Troubleshooting WCS Event log

Dear Sir,
Many error messages have appeared in WCS.
At that time, my customer claims that many subscribers can't use wireless. I am not sure whether it is related to the error messages.
Please see the attached files and help me resolve it.
If you need more information, please tell me.
Thanks
Best Regards

Let's focus on 1 issue at a time ... Find this client (00:12:0e:71:a4:a7) and see why it's having issues with RADIUS. This will clear some log issues.
167 Sat Mar 14 21:20:36 2009 RADIUS server 172.25.200.183:1812 failed to respond to request (ID 8) for client 00:12:0e:71:a4:a7 / user 'unknown'
2) You have a few rogue APs. Identify these as friends or foes and this will remove these from your list.

Similar Messages

  • How can I turn off Event ID 5156 AND 5145 in the Security Event Log?

    Hi,
    I have a high volume web service. Every time there is a connection from the outside, it logs this in my security event log.
    I want to turn this off.
    How can I stop the logging of event id 5156 on the web server and 5145 on the file server?
    Thanks!
    Dane!

    Hi,
    Thanks for posting in Microsoft TechNet forums.
    The problem can be related to Audit settings. Please check the following threads to see if the information can be useful during the troubleshooting:
    auditing file share on windows 2008 R2
    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9e633bad-cda6-4ec4-8f04-c01de57ce767
    Event ID 5156 filling up event logs. Probably due to anti-virus software (SEP 11)
    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/8044fb62-f5ea-45b5-b717-3f6592af77e0
    Regards
    Kevin

  • Event Log stopped working - Error 1747 : The Authentication Service is Unknown

    I recently noticed that my scheduled tasks were no longer running. I tried to bring up the task scheduler and it said the service was not running. I checked the service and sure enough, it was not running. I tried to start it and it failed because the windows event log service, which is a dependency, was also not running. I tried to start the event log service, and it gave the error above in the subject line.
    The event log service uses a log on of "Local Service". There are other services that use the same log on and they start up with no problem. I have searched the internet for a solution to this and have tried several things I found with no luck. One was to run SFC, another was to delete the Windows/Logs and Windows/System32/Logfiles folders so they would be re-created on startup. I also tried subinacl to reset the ACLs on registry branches and the subfolders of %SystemDrive% as recommended in another forum.
    I am running Vista Home Premium and all the latest updates have been applied. Anyone have any further ideas? (short of re-installing Vista).
    Thanks.

    Hi there Robin. I am an IT Technician & felt that I needed to begin communication with you regarding this issue. I recently made a post in this thread detailing my issues & found resolution. I just wanted to share my post with you & hope that the information is useful to others that need to resolve these issues without re-installing their operating systems. Please find my post below:
    Hi all. I am an IT technician & have recently been troubleshooting a customer's Windows Vista Home Premium laptop in a wireless home network.
    In a nutshell the laptop suddenly stopped connecting to the wireless router; upon investigation I found lots of windows services were not starting; this sent me on a bit of a wild goose chase as this showed all signs of some kind of trojan / malware infection hogging the system. Here are some of the things I saw:
    1). Norton 360 wasn't even running correctly & I was unable to view its firewall status.
    2). Windows firewall was disabled & I was unable to start it (service failed error message).
    3). I was unable to view windows event logs & received "Error 1747 : The Authentication Service is Unknown"
    4). Windows Side Bar was all blanked out & not showing any gadgets
    5). I attempted a system restore but that failed (I saw references in system restore that the Bonjour service had been un-installed)
    I did loads of further investigation & found this thread. It would appear that removing, or even trying to remove / un-install the Bonjour service may cause the above mentioned issues in windows Vista. I have not seen this kind of errata in windows XP.
    I have heard of people pulling their hair out & re-installing the operating system possibly due to experiencing these issues.
    Please Read On.... 
    Resolution that worked for me:
    I ran the Winsock corruption fix that is mentioned in previous threads as per microsoft's instructions found at the following URL: http://support.microsoft.com/kb/811259 
    Manual steps to recover from Winsock2 corruption for Windows Vista users
    Winsock corruption can cause connectivity problems. To resolve this issue by using Network Diagnostics in Windows Vista, follow these steps:
    1. Click Start, and then click Network.
    2. Click Network and Sharing Center.
    3. In the Network and Sharing Center box, click Diagnose and Repair.
    Note You may also access the Network and Sharing Center in Control Panel.
    If the Network and Diagnostic tool was unable to find a problem, you can manually repair or reset Winsock.
    Manual steps to repair or to reset Winsock for Windows Vista users
    1. Click Start, type cmd in the Start Search box, right-click cmd.exe, click Run as administrator, and then press Continue.
    2. Type netsh winsock reset at the command prompt, and then press ENTER.
    Note If the command is typed incorrectly, you will receive an error message. Type the command again. When the command is completed successfully, a confirmation appears, followed by a new command prompt. Then, go to step 3.
    3. Type exit, and then press ENTER.
    Hey Presto!!!! After re-booting everything is back online & all necessary windows services & norton 360 are starting as normal.
    Further Information on Bonjour Service:
    http://en.wikipedia.org/wiki/Bonjour_(software)
    As I understand & in my experience the Bonjour service is installed as a sub-applet with certain 3rd party software applications including Apple's iTunes, & Adobe's newest Creative Suite 3 installs Apple’s Bonjour service even if you don’t install Version Cue. Its main goal is to provide zero-configuration connectivity between Version Cue server and the suite’s applications.
    A bit more CSI & I've established how to un-install the Bonjour service; there is a great topic on this subject at the following URL: http://www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/
    Thanks to all for your post & input...it has really helped to get this issue resolved (well for me anyway) & has of course saved a re-install!!!!
    I will keep an eye on this thread...please post your resolutions / experiences to help others.
    Kind regards

  • Error 41 - Kernel Power in event log after clean shutdown - Windows 8.0

    HP Envy H9-1405A - 16MB RAM,  Windows 8.0, and up to date with updates. (16 months old but under extended h/w warranty).  All user data backed-up daily.
    After problems earlier today I noticed that after a controlled shutdown and start from cool (ie on/off button on PC, not mains power at the wall) the startup took over 10 minutes.  Event browser showed error 41 - Kernel Power - "after system crash or lost power unexpectedly",  which it definitely hadn't as I was testing a controlled shutdown.
    When starting from overnight sleep mode this morning it came up with a blue screen and an error message something like 'hard disk driver error', or similar (before first coffee so I wasn't really awake).  PC wouldn't restart in anything like reasonable time until powered off at wall, after which it struggled up and ran normally for a while.  Went out for a couple of hours and on return again the PC wouldn't re-start from sleep mode.  Again used the wall power switch to effect the restart and after a very slow restart it ran normally.  Event log showed Startup Repair ran due to a corrupted registry hive, and reboot used an earlier version.
    Checkdisk ran clean and the HP Support Assistant diags just looped for ever.
    I then tried a system restart, which worked but took a long time, and then a controlled power down and start from cool which also took a long time as described above.  I've temporarily turned off sleep mode so as to keep working.
    Question - do I have a transient software problem which might be fixable with Recovery, or failing hardware that should be covered by warranty, and where might I find some hardware diagnostics to show to the supplier?  Thanks.

    Hello @mikerb,
    I have read your post on how your desktop computer is displaying an error message in regards to a Kernel event log, and I would be happy to assist you in this matter!
    To further diagnose this issue, I recommend following the steps in this document on Windows Kernel event ID 41 error "The system has rebooted without cleanly shutting down first". This should help to resolve the critical error message.
    Just to be on the safe side, I also suggest following this resource on Testing for Hardware Failures (Windows 8); which should help determine if there is a hardware defect with one or multiple hardware components on your computer.
    Please re-post with the results of your troubleshooting, and I look forward to your reply!
    Regards
    MechPilot
    I work on behalf of HP

  • Where are the explanations for the error codes in Envy 120 EWS Event Log

    I have been having trouble with the printer, and following diagnostic recommendations from a separate thread, have looked at the event log.
    I see a series of events, mostly 74899 Printer Event and 74741 Network Information.
    What I DO NOT SEE is any explanation of these events, and whether they are normal or indications of trouble.
    I have also searched online for the Secret Message Decoder but nothing was found with Bing or Google.
    Seriously, what value are the codes without a way to interpret them?
    I am beginning to regret my long-term loyalty to HP products.

  • Continuous "36888 Schannel Errors" in System Event Log when NOT connected to Internet

    We are hoping someone will be able to assist us with this very strange issue, please?
    We are using Windows 8.1 x64 Enterprise with Office 2013 and the latest Symantec Endpoint Protection v12.1.5 installed. They are managed using SCCM2012 in a large AD domain environment.
    When our workstations are NOT connected to the internet (only local intranet) the following errors appear in SYSTEM event log almost continuously (several times a minute).
    Event ID:36888  User: SYSTEM  OpCode:Info  Level:Error  Source:SChannel 
    "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows Schannel error state is 11."
    The process associated with these events is "Local Security Authority Process"
    When an internet connection is enabled for these machines these 36888 errors will suddenly stop!
    An event, Error 36887 "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.", is also occurring on these machines but only occasionally.
    As a result, we suspect there must be a process continuously attempting to connect to an internet service and failing?
    Some of the things we have tried so far;
    - We have disabled all non-essential services (e.g. Windows Store Service) one by one but this didn't fix.
    - We have tried disabling Tile updates on Start 
    - We have tried a bunch of different Group Policy settings to disable different combinations of TLS/SSL in IE config.
    - We have searched the internet forums and tried some suggested fixes but this combination of error state and error code seems unique?
    It doesn't happen on our Windows 7 x64 workstations that have much same apps & configuration.
    Any advice or suggestions would be greatly appreciated !
    Thanks.

    Hi Makes006,
    This Event ID 36888 occurs if a user tries to access a web site using HTTP but specifies an SSL port in the URL.
    We can try a clean boot to troubleshoot whether this issue is caused by a third-party program.
    How to perform a clean boot in Windows
    http://support.microsoft.com/kb/929135
    If there are no sensible impacts on operating the machines, we can try to disable this log by modifying the following registry key value to 0.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
    For more information, please refer to the following link:
    How to enable Schannel event logging in IIS
    http://support.microsoft.com/kb/260729
    Regards,

  • SCOM 2012 R2 Exchange Correlation Service , we receive almost at every day in the Event log Application the Event720

    Hi,
    Since SCOM was upgraded to R2, almost every day we receive Event 720 in the Application event log from the correlation service, source MSExchangeMonitoring Correlation.
    This always arrives around 7:20 AM; some days it is at 7:19, others at 7:21. It is always at approximately the same hour, but we never have any problem during the weekend.
    The description of the event:
    Exceeded maximum time (15 minutes) to wait for completion of all CorrelateBatchTask threads.
    After that the correlation stops working. At the same time, if we try to open the SCOM Console on that server we are unable to open it. We are also not able to open the SCOM PowerShell,
    and from that server we cannot find out which server is the RMS if we run get-SCOMRMSEmulator. (This is the RMS server.)
    When this happens, the only thing we have found is to reboot the server or restart the SCOM service; after the reboot the correlation begins to work.
    We also got many Event 714 Critical and, after this, Event 711 Warning.
    Thanks

    Have a look at: https://social.technet.microsoft.com/Forums/systemcenter/en-US/e75e84d9-0c9e-4d83-b3da-45a143757f85/exchange-2010-monitoring-with-scom-2012-correlation-service-issue
    One user reported an issue with the exchange correlation engine after upgrade and said that:
    I had issues with the correlation engine after upgrading SCOM 2012 to R2.
    The MomBidLdr.dll version changed in the SCOM directories, and needs to be updated in the:
    C:\Program Files\Microsoft\Exchange Server\v14\Bin directory.
    That seemed to stop the errors for me.
    Some troubleshooting steps listed here also:
    https://technet.microsoft.com/en-us/library/ff360495(v=exchg.140).aspx
    Cheers,
    Martin

  • DFSN-Server ID 516 Flooding Event Log

    Good Day,
    Since setting up a Server 2012 server as a DFS root the Administrative Events log is getting flooded with DFSN-Server ID 516 warning events. We have multiple name spaces and we get a message for each every 15 minutes, so for our 6 name spaces that is over 500 messages a day.
    DFSN service has started performing complete refresh of metadata for namespace <DFS-Root>. This task can take time if the namespace has large number of folders and may delay namespace administration operations.
    Although I found one solution on the Russian Technet forum DFSN-Server EventID 516 this disables the entire DFSN-Server Admin log, so if there are any problems with the refresh they will not appear.
    The main cause of the problem appears to be that the 516 Events have a Warning level 3 for something that should be Information level 4. There is no reason for a warning to be issued for what is a regular update process.
    Thanks,
    James

    What bothers me is that those events mention only "started a complete refresh", but they never mention so far completing one ... weird...
    Thank you Microsoft (sarcasm).
    If you look directly at the log, you'll see this message is quickly followed by ID 517 which states it has completed the refresh.  Event 517 is an informational event, so it won't display in the default "Administrative Events" filter.
    My suggestion to Microsoft:  Change the severity on ID 516 to Informational.  I don't believe anyone would consider this routine refresh a warning-level concern!!
    Yes, you are right. Sorry for the super late reply, but I was swamped in company move and server upgrades, new installations, new IP phone system, new IP cams, site-to-site VPN, new faster firewall for new faster Internet link, NAT config changes ... man ... a bit too much for a single person to manage sometimes ...
    Anyways, I didn't see the 517 events in "Custom Views - Administrative Events", that's why I was alerted with a flood of 516 (there is 1 every 12 minutes). Can't understand why MS would drop one informational event (categorized wrongly as warning) and not add the other one stating it was completed right after (because it's still informational only) ... I finally found the following 517's when I went to the tree of Apps and Services Logs - MS - Win - DFSN-Server - Admin ... it's kinda buried down there.
    Very annoying it still is at the end of October, especially when I am troubleshooting non-replication conditions without any errors between two DFS servers (also DC roles installed) running 2012R2. Ended up removing DFS from secondary DC (VM actually) and building a new DFS dedicated VM with fixed sized disks on Hyper-V 2012 R2 server, hoping it resolves the issue when replication would just stop without error creating a huge file count (and content!) mismatch over time... a flood of meaningless events in administrative logs is not helping with troubleshooting ...

  • Connection Timeout Expired in Windows Event Logs

    I just recently installed SharePoint 2013 SP1 on a Windows Server 2008 R2 SP1 server and have been receiving this error message in the Windows Event logs:
    Cannot connect to SQL Server.  <database server name> not found.  Additional error information from SQL Server is included below.
    Connection Timeout Expired.  The timeout period elapsed during the post-login phase.  The connection could have timed out while waiting for server to complete the login process and respond; Or it could have timed out while attempting to create multiple active connections.  The duration spent while attempting to connect to this server was - [Pre-Login] initialization=12; handshake=6; [Login] initialization=0; authentication=0; [Post-Login] complete=14000;
    I have never seen this error message before in my life on any prior installation of SharePoint that I have ever done.  It is only occurring on this one particular installation of SharePoint.  The environment is corporate built, so I have no idea as to how to troubleshoot or determine the root cause of this error message.
    I looked at the value of the database-connection-timeout in stsadm and it gets back a value of 15, however, I am unable to alter the database connection timeout using stsadm since I either get an "Object reference not sent to an instance of an object" error message or "This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database.  To connect this server to the server farm, use the SharePoint Products Configuration Wizard, located on the Start menu in Microsoft SharePoint 2010 Products."
    Please advise. 

    What is the specification of your SQL server? I think it's more a CPU, RAM, I/O issue with the SQL server.
    Under which account are you running the stsadm command?
    Check this one:
    http://stackoverflow.com/questions/21230927/sql-azure-the-timeout-period-elapsed-during-the-post-login-phase
    Maybe you have hit this bug:
    http://connect.microsoft.com/VisualStudio/feedback/details/821803/connection-timeout-expired-the-timeout-period-elapsed-during-the-post-login-phase

  • Forum FAQ: How to troubleshoot DNS Event 5504 error

    Symptom
    A DNS server may frequently record the Event ID 5504 error in the event log:
    Event Type: Warning
    Event Source: DNS
    Event Category: None
    Event ID: 5504
    User: N/A
    Computer: Computer_name
    Description: The DNS server encountered an invalid domain name in a packet from IP_Address .
    The packet is rejected.
    Cause
    Event ID 5504 is logged when a DNS Server receives a packet containing an invalid domain name. There are many possible causes.
    1.      The DNS cache becomes corrupt with invalid domain names.
    2.      The DNS Server receives a spoofed response.
    3.      The DNS response contains domain names with characters other than 0-9, a-z, A-Z, . (Period), and - (Hyphen).
    4.      The DNS Server has been configured with invalid forwarders
    5.      The network the DNS server resides on is busy or not working properly.
    Resolution
    The following are general troubleshooting steps for this issue:
    1. Secure the DNS cache against pollution.
    a)     Open DNS Management snap-in and then open the Properties dialog for the DNS server.
    b)     Click the Advanced tab, check the Secure Cache against Pollution option, and then click OK.
    c)      After enabling this setting, right-click the applicable DNS server and select Clear Cache, then restart the DNS Server service.
    2. Verify that the forwarder list on the DNS server is pointing to recursive DNS servers.  To view the forwarders, please perform the following steps:
    a)     Open DNS Management snap-in and then open the Properties dialog for the DNS server.
    b)     Click the Forwarders tab, you can view the existing forwarders.
    3. Some third party DNS servers may be using records of a type that aren’t supported by Windows DNS servers, such as the DNAME resource record.
    920162     Event 5504 is logged when a Windows Server 2003-based DNS server receives a packet that contains a DNAME resource record
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;920162
    4. Another example where DNS will produce the Event ID 5504 error is when Extended DNS (EDNS) packets are received but the server that is attempting to resolve the EDNS traffic doesn’t support EDNS or have it enabled. An easy workaround is to disable EDNS.
    dnscmd /Config /EnableEDnsProbes 0
    More Information
    Troubleshooting DNS
    http://technet2.microsoft.com/WindowsServer/en/library/de2aa69d-1155-4dc9-a651-e8362f6a81c81033.mspx?mfr=true
    DNS Best Practices
    http://technet2.microsoft.com/WindowsServer/en/library/59d7a747-48dc-42cc-8986-c73db47398a21033.mspx?mfr=true
    Applies to
    Windows Server® 2003 operating system
    Windows Server® 2008 operating system
    Windows Server® 2008 R2 operating system

    I'm not sure whether this is the appropriate place to add this but - a (possible) cause that I have seen which is not mentioned above is a request for an AAAA record (IPv6 address) being responded to with an A record (IPv4 address).
    DNS debug logging (Windows 2008 R2 SP1) captured requests to 192.225.156.200 and the corresponding responses. In each case the response was followed in the debug log by the event “The DNS server encountered an invalid domain name in a packet from 192.225.156.200. The packet will be rejected. The event data contains the DNS packet.”
    The domain name in the response was the same as that in the query, and looks OK.
    The logged query shows an AAAA record (IPv6 address) request and the logged response returned an A record (IPv4 address).
    http://www.rfc-editor.org/rfc/rfc4074.txt “Common Misbehavior Against DNS Queries for IPv6 Addresses” says, under “Expected Behavior”:
       Suppose that an authoritative server has an A RR but has no AAAA RR
       for a host name.  Then, the server should return a response to a
       query for an AAAA RR of the name with the response code (RCODE) being
       0 (indicating no error) and with an empty answer section (see
       Sections 4.3.2 and 6.2.4 of [1]).  Such a response indicates that
       there is at least one RR of a different type than AAAA for the
       queried name, and the stub resolver can then look for A RRs.
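
Two packet-level conditions discussed in this thread, checked offline (an added example, not part of the FAQ or the reply): it parses a raw DNS response, flags names with characters outside the FAQ's list, and flags answers whose record type is neither the queried type nor CNAME, such as the A answer to an AAAA query described in the reply. The packets are constructed test data and all function names are this example's own.

```python
import struct

TYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA", 39: "DNAME"}
# Characters the FAQ above lists as valid in a domain name (dots separate labels).
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")


def read_name(msg, off):
    """Decode a (possibly compressed) name. Returns (name, offset after the name)."""
    labels, after, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if after is None:
                after = off + 2                # parsing resumes after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                      # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1
        if length == 0:
            return ".".join(labels), (after if after is not None else off)
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("latin-1"))
        off += length


def parse_message(msg):
    """Return (rcode, questions, answers); each entry is (name, type)."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("RDATA runs past end of message")
        answers.append((name, rtype))
    return flags & 0x000F, questions, answers


def check_response(msg):
    """List reasons a strict resolver might object to this response."""
    _rcode, questions, answers = parse_message(msg)
    findings = []
    for name in dict.fromkeys(n for n, _ in questions + answers):
        bad = sorted({c for c in name if c != "." and c not in ALLOWED})
        if bad:
            findings.append(f"name {name!r} has characters outside 0-9 a-z A-Z . -: {bad}")
    qtypes = {qtype for _, qtype in questions}
    for name, rtype in answers:
        if rtype not in qtypes and rtype != 5:   # CNAME is a legitimate answer to any type
            asked = "/".join(TYPE_NAMES.get(q, f"TYPE{q}") for q in sorted(qtypes))
            got = TYPE_NAMES.get(rtype, f"TYPE{rtype}")
            findings.append(f"answer for {name!r} is type {got} but the query asked for {asked}")
    return findings


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("latin-1") for l in name.split(".")) + b"\x00"


def build_response(qname, qtype, answers):
    """Constructed test packet: one question; answers point back at the question name."""
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)   # QR=1, RCODE=0
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


# Constructed samples (not captured traffic).
V4 = bytes([192, 0, 2, 10])
MISMATCH = build_response("host.example.com", 28, [(1, V4)])   # AAAA asked, A returned
EXPECTED = build_response("host.example.com", 28, [])          # RFC 4074: RCODE 0, empty answer
BAD_NAME = build_response("bad_name.example.com", 1, [(1, V4)])

if __name__ == "__main__":
    for label, pkt in (("mismatch", MISMATCH), ("expected", EXPECTED), ("bad name", BAD_NAME)):
        print(label, check_response(pkt) or "no findings")
```

Run against the packet bytes recorded with the event, this narrows down which of the listed causes applies before changing forwarders or disabling EDNS.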

  • VSS snapshot of 1.1TB is ending after few hours with timeout. No errors in event log

    Hello,
    Has anyone experienced an issue where making a snapshot (from the GUI or command line) takes a lot of time and then just ends with a timeout?
    I have a scenario on a virtualised Windows Web Server 2008 R2 where backup is being made by Idera Backup Software, but since it relies on VSS snapshots we can skip this point, because making snapshots directly from the Windows command line or drive preferences/GUI ends with a timeout for this single drive after a few hours. The affected system has 3 drives: C - 95GB, D - 1.06TB and E - 120GB. C and E can be backed up correctly and only drive D has problems. The system is updated with the latest drivers, vssadmin for writers returns a list without any errors, and the snapshot for drive D which ends with a timeout is not generating any error in the event log. I wanted to configure VSS trace as instructed on this site:
    http://publib.boulder.ibm.com/infocenter/tsminfo/v6/index.jsp?topic=%2Fcom.ibm.itsm.tshoot.doc%2Ft_pdg_traceprfrm.html
    but I don't see any trace.txt file in the given location. If I remove drive D from the backup process it ends without errors. The system was restarted many times. The only thing which is visible in the Windows Event log (application part) is "The VSS service is shutting down due to idle timeout." about 4 hours after the snapshot-making process starts.
    I've contacted Idera backup about this but they can't help much if the Windows snapshot process is failing. They suggested that something may be wrong with this drive, but since this is a virtualised machine and all of my VMs are stored on a RAID10 disk array connected to my server using fiber connections, I don't think that this is a hardware issue (especially when the other two drives are located on the same LUN on the disk array).
    Any suggestions?
    Regards

    Hi,
    Do you create VMs on Hyper-V or VMware? Based on research, possible causes could be:
    1. File changes in the volume are very large, so the shadow size may be big and the current shadow storage may not be able to hold it. That causes the shadow copy creation failure.
    2. The I/O in D drive is heavy and makes the shadow copy I/O fail.
    3. Server is too busy to handle the request.
    4. The disk is heavily defragment.
    Please refer to the articles to troubleshoot the issue:
    Time-out errors occur in Volume Shadow Copy service writers, and shadow copies are lost during backup and during times when there are high levels of input/output
    http://support.microsoft.com/kb/826936/en-us
    VSS timeouts during backup? What could contribute to that?
    https://blogs.technet.com/b/askpfeplat/archive/2012/09/12/vss-timeouts-during-backup-check-fragmentation.aspx
    Regards,
    Mandy

  • Cannot generate Account Logon Events (Event ID 4624) in Security Event Log on Server 2008 R2 Domain Controller

    I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
    Default Domain Controllers Policy
    Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
    What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        No Auditing
      IPsec Driver                            No Auditing
      Other System Events                     No Auditing
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   No Auditing
      Logoff                                  No Auditing
      Account Lockout                         No Auditing
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     No Auditing
      Authentication Policy Change            No Auditing
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 No Auditing
      Computer Account Management             No Auditing
      Security Group Management               No Auditing
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         No Auditing
      Credential Validation                   Success

    Hi Lawrence,
    After configuring the GPO, did we run the command gpupdate /force to update the policy immediately on the domain controller? Besides, please run the command gpresult /h c:\gpreport.html to check if the audit policy setting was applied successfully.
    Best regards,
    Frank Shen
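One way to compare the auditpol output in the question with what the GPO is meant to deliver, as an added example that is not part of the original thread. It assumes the category-level setting (Audit Account Logon Events = Success) is expected on every subcategory beneath it; the function names are hypothetical and the sample is a shortened excerpt of the output above.

```python
import re

# Constructed sample: a shortened excerpt of the auditpol output quoted above.
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   Success
"""

SETTINGS = ("Success and Failure", "No Auditing", "Success", "Failure")
# A subcategory row is "<name><2+ spaces><setting>"; a category row has no setting.
ROW = re.compile(r"^\s*(?P<sub>\S.*?)\s{2,}(?P<setting>%s)\s*$" % "|".join(SETTINGS))
HEADERS = ("System audit policy", "Category/Subcategory")


def parse_auditpol(text):
    """Return {category: {subcategory: setting}} for `auditpol /get /category:*` text."""
    policy, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(HEADERS):
            continue
        row = ROW.match(line)
        if row and current is not None:
            policy[current][row["sub"]] = row["setting"]
        else:
            current = stripped  # a category heading such as "Account Logon"
            policy[current] = {}
    return policy


def mismatches(policy, category, expected):
    """Subcategories under `category` whose effective setting is not `expected`."""
    return {s: v for s, v in policy.get(category, {}).items() if v != expected}


def enabled(policy):
    """Every (category, subcategory, setting) that actually generates events."""
    return [(c, s, v) for c, subs in policy.items()
            for s, v in subs.items() if v != "No Auditing"]
```

Run against the full output, `mismatches(policy, "Account Logon", "Success")` names the three Account Logon subcategories that still read No Auditing, which is the gap to chase with the gpresult report.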

  • IP NetManager v1.1 Event logs

    Hello,
    We tried unsuccessfully to find a way to clear or delete event logs from the database on IP NetManager v1.1. We succeeded in acknowledging the logs but not in deleting them.
    Thanks in advance
    Regards

    From Reports > System > SNMP Trap log, you can see all of the traps the system has received. A trap is translated to an event only if the device is managed and the trap is supported. Usually, when the system receives active monitor events such as Ping Down or SNMP Down, it stops receiving other events for that device.
    Cleared events that are removed from the event report can be found in the Event History report.
    For further information click this link.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_netmanager/1.1_data/faq/troubleshoot.html#wp54759

  • LYNC 2013 Event Logging Parameters for LYNC server logs

    Hi,
    We have LYNC server 2013 enterprise voice. We have a third-party monitoring server to monitor the event logging.
    Do we have default event logging parameters for LYNC Server logs in LYNC 2013?
    Thanks
    jitender

    There's really just the default level of logging for Lync Server Event Logs. For individual call troubleshooting you might use the debug logger, and for longer term troubleshooting you'd deploy the Lync Monitoring role. The monitoring role, service status, and performance monitor counters are what you really want to be monitoring if you're watching your Enterprise Voice deployment.
    If I understand the question, there isn't a way to turn up the amount of logs generated in the Lync event logs or change parameters around this.
    SWC Unified Communications

  • Meeting place event log interpretation

    Hello guys, I am wondering if somebody could help me with the meaning of certain values that are shown in the meeting place event log.
    I have the following:
    08/13 12:31:17.72  P 8    RN MC s=009 mcpHangupNotification
    08/13 12:31:17.72  P 8    SE CP m=020 HANGUPEVENT Resp 0
    08/13 12:31:17.72  P 8    RQ SM m=01a C   0 REMOVEPORT
    08/13 12:31:17.72         RQ CP m=020 CPGOINGTOCONF
    08/13 12:31:17.72  P 8    SR SM m=01a C   0 REMOVEPORT Resp 0
    08/13 12:31:17.72         SR CP m=020 CPGOINGTOCONF Resp 0
    08/13 12:31:17.72  C 0    RQ CP m=020 CPPLAYFILELIST
    08/13 12:31:17.72  C 0    Play prompt: lang=1, num=575
    08/13 12:31:17.72  C 0    Play prompt: lang=1, num=399
    08/13 12:31:17.72  C 0    Play guest name: confID=263 part=4661
    08/13 12:31:17.72  C 0    SQ MC s=009 mcpPlayFileListRequest
    08/13 12:31:17.72  P 8    RQ CP m=020 CPDISCONNECT
    08/13 12:31:17.72  P 8    SQ MC s=009 mcpDisconnectCallRequest
    08/13 12:31:17.72  C 0    RR MC s=009 mcpPlayFileListResponse Resp 0
    08/13 12:31:17.72  P 8    RR MC s=009 mcpDisconnectCallResponse Resp 0
    08/13 12:31:17.72  P 8    SR CP m=020 CPDISCONNECT Resp 0
    I am almost sure that P8 means port 8, but I do not know what RN, MC, SE, RQ, CP, mcp or C 0 mean.
    Is there a document that shows all? 
    Regards

    Hello,
    This particular eventlog is for the CPMCP module within the Application Server, which only talks to other internal components within the Application Server, so it's not exactly the best eventlog to start out with and is typically only reviewed for complex internal issues, which are typically bugs. Since this is getting involved with the internal workings of MeetingPlace, there is no external documentation for interpreting this.
    If you are going through the logs or an Information Capture of a particular incident, I would suggest first going through the VUI eventlog. Here you can ignore any lines with "State" or "Substate" since those are internal messages, but this will give you a good idea of when a user calls in, which port they are on, the meeting they joined, and when they disconnected.
    For example:
    New call into MeetingPlace:
    08/17 09:54:55.83  P 1       In Call  : DID/DNIS 2085, ANI 3062 ============= (2)
    Outdial from MeetingPlace:
    08/17 09:48:00.14  P 4095    Outdial  : UserID   3 RetCode 3107
              Dest +13076R Trans Dest
    Meeting ID that was entered in:
    08/17 09:55:11.36  P 1       ConfStr  : 640603980
    Leaving conference:
    08/17 10:01:56.29  P 1       Action   : CONF_LEAVECONF
    User disconnecting:
    08/17 10:01:56.27  P 1      Input    : Far end disconnect
    Also if you are familiar with SIP, you can review the SIP messages for specific calls in either the "CCA Sip Log" or "SIP B2BUA log" depending on your deployment. These logs tend to overwrite fairly quickly, so you should gather an Information Capture as soon as an issue occurs.
    The Information Capture is the main set of logs for Cisco Technical Support to review. To collect the Information Capture, login to the web page of the Application Server and go to Services, Logs, and System Information Capture. Select the appropriate start and end times to capture the issue. This will create a zip file for you to save on your computer. This can be unzipped and you can click on the "index.html" file to see the list of log files.
    If you need any further help with these or want further steps on troubleshooting a particular issue, open a TAC case and we will be able to review these logs with you.
    Regards,
    Andrew
    Cisco TAC
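The reading order suggested in the answer above (skip State/Substate, then follow each port from call-in to disconnect), as an added example that is not part of the original reply and is not Cisco tooling. The line layout is inferred from the VUI lines quoted in the answer; the two State/Substate lines and all function names are constructed here.

```python
import re
from collections import defaultdict

# Sample: the VUI lines quoted in the answer, plus two State/Substate lines
# constructed for this example (their exact layout is an assumption).
SAMPLE = """\
08/17 09:48:00.14  P 4095    Outdial  : UserID   3 RetCode 3107
          Dest +13076R Trans Dest
08/17 09:54:55.83  P 1       In Call  : DID/DNIS 2085, ANI 3062 ============= (2)
08/17 09:54:55.90  P 1       State    : 1
08/17 09:54:55.90  P 1       Substate : 0
08/17 09:55:11.36  P 1       ConfStr  : 640603980
08/17 10:01:56.29  P 1       Action   : CONF_LEAVECONF
08/17 10:01:56.27  P 1      Input    : Far end disconnect
"""

LINE = re.compile(r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d\.\d\d)\s+P\s*(?P<port>\d+)\s+"
                  r"(?P<tag>[A-Za-z ]+?)\s*:\s*(?P<detail>.*)$")
CALL = re.compile(r"DID/DNIS (?P<dnis>\S+), ANI (?P<ani>\S+)")

def parse_vui(text):
    """Return {port: [(timestamp, tag, detail), ...]}, each list sorted by time."""
    ports, last = defaultdict(list), None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m is None:  # no timestamp: continuation of the previous kept event
            if last is not None and raw.strip():
                last[2] += " " + raw.strip()
        elif m["tag"].lower() in ("state", "substate"):
            last = None  # internal messaging, skipped as the answer advises
        else:
            last = [m["ts"], m["tag"], m["detail"].strip()]
            ports[int(m["port"])].append(last)
    return {p: sorted(tuple(e) for e in ev) for p, ev in ports.items()}

def summarize(events):
    """Collapse one port's events into the fields the answer points out."""
    out = {"conf_ids": []}
    for ts, tag, detail in events:
        if tag == "In Call" and (c := CALL.search(detail)):
            out.update(call_in=ts, dnis=c["dnis"], ani=c["ani"])
        elif tag == "ConfStr":
            out["conf_ids"].append(detail)
        elif tag == "Action" and detail == "CONF_LEAVECONF":
            out["left_conf"] = ts
        elif tag == "Input" and detail == "Far end disconnect":
            out["disconnected"] = ts
    return out
```

The log carries no year, so the string sort on the timestamp is only valid within one capture that does not cross a year boundary.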
