be doing this on a server, but it could just as easily be a desktop.
Hello,
Thanks for posting question to this forum. Since this forum is related with XPath, what I can do is to help you validate your XPath query. With your query, I tested them with my computer, however, all of them could load event record correctly:
Query:*[EventData[Data and (Data='Office12AssertTimer' or Data='6.3.9600.17031')]]
Result:
Query:*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]
Result:
So your XPath query is ok. Have you tried using the same query to filter the event log on another computer, to check if there are records? I am wondering if there is something wrong with your current computer.
And since the XPath is ok, I would like to suggest posting it to the server forum to see if there are others looking into it.
Regards.
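The Data element of the sample event holds a whole sentence, and the Event Log XPath subset compares Data by equality only: it has no contains() function and no wildcard matching. The following added example (not part of the thread; Select-EventByDataText is a hypothetical helper and the sample event is constructed) shows the equality test missing such an event and a client-side substring filter finding it.

```powershell
# Added example, not from the thread. Select-EventByDataText is a hypothetical helper.
$ns = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }

# Constructed sample, shaped like the event quoted in the question.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ERAS WCF" />
    <EventID Qualifiers="0">0</EventID>
    <Channel>Application</Channel>
  </System>
  <EventData>
    <Data>User someone@example.test has submitted 'Get BIOS Information' operation from servername to computername.f.q.d.n.</Data>
  </EventData>
</Event>
'@

# 1. Equality, as in the posted filter: the whole Data string would have to equal 'computername'.
$exact = @(Select-Xml -Content $sample -Namespace $ns -XPath "//e:EventData[e:Data='computername']")
"Equality match count: $($exact.Count)"

# 2. Substring match, done client-side after the event has been retrieved.
function Select-EventByDataText {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]   $EventXml,
        [Parameter(Mandatory)]                    [string[]] $Needle
    )
    process {
        $ev = ([xml]$EventXml).Event
        foreach ($data in $ev.EventData.Data) {
            # Data is a plain string when the element has no attributes, an XmlElement otherwise.
            $text = if ($data -is [System.Xml.XmlElement]) { $data.InnerText } else { [string]$data }
            foreach ($n in $Needle) {
                if ($text.IndexOf($n, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{
                        Provider = $ev.System.Provider.GetAttribute('Name')
                        Matched  = $n
                        Data     = $text
                    }
                    return   # one row per event is enough
                }
            }
        }
    }
}

$sample | Select-EventByDataText -Needle 'computername', 'ip.add.re.ss'

# Against the live log: narrow by provider on the server side, match the text locally.
# Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='ERAS WCF']]]" |
#     ForEach-Object { $_.ToXml() } |
#     Select-EventByDataText -Needle 'computername', 'ip.add.re.ss'
```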
-
Need Help to extract information from Windows Security Event log
Hi Everyone,
My challenge is to create a script that queries the Security event log for event id 4624 , logon type 2 and 10, then export the result to file, hopefully tab limited.
I need the time - date - User Account - Workstation - IP address - Logon Type.
I have had a go, checking out other advice from other questions, but i'm just not getting what I want.
Kind regards,
Andrew
A good point to start is get-eventlog with where clauses.
For example:
get-eventlog -log security | where {$_.eventID -eq 4624}
So you want to get the entire security log, and then filter it client side? (Some of these logs can be massive).
I would recommend Get-WinEvent with -FilterHashTable (Filter on the left) which will filter against the log directly.
http://blogs.technet.com/b/heyscriptingguy/archive/2011/01/24/use-powershell-cmdlet-to-filter-event-log-for-easy-parsing.aspx
You might have admin rights issues accessing the security logs.
You're right - my answer was only a first step to try "get-command *event" and eventually get-help..... -
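One way to produce the export asked for above, following the Get-WinEvent -FilterHashtable suggestion: this is an added example, not code from the thread. ConvertTo-LogonRow and Export-InteractiveLogon are hypothetical names, the sample events are constructed, and the live query has to run from an elevated session because it reads the Security log.

```powershell
# Added example, not from the thread. Function names are hypothetical; the Data field
# names (TargetUserName, LogonType, ...) are those carried by event 4624.
function ConvertTo-LogonRow {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $ev = ([xml]$EventXml).Event

        # Index the <Data Name="..."> elements by their Name attribute.
        $field = @{}
        foreach ($d in $ev.EventData.Data) {
            if ($d -is [System.Xml.XmlElement]) { $field[$d.GetAttribute('Name')] = $d.InnerText }
        }

        # Keep interactive (2) and remote interactive (10) logons only.
        if ('2', '10' -notcontains $field['LogonType']) { return }

        # SystemTime is UTC, e.g. 2014-07-09T20:32:51.000000000Z; split it without re-parsing.
        $utc = $ev.System.TimeCreated.GetAttribute('SystemTime')
        [pscustomobject]@{
            DateUtc     = $utc.Substring(0, 10)
            TimeUtc     = $utc.Substring(11, 8)
            User        = '{0}\{1}' -f $field['TargetDomainName'], $field['TargetUserName']
            Workstation = $field['WorkstationName']
            IpAddress   = $field['IpAddress']
            LogonType   = $field['LogonType']
        }
    }
}

function Export-InteractiveLogon {
    param([string] $Path = '.\logons.tsv')
    # The event ID filter is applied by the event log service, not in the pipeline.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
        ForEach-Object { $_.ToXml() } |
        ConvertTo-LogonRow |
        Export-Csv -Path $Path -Delimiter "`t" -NoTypeInformation
}

# Constructed sample events: one RDP logon (type 10) and one service logon (type 5).
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="{0}" /></System>
  <EventData>
    <Data Name="TargetUserName">{1}</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">{2}</Data>
    <Data Name="WorkstationName">{3}</Data>
    <Data Name="IpAddress">{4}</Data>
  </EventData>
</Event>
'@
$samples = @(
    ($template -f '2024-01-15T08:02:11.123456700Z', 'alice', '10', 'WS-042', '192.0.2.10'),
    ($template -f '2024-01-15T08:02:12.000000000Z', 'svc_backup', '5', '-', '-')
)

# Only the type 10 event survives the filter.
$samples | ConvertTo-LogonRow | Format-Table -AutoSize

# Live export (elevated session): Export-InteractiveLogon -Path .\logons.tsv
```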
HOME HUB - EVENT LOG - TECHNICAL HELP PLEASE
Hello. I am trying to investigate why my BB usage is so high and have come across some recorded event entries in the 'event log' which I would like explained. Is there an expert/moderator who can help please? What I am trying to establish is whether these entries could mean that there are outside users, using our broadband via P2P/Skype etc?. Many thanks. n.b None of the names are known to me.
VOIP: [2.0A] [john] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [john] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [daniel] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [daniel] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [Amanda] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [Amanda] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [andrew] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [andrew] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [jennifer] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [jennifer] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [newuser] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [newuser] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [computer] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [computer] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [calvin] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [calvin] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [charles] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [charles] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [paul] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [paul] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [dave] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [dave] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [steve] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [steve] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [tsinternetusers] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [tsinternetusers] [-] REGISTER - SIP message received
13:31:32 16 Aug
VOIP: [2.0A] [tsinternetuser] [] 501 Not Implemented - SIP message sent
13:31:32 16 Aug
VOIP: [2.0A] [tsinternetuser] [-] REGISTER - SIP message received
Ditto - http://community.bt.com/t5/BB-in-Home/I-guess-this-is-not-normal/m-p/12705#M7403
(note this was on 03/04/10 after I had manually turned OFF BBT).
IanC did provide a plausible reason on the above link
-+-No longer a forum member-+- -
Help Needed-bt home hub 2.0 event log messages
Hi, Please can someone have a look at the event log messages below. Is someone trying to hack me? there are loads more of these messages i've only copy and pasted a few of them.
many thanks in advance.
12:32:02 30 Sep
VOIP: [2.0A] [guest1] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [guest] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [guest] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office12345] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office12345] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office1234] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office1234] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office123] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office123] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office12] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office12] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office1] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office1] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [office] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [office] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin12345] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin12345] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin1234] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin1234] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin123] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin123] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin12] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin12] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin1] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin1] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [admin] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [admin] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [administrator] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [administrator] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [4260011834] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [4260011834] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [Administrator] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [Administrator] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [3942121793] [] 501 Not Implemented - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [3942121793] [-] REGISTER - SIP message received
12:32:02 30 Sep
VOIP: [2.0A] [100] [] 404 Not Found - SIP message sent
12:32:02 30 Sep
VOIP: [2.0A] [100] [-] OPTIONS - SIP message received
12:32:01 30 Sep
SNTP Synchronised to server: 213.123.26.170
11:45:07 30 Sep
VOIP: [2.0A] [100] [] 404 Not Found - SIP message sent
11:45:07 30 Sep
VOIP: [2.0A] [100] [-] OPTIONS - SIP message received
11:32:01 30 Sep
SNTP Synchronised to server: 213.123.20.170
11:28:34 30 Sep
VOIP: [2.0A] [100] [] 404 Not Found - SIP message sent
11:28:34 30 Sep
VOIP: [2.0A] [100] [-] OPTIONS - SIP message received
Hi JM7HUB and welcome,
No, you're not being hacked. It's to do with BTHub phone (Broadband Talk - BBT) and the hub, in your case the hub 2A.
It's a test that BT seem to carry out, normally (IIRC) after a reboot of the hub or possibly at random times - it's been a long time since I used BBT. I'll guess there are some random names mentioned on some of the other VOIP events?
If you don't use a BBT, you can turn this off by entering the hub manager - type bthomehub.home or 192.164.1.254 in to your browser, click settings, advanced settings, continue to advanced settings, telephony - there should be an option there to turn it off. This should then stop the events.
edit. The telephone light on the hub will go out, but any registered hub phone should still operate as a 'normal' phone using your landline number.
-+-No longer a forum member-+- -
Model of MFP = HP LaserJet M4555h MFP = CE738A
With fax accessory for HP LaserJet MFP Analog 500 = CE737A
Firmware Datecode = 20120623
Firmware Revision = 2200643_228339
The initial issue was receiving faxes, so I updated the firmware to the above listed. In the event log it shows since the firmware was updated on Nov 7th the following:
The device keeps prompting to restart the printer.... I haven't been able to screen capture the message off the device yet... on the Information tab through the EWS it's shown: "An unexpected error occurred. We apologize for the inconvenience. Please try again." What is that suppose to mean?
Faxing has stopped working completely....
Can you tell me if this means the firmware is corrupt and should be re-loaded?
Or suggest what my next steps would be?
Anything is helpful...Thanks HP Seeker.
Hello, you can also try a partial clean and reload the latest firmware, see if that will work.
-
How to write to windows event logs from determinations-server under IIS
This is just an FYI technical bit of information I wish someone had shared with me before I started trying to write OPA errors to the windows event log... Most problems writing to the windows event log from log4net occur because of permissions. Some problems are because determinations-server does not have permissions to create some registry entries. Some problems cannot be resolved unless specific registry entry permissions are actually changed. We had very little consistency with the needed changes across our servers, but some combination of the following would always get the logging to the windows event log working.
To see log4net errors as log4net attempts to utilize the windows event log, temporarily add the following to the web.config:
<appSettings>
  <!-- uncomment the following line to send diagnostic messages about the log configuration file to the debug trace.
       Debug trace can be seen when attached to IIS in a debugger, or it can be redirected to a file, see
       http://logging.apache.org/log4net/release/faq.html in the section "How do I enable log4net internal debugging?" -->
  <add key="log4net.Internal.Debug" value="true"/>
</appSettings>
<system.diagnostics>
  <trace autoflush="true">
    <listeners>
      <add
        name="textWriterTraceListener"
        type="System.Diagnostics.TextWriterTraceListener"
        initializeData="logs/InfoDSLog.txt" />
    </listeners>
  </trace>
</system.diagnostics>
To add an appender for the windows event viewer, try the following in the log4net.xml:
<appender name="EventLogAppender" type="log4net.Appender.EventLogAppender" >
  <param name="ApplicationName" value="OPA" />
  <param name="LogName" value="OPA" />
  <param name="Threshold" value="all" />
  <layout type="log4net.Layout.PatternLayout">
    <conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
  </layout>
  <filter type="log4net.Filter.LevelRangeFilter">
    <levelMin value="WARN" />
    <levelMax value="FATAL" />
  </filter>
</appender>
<root>
  <level value="warn"/>
  <appender-ref ref="EventLogAppender"/>
</root>
To put the OPA logs under the Application Event Log group, try this:
Create an event source under the Application event log in Registry Editor. To do this, follow these steps:
1. Click Start, and then click Run.
2. In the Open text box, type regedit.
3. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
4. Right-click the Application subkey, point to New, and then click Key.
5. Type OPA for the key name.
6. Close Registry Editor.
To put the OPA logs under a custom OPA Event Log group (as in the demo appender above), try this:
Create an event log in Registry Editor. To do this, follow these steps:
1. Click Start, and then click Run.
2. In the Open text box, type regedit.
3. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
4. Right-click the eventlog subkey, point to New, and then click Key.
5. Type OPA for the key name.
6. Right-click the new OPA key and add a new DWORD called "MaxSize" and set it to "1400000" which is about 20 Meg in order to keep the log file from getting too large.
7. The next steps either help or sometimes cause an error, but you can try these next few steps... If you get an error about a source already existing, then you can delete the key.
8. Right-click the OPA subkey, point to New, and then click Key.
9. Type OPA for the key name.
10. Close Registry Editor.
You might need to change permissions so OPA can write to the event log in Registry Editor. If you get permission errors, try following these steps:
1. Click Start, and then click Run.
2. In the Open text box, type regedit.
3. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
4. Right-click the EventLog key, select Permissions.
5. In the dialog that pops up, click Add...
6. Click Advanced...
7. Click Locations... and select the current machine by name.
8. Click Find Now
9. Select both the Network user and IIS_IUSERS user and click OK and OK again. (We never did figure out which of those two users was the one that fixed our permission problem.)
10. Change the Network user to have Full Control
11. Click Apply and OK
To verify OPA Logging to the windows event logs from Determinations-Server:
Go to the IIS determinations-server application within Server Manager.
Under Manage Application -> Browse Application click the http link to pull up the local "Available Services" web page that show the wsdl endpoints.
Select the /determinations-server/server/soap.asmx?wsdl link
Go to the URL and remove the "?wsdl" from the end of the url and refresh. This will throw the following error into the logs:
ERROR Oracle.Determinations.Server.DSServlet [(null)] - Invalid get request: /determinations-server/server/soap.asmx
That error should show up in the windows event log, OR you can get a message explaining why security stopped you in "logs/InfoDSLog.txt" if you used the web.config settings from above.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363648(v=vs.85).aspx
Edited by: Paul Fowler on Feb 21, 2013 9:45 AM
Thanks for sharing this information Paul.
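One way to do the registry steps above once, as an administrator, instead of giving the web application's account Full Control on the Eventlog key: this is an added example for Windows PowerShell 5.1, not part of the original post. It assumes the log and source name OPA from the appender above; the account names matched in the ACL review (NETWORK, IIS_IUSRS) are assumptions about the identities involved.

```powershell
#Requires -RunAsAdministrator
# Added example for Windows PowerShell 5.1; not part of the original post.
# Assumptions: log and source are both named OPA (as in the appender above), and the
# accounts worth reviewing are NETWORK / NETWORK SERVICE and IIS_IUSRS.
$logName = 'OPA'
$source  = 'OPA'

# Create the custom log and register the source in one step
# (this replaces creating the Eventlog\OPA and Eventlog\OPA\OPA keys by hand).
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName $logName -Source $source
}
elseif ([System.Diagnostics.EventLog]::LogNameFromSourceName($source, '.') -ne $logName) {
    Write-Warning "Source '$source' is already registered to a different log."
}

# Cap the log at 20 MB and overwrite the oldest entries when it is full.
Limit-EventLog -LogName $logName -MaximumSize 20MB -OverflowAction OverwriteAsNeeded

# Write a test entry and read it back to confirm the source works.
Write-EventLog -LogName $logName -Source $source -EventId 1000 -EntryType Warning `
    -Message 'OPA event source test entry'
Get-EventLog -LogName $logName -Newest 1 |
    Format-List TimeGenerated, Source, EntryType, Message

# Review the Eventlog key for Full Control grants left over from troubleshooting.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$full = [System.Security.AccessControl.RegistryRights]::FullControl
(Get-Acl -Path $key).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $full) -eq $full -and
        $_.IdentityReference.Value -match 'NETWORK|IIS_IUSRS'
    } |
    Select-Object IdentityReference, RegistryRights, IsInherited
```

Any row returned by the last command is an account that can still rewrite every event log registration on the machine.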
-
Windows update KB2964444 broke Event Logging Service and SQL Agent Service on Windows Server 2008 R2
I got the following problem:
I discovered that on my Windows Server 2008R2 machine the event logging stopped working on 04/May/2014 at 03:15.
Also, SQL Agent Service won't run
The only change that day was security update KB2964444 - Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems, that was installed exactly 04/May/2014 at 03:00. Apparently, that's what broke my machine...
When I try to start Windows Event Log via net start eventlog or via Services panel, I get an error:
C:\Users\Administrator>net start eventlog
The Windows Event Log service is starting.
The Windows Event Log service could not be started.
A system error has occurred.
System error 2 has occurred.
The system cannot find the file specified.
I tried:
restarted the OS (virtual on the host's VMWare).
re-checked the settings in services menu -they are like in the link.
checked the identity in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog - the identity is NT AUTHORITY\LocalService
gave all Authenticated Users full access to C:\Windows\System32\winevt\Logs
ran fc /scannow - Windows Resource Protection did not find any integrity violations.
went to the file %windir%\logs\cbs\cbs.log - all clean, [SR] Repairing 0 components
EDIT: Uninstalled the recent system updates and rebooted - didn't help
EDIT: Sysinternals Process Monitor results when running start service from services panel (procmon in elevated mode):
filters:
process name is svchost.exe : include
operation contains TCP : exclude
the events captured are:
21:50:33.8105780 svchost.exe 772 Thread Create SUCCESS Thread ID: 6088
21:50:33.8108848 svchost.exe 772 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
21:50:33.8109134 svchost.exe 772 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
21:50:33.8109302 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services REPARSE Desired Access: Read
21:50:33.8109497 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
21:50:33.8110051 svchost.exe 772 RegCloseKey HKLM SUCCESS
21:50:33.8110423 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services SUCCESS Query: HandleTags, HandleTags: 0x0
21:50:33.8110705 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
21:50:33.8110923 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
21:50:33.8111257 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS Desired Access: Read
21:50:33.8111547 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services SUCCESS
21:50:33.8111752 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS
21:50:33.8111901 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
21:50:33.8112148 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS
21:50:33.8116552 svchost.exe 772 Thread Exit SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
NOTE: previously, for
21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
I also got NAME NOT FOUND error, so I created the new string value for the Parameters with the name ServiceDll and data %SystemRoot%\System32\wevtsvc.dll (copied from the upper HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key) and this event now is
21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
I also checked for the presence of wevtsvc.dll in the place and it's there.
Also, I tried to capture all events with path containing 'event' and got following events firing every several seconds:
21:38:38.9185226 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Tag NAME NOT FOUND Length: 16
21:38:38.9185513 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup NAME NOT FOUND Length: 268
21:38:38.9185938 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Group NAME NOT FOUND Length: 268
Also, I tried to capture all the events containing 'file', excluding w3wp.exe, chrome.exe, wmiprvse.exe, wmtoolsd.exe, System and it shows NO attempts to access any file in the time I try to start the event logger (if run from cmd - there are several hits by net executable, not present if run from the panel).
What can be done?
Hi,
I haven't found a similar issue. If you have IE 11, please try updating the system automatically or installing the MS14-029 update.
The related KB:
MS14-029: Security update for Internet Explorer 11 for systems that do not have update 2919355 (for Windows 8.1 or Windows Server 2012 R2) or update 2929437 (for Windows 7 SP1 or Windows Server 2008 R2 SP1) installed: May 13, 2014
http://support.microsoft.com/kb/2961851/en-us
Hope this helps.
-
Questions about BT Home Hub 4A event log - WIFI c...
Hope someone can help please ?
I had BT Infinity installed 2 weeks ago with the HH 4 (type A) and everything has worked - connection found, no problem.
This week, my ipod touch was unable to join the network but the iphone 5, another ipod and a tablet could connect without a problem. The ipod touch managed to connect to another WIFI used at the property and my work wifi without a problem.
I thought it maybe the ipod touch as it was quite old but that doesn't make sense since it connects fine to other networks. I restored network settings and other options suggested by Apple but to no avail.
I have turned my attention to the Hub. My laptop (older than the ipod touch) gets the connection no problem along with the other devices. I went into the hub management page but I am not smart enough to decipher the event log so would like some help so I can fix this because I thought BT infinity was the better more reliable option?
The ipod touch Wifi IP address is 00:25:00:b7:35:f6.
On the event log, it shows STA before the address - but it shows STA before all the device IP addresses. Should I change this to DHCP ? or is this (Static ? alright)
The Lease on all the devices on the event log is set to 1440 min. (1 day) is that alright too, what does it mean ?
Do I have to keep renewing the lease ? How do I do that ? I read it can be set to 21 days ?
Going back to the IP address on the ipod it shows the Hostname as 00:25:00:B7:35:f6-2 this is different to the IP address with the -2. Could that be a cause of the unable to join network or is it because I attempted to recreate the network on the ipod so it's the second version of that host name ?
Is there any setting I can change to fix this because I am concerned the same thing will happen to the other devices and then the laptop....
What do I need to do to be able to get my ipod touch to connect to the BT network setting ?
I think it's the hub 4A causing the 'block' on the ipod touch not the device and I think it's maybe a matter of changing a setting - but then why was it all fine before when Infinity was first installed ?
Lastly my laptop (7 Years old) seems to be attached to the 5GHZ Wireless channel - is that alright ? The other more recent devices are on the 2.4ghz channel (except the ipod touch which isn't on any !!)
Is it alright to turn the hub on / off ? -I am resisting that because I don't want to make the situation worse.
Sorry but what does client disassociated mean and all the BLOCKS - do they relate to firewall ?
Please can you review the event log and my questions ?
Many thanks
angie 2601
The time frame is 3.55am 8/8/2013 - 7.16 am 8/8/2013
(Latest (7.16am) at the top)
Message
07:16:39, 08AUG
(1224785.050000) Admin login successful by 192.168.1.64 on HTTP
(1224766.610000) Admin login FAILED by 192.168.1.64 on HTTP
(1224648.050000) New GUI session from IP 192.168.1.64
(1224466.770000) Device disconnected: Hostname: Unknown-d8:d1:cb:ec:a6:fe IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client disassociated
(1224362.750000) Lease for IP 192.168.1.65 renewed by host Unknown-d8:d1:cb:ec:a6:fe (MAC d8:d1:cb:ec:a6:fe). Lease duration: 1440 min
(1224362.750000) Device connected: Hostname: Unknown-d8:d1:cb:ec:a6:fe IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe Lease time: 1440 min. Link rate: 90.0 Mbps
(1224362.690000) Lease requested
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client associated
(1224241.150000) Lease for IP 192.168.1.64 renewed by host FAMILY (MAC 00:13:02:de:6d:e6). Lease duration: 1440 min
(1224241.150000) Device connected: Hostname: FAMILY IP: 192.168.1.64 MAC: 00:13:02:de:6d:e6 Lease time: 1440 min. Link rate: 54.0 Mbps
(1224241.090000) Lease requested
wlan1: STA 00:13:02:de:6d:e6 IEEE 802.11: Client associated
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:34905->31.13.72.38:443 on ppp1)
(1223644.770000) Device disconnected: Hostname: Unknown-d8:d1:cb:ec:a6:fe IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client disassociated
(1223489.390000) Lease for IP 192.168.1.65 renewed by host Unknown-d8:d1:cb:ec:a6:fe (MAC d8:d1:cb:ec:a6:fe). Lease duration: 1440 min
(1223489.380000) Device connected: Hostname: Unknown-d8:d1:cb:ec:a6:fe IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe Lease time: 1440 min. Link rate: 90.0 Mbps
(1223489.330000) Lease requested
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client associated
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client disassociated
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client associated
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:34375->31.13.72.38:443 on ppp1)
IN: BLOCK [16] Remote administration (ICMP type 8 code 0 117.1.42.94->86.182.228.205 on ppp1)
IN: BLOCK [9] Packet invalid in connection (TCP 31.13.72.33:443->86.182.228.205:44156 on ppp1)
IN: BLOCK [9] Packet invalid in connection (TCP 31.13.72.33:443->86.182.228.205:36615 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.68:49476->173.252.103.16:443 on ppp1)
BLOCKED 5 more packets (because of Packet invalid in connection)
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.68:49443->95.100.195.205:443 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.68:49438->95.100.194.217:443 on ppp1)
IN: BLOCK [9] Packet invalid in connection (TCP 95.100.194.217:443->86.182.228.205:49444 on ppp1)
(1222111.810000) Lease for IP 192.168.1.68 renewed by host Unknown-70:56:81:46:bf:d9 (MAC 70:56:81:46:bf:d9). Lease duration: 1440 min
(1222111.810000) Device connected: Hostname: Unknown-70:56:81:46:bf:d9 IP: 192.168.1.68 MAC: 70:56:81:46:bf:d9 Lease time: 1440 min. Link rate: 52.0 Mbps
(1222111.750000) Lease requested
wlan0: STA 70:56:81:46:bf:d9 IEEE 802.11: Client associated
(1222093.690000) Device disconnected: Hostname: Unknown-00:25:00:b7:35:f6-2 IP: 192.168. MAC: 00:25:00:b7:35:f6
wlan0: STA 00:25:00:b7:35:f6 IEEE 802.11: Client disassociated
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:43272->31.13.72.33:443 on ppp1)
(1221969.130000) Lease for IP 192.168.1.67 renewed by host Unknown-00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). Lease duration: 1440 min
(1221969.130000) Device connected: Hostname: Unknown-00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Link rate: 54.0 Mbps
(1221969.070000) Lease requested
wlan0: STA 00:25:00:b7:35:f6 IEEE 802.11: Client associated
(1220365.290000) Device disconnected: Hostname: Unknown-00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6
wlan0: STA 00:25:00:b7:35:f6 IEEE 802.11: Client disassociated
(1220348.230000) Lease for IP 192.168.1.67 renewed by host Unknown-00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). Lease duration: 1440 min
(1220348.230000) Device connected: Hostname: Unknown-00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Link rate: 54.0 Mbps
(1220348.170000) Lease requested
wlan0: STA 00:25:00:b7:35:f6 IEEE 802.11: Client associated
IN: BLOCK [16] Remote administration (TCP 123.151.42.61:12233->86.182.228.205:8080 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:53813->31.13.72.33:443 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:43989->31.13.72.33:443 on ppp1)
IN: BLOCK [16] Remote administration (ICMP type 8 code 0 2.7.251.109.227->86.182.228.205 on ppp1)
(1216770.650000) Device disconnected: Hostname: Unknown-00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.67:49180->74.125.136.109:993 on ppp1)
wlan0: STA 00:25:00:b7:35:f6 IEEE 802.11: Client disassociated
(1216753.280000) Lease for IP 192.168.1.67 renewed by host Unknown-00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). Lease duration: 1440 min
(1216753.270000) Device connected: Hostname: Unknown-00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Link rate: 54.0 Mbps
(1216753.220000) Lease requested
wlan0: STA 00:25:00:b7:35:f6 IEEE 802.11: Client associated
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:55944->23.21.78.229:443 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:34794->31.13.72.33:443 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:41441->31.13.72.33:443 on ppp1)
(1213176.020000) Device disconnected: Hostname: Unknown-00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6
wlan0: STA 00:25:00:b7:35:f6 IEEE 802.11: Client disassociated
(1213158.410000) Lease for IP 192.168.1.67 renewed by host Unknown-00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). Lease duration: 1440 min
(1213158.400000) Device connected: Hostname: Unknown-00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Link rate: 54.0 Mbps
(1213158.340000) Lease requested
wlan0: STA 00:25:00:b7:35:f6 IEEE 802.11: Client associated
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:59767->176.34.180.243:443 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:56075->31.13.72.33:443 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66 581:1:0->31.13.72.33:443 on ppp1)
BLOCKED 2 more packets (because of Packet invalid in connection)
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:56251->31.13.72.33:443 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:36959->31.13.72.33:443 on ppp1)
BLOCKED 1 more packets (because of Packet invalid in connection)
It could be that the Ipod touch is having problems with both the 2.4GHz and 5GHz frequencies being named the same. If you give them separate SSids it may help. ie add a 5 to the 5GHz SSid.
If you do this you will need to re-connect all your devices that can see both frequencies to both SSids so that they will swap between the frequencies seamlessly when ever they need to
See link how to change SSid.
http://bt.custhelp.com/app/answers/detail/a_id/44504/related/1/session/L2F2LzEvdGltZS8xMzc1OTY2ODIxL...
Once you have changed the SSid I would delete the network connection on the Ipod touch and start again. -
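A way to sort a hub log like the one posted above into its three kinds of entry (Wi-Fi association changes, firewall BLOCK lines, and admin logins) and count them per device or source address, as an added example that is not part of the original thread. In these lines `STA` is the IEEE 802.11 term for a station, i.e. a wireless client; the sample lines are copied from the posted log with wrapped lines joined, and `Get-HubLogEvent` is a hypothetical helper name.

```powershell
# Sample lines copied from the log posted above (wrapped lines joined).
$sample = @(
    '(1224785.050000) Admin login successful by 192.168.1.64 on HTTP'
    '(1224766.610000) Admin login FAILED by 192.168.1.64 on HTTP'
    'wlan0: STA 00:25:00:b7:35:f6 IEEE 802.11: Client associated'
    'wlan0: STA 00:25:00:b7:35:f6 IEEE 802.11: Client disassociated'
    'wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client associated'
    'IN: BLOCK [16] Remote administration (TCP 123.151.42.61:12233->86.182.228.205:8080 on ppp1)'
    'IN: BLOCK [16] Remote administration (ICMP type 8 code 0 117.1.42.94->86.182.228.205 on ppp1)'
    'OUT: BLOCK [9] Packet invalid in connection (TCP 192.168.1.66:34905->31.13.72.38:443 on ppp1)'
)

function Get-HubLogEvent {   # hypothetical helper, not a hub or Windows tool
    param([string[]]$Line)
    # One pattern per entry type seen in the posted log.
    $wifi  = '^(?<iface>wlan\d+): STA (?<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) IEEE 802\.11: ?Client (?<state>associated|disassociated)$'
    $fw    = '^(?<dir>IN|OUT): ?BLOCK \[(?<rule>\d+)\] (?<reason>.+?) \((?<proto>\w+) .*?(?<src>[\d.]+)(?::\d+)?->(?<dst>[\d.]+)(?::\d+)? on (?<wan>\w+)\)$'
    $admin = 'Admin login (?<result>successful|FAILED) by (?<ip>[\d.]+) on (?<svc>\w+)'
    foreach ($l in $Line) {
        if ($l -match $wifi) {
            [pscustomobject]@{ Type = 'WiFi'; Subject = $Matches['mac']; Detail = $Matches['state'] }
        } elseif ($l -match $fw) {
            [pscustomobject]@{
                Type    = "Firewall-$($Matches['dir'])"
                Subject = $Matches['src']
                Detail  = "$($Matches['reason']) -> $($Matches['dst']) ($($Matches['proto']))"
            }
        } elseif ($l -match $admin) {
            [pscustomobject]@{ Type = 'AdminLogin'; Subject = $Matches['ip']; Detail = $Matches['result'] }
        }
    }
}

$events = Get-HubLogEvent -Line $sample

# Count per type, device/source and outcome: repeated associated/disassociated
# pairs for one MAC show a client that keeps dropping off the access point.
$events | Group-Object Type, Subject, Detail |
    Sort-Object Count -Descending | Select-Object Count, Name

# Entries to review first: failed admin logins and inbound blocks from the WAN side.
$events | Where-Object { $_.Detail -eq 'FAILED' -or $_.Type -eq 'Firewall-IN' } |
    Format-Table -AutoSize
```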
I can no longer create an event on iCal by double clicking on a time or date, nor can I double click on an existing event! HELP!
The only way I have to create an event is by using the "+" button, which is very limiting!
I am running the latest version of Mac OS X and all the updates.
Anyone know how I could get a proper use of my iCal ?
Thanks
Hi,
If you list the steps you have taken to fix this it will help.
Have you tried using the File > New Event menu item?
Have you logged the user account out/ restarted the computer?
Have you tried un-syncing any accounts synced to Calendar?
Is there some change made to the computer that may have triggered this?
Best wishes
John M -
Exception write to event log when user not found in active directory
I'm trying to use an exception to write to an event log to show which user did not get imported from my csv file. Any help to write this exception is appreciated. Thanks
Import-CSV $importfile | ForEach-Object {
    $samaccountname = $_.sAMAccountName.ToLower() # samaccountname on csv file
    Try {
        $exists = Get-ADUser -LDAPFilter "(sAMAccountName=$samaccountname)" # Filter user by samaccountname
    }
    Catch {
        write-host "Users did not exist." # user does not exist
    }
}
To your question:
"How can I create a new event log every time without saving to the original event log textfile?"
The answer provided by Mike Laughlin doesn't require you save anything to a text file - so either I'm misunderstanding this follow-up, or you are misunderstanding Mike's post. :)
To answer your other follow up... try:
$goodCount = 0
$badCount = 0
Import-Csv $importFile | ForEach {
    $SamAccountName = $_.SamAccountName
    try {
        $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
        $goodCount++
    } catch {
        Write-EventLog # <-finish this command however you want
        $badCount++
    }
}
write-host "Users imported: $goodCount"
write-host "Users not imported: $badCount"
G. Samuel Hays, MCT, MCSE 2012, MCITP: Enterprise Admin
Blog:gsamuelhays.blogspot.com
twitter:twitter.com/gsamuelhays
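One way to finish the import check so that every CSV row without a matching account produces an event-log entry, as an added example rather than code from either poster. It assumes Windows PowerShell 5.1 with the ActiveDirectory module; the source name `UserImport`, event ID 1001 and the CSV path are placeholders, and `ConvertTo-LdapFilterValue` is a hypothetical helper.

```powershell
Import-Module ActiveDirectory

$importFile = 'C:\Temp\users.csv'   # placeholder path
$source     = 'UserImport'          # placeholder event source name
$eventId    = 1001                  # placeholder event ID

# Register the event source once; this step needs an elevated session.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# Escape the characters that have meaning inside an LDAP filter (RFC 4515),
# so a CSV value such as "*" or "a)(b" cannot change the query.
function ConvertTo-LdapFilterValue {   # hypothetical helper
    param([string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]',
        { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

$found   = 0
$missing = 0
foreach ($row in Import-Csv -Path $importFile) {
    $sam = "$($row.sAMAccountName)".Trim()
    if (-not $sam) { continue }        # skip rows with no account name

    # Get-ADUser -LDAPFilter returns nothing, and throws nothing, when no
    # account matches, so test the result instead of relying on try/catch.
    $filter = '(sAMAccountName={0})' -f (ConvertTo-LdapFilterValue $sam)
    $user   = Get-ADUser -LDAPFilter $filter

    if ($user) {
        $found++
    } else {
        $missing++
        Write-EventLog -LogName Application -Source $source -EventId $eventId `
            -EntryType Warning `
            -Message "User import: no AD account found for sAMAccountName '$sam'."
    }
}

Write-Host "Users found: $found"
Write-Host "Users not found: $missing"
```

The entries can be read back with `Get-EventLog -LogName Application -Source UserImport`.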