Worrying items in event log

HI,
I was looking at the GUI section of the Event Log of HH3, and I came across some items which are a bit worrying.
Most of the entries in my event log look like this:
15:40:30,31 Aug. HTTP User admin login from 192.168.1.64 successfully.
15:40:15,31 Aug. HTTP User Basic login from 192.168.1.64 successfully.
The IP I recognise as my own.
But I also noticed these entries too. In particular, the one in bold worries me, as it seems to suggest that someone has been able to log in to my HomeHub.
23:17:16,29 Aug. HTTP authentication Fail from 115.47.18.xxx
17:12:51,26 Aug. HTTP authentication success from 64.186.182.xxx
17:12:51,26 Aug. HTTP authentication Fail from 64.186.182.xxx
17:18:01,23 Aug. HTTP authentication Fail from 124.161.95.xxx
I have a decent password for my HH and a decent password for my wireless.  There's no other evidence of anyone using my wireless.  Can anyone shed some light on this?  I'd be very grateful.

xpsuser wrote:
Thank you for your reply.
I input the other IPs into the website you linked to.  They seem to be from China.  Can anyone shed any light on this?
Probably hackers attempting to access your home hub, the same way as Motive do. It's very unlikely they would succeed as there are a number of measures in place to stop them.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
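As an added example (not from this thread, and not HomeHub code), here is a small triage script that reads entries in the shape quoted above and separates LAN logins from authentication attempts that arrive from public addresses. The log format is assumed from the lines in the post; the sample lines are constructed to match them, with the last octet masked as the poster did.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the entries quoted in the post above. The last
# octet of the public addresses is masked with "xxx" exactly as the poster did.
SAMPLE_LOG = """\
15:40:30,31 Aug. HTTP User admin login from 192.168.1.64 successfully.
15:40:15,31 Aug. HTTP User Basic login from 192.168.1.64 successfully.
23:17:16,29 Aug. HTTP authentication Fail from 115.47.18.xxx
17:12:51,26 Aug. HTTP authentication success from 64.186.182.xxx
17:12:51,26 Aug. HTTP authentication Fail from 64.186.182.xxx
17:18:01,23 Aug. HTTP authentication Fail from 124.161.95.xxx
"""

# Two line shapes appear in the post (format assumed from those lines):
#   "<time>,<date>. HTTP User <name> login from <ip> successfully."
#   "<time>,<date>. HTTP authentication <success|Fail> from <ip>"
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d),(?P<date>\d{1,2} \w+)\.\s+HTTP\s+"
    r"(?:User\s+(?P<user>\S+)\s+login\s+from\s+(?P<ip1>\S+)\s+(?P<res1>\w+)"
    r"|authentication\s+(?P<res2>\w+)\s+from\s+(?P<ip2>\S+))$"
)


@dataclass
class AuthEvent:
    timestamp: str
    user: Optional[str]
    source: str
    success: bool


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one HomeHub-style HTTP login line; None if the line has another shape."""
    m = LINE_RE.match(line.strip().rstrip("."))
    if not m:
        return None
    result = (m.group("res1") or m.group("res2")).lower()
    return AuthEvent(
        timestamp=f"{m.group('date')} {m.group('time')}",
        user=m.group("user"),
        source=m.group("ip1") or m.group("ip2"),
        success=result in ("success", "successfully"),
    )


def is_private_source(addr: str) -> bool:
    """True for RFC 1918, loopback and link-local sources, i.e. the LAN side.

    A masked last octet ("xxx", as in the post) is replaced with 0 before the
    check. Assumption: only the last octet is masked, which is enough because
    every private IPv4 range has a prefix of /16 or shorter."""
    candidate = re.sub(r"x+$", "0", addr)
    try:
        return ipaddress.ip_address(candidate).is_private
    except ValueError:
        return False  # unparseable source: do not treat it as trusted


def triage(log_text: str) -> dict:
    """Split the log into what matters from a defender's view: successful logins
    from outside the LAN (the entry the poster was worried about), failed
    attempts per public source (the background scanning the reply describes),
    and ordinary LAN logins."""
    remote_success, remote_failures, local_logins, unparsed = [], Counter(), [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        elif is_private_source(ev.source):
            local_logins.append(ev)
        elif ev.success:
            remote_success.append(ev)
        else:
            remote_failures[ev.source] += 1
    return {
        "remote_success": remote_success,
        "remote_failures": dict(remote_failures),
        "local_logins": local_logins,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ev in report["remote_success"]:
        print(f"CHECK: successful login from public address {ev.source} at {ev.timestamp}")
    for src, n in sorted(report["remote_failures"].items()):
        print(f"info: {n} failed attempt(s) from {src}")
    print(f"{len(report['local_logins'])} LAN login(s), {len(report['unparsed'])} unparsed line(s)")
```

Failed attempts from public addresses are what the reply calls hackers (or Motive) knocking on the door; a line that lands in `remote_success` is the one to act on, and the conservative response is to confirm that WAN-side administration is disabled on the hub and to change the admin password.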

Similar Messages

  • Lots of Anyconnect Error Message in Windows Event Log

    Hi Community.
    We have lots of AnyConnect error messages in the Windows Event Log. Two examples follow.
    Can anyone tell me why these errors appear and how I can fix them? I already installed the newest AnyConnect on my machine.
    Thanks in advance and Kind Regards Patrick
    Example 1
      <Provider Name="acvpnagent" />
      <EventID Qualifiers="9216">2</EventID>
      <Keywords>0x80000000000000</Keywords>
      <EventRecordID>97564</EventRecordID>
      <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
    - <EventData>
      <Data>Function: CNetEnvironment::logProbeFailure File: .\NetEnvironment.cpp Line: 1432 Invoked Function: CHttpProbeAsync::SendProbe Return Code: -27066354 (0xFE63000E) Description: HTTP_PROBE_ASYNC_ERROR_CANNOT_CONNECT HTTP (host: 109.164.211.237)</Data>
      </EventData>
    Example 2
      <Provider Name="acvpnagent" />
      <EventID Qualifiers="9216">2</EventID>
      <Keywords>0x80000000000000</Keywords>
      <EventRecordID>97565</EventRecordID>
      <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
    - <EventData>
      <Data>Function: CNetEnvironment::TestAccessToSG File: .\NetEnvironment.cpp Line: 1385 Invoked Function: CNetEnvironment::analyzeHttpResponse Return Code: -28966899 (0xFE46000D) Description: NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target</Data>
      </EventData>

    Hi and welcome to Discussions,
    in my personal opinion there is not much for you to worry about.
    The 'Windows Tool for the elimination of malware' is nothing you will miss as long as you have decent anti-virus software running.
    The update for IE 7 might be missing an installed IE 7, which you can fix by downloading it yourself from Microsoft's web page.
    If you don't use IE but something like Firefox, Opera or Safari, then don't bother with these updates.
    Stefan

  • Office 2013 Click-to-Run Event Logs

    Anyone know what the event logs are (Source, Event ID, etc.) for the Office 2013 Click-to-Run version? Specifically, I'm trying to find out when my installation was last updated (automatic updates are enabled). In general it would also be nice to know what all of the different events are that the program will log.
    Shaun

    Hi,
    To view the Office updates log, we can just go to Control Panel > All Control Panel Items > Windows Update and click View update history.
    If you want to know all the event logs related to Microsoft Office, we can use Event Viewer.
    http://windows.microsoft.com/en-in/windows/open-event-viewer#1TC=windows-7
    To find Office-related logs, click Event Viewer > Applications and Services Logs > Microsoft Office Alerts in the Event Viewer window.
    Regards,
    Steve Fan
    Forum Support

  • Seemingly successful install of Exchange 2013 SP1 turns into many errors in event logs after upgrade to CU7

    I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server. 
    I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online). 
    I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me). 
    Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
    Issue 1)
    After each reboot I get a Kernel-EventTracing 2 error.  I cannot find anything on this on the internet so I have no idea what it is.
    Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
    I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
    Issue 2)
    I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
    https://support.microsoft.com/kb/2870416?wa=wsignin1.0
    One of the perf counters fails to register using the script from the link above.
    66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
    New-PerfCounters : The performance counter definition file is invalid.
    At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
    +    New-PerfCounters -DefinitionFileName $f
    +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidData: (:) [New-PerfCounters], TaskException
        + FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
    But that one seems unrelated to the ones that still throw errors. 
    Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
    Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Issue 3)
    I appear to have some issues related to the healthmailboxes. 
    I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
    SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
    I reran setup /prepareAD to try and remedy this but I am still getting some.
    Issue 4)
    I am getting an MSExchange RBAC 74 error. 
    (Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
    Issue 5)
    I am getting MSExchange Assistants 9042 warnings on both databases.
    Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
    Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server. 
    If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
    Issue 6)
    At boot I am getting an MSExchange ActiveSync warning 1033
    The setting SupportedIPMTypes in the Web.Config file was missing. 
    Using default value of System.Collections.Generic.List`1[System.String].
    I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.

    Hi Eric
    Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3rd time.
    I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
    I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”. 
    If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
     So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering. 
    Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users. 
    I then applied an address policy to them and gave it the highest priority. 
    Then I set a default email address policy for the entire organization. 
    After reinstalling Exchange all of my system mailboxes were created with the internal domain name. 
    So issue number 3 above has not come up. 
    For issue number one above I have created a new thread:
    https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
    For issue number four I have posted to this existing thread where there is so far no resolution:
    https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
    Issue number Five I have managed to recreate and get rid of in more than one way. 
    If I create a new database in ECP and set the database and log paths where I want, then this error will appear. 
    If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear. 
    The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service. 
    If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away. 
    So my off hand guess is that these are caused by orphaned system mailboxes.
    For issue number six I have posted to this existing thread where there is so far no resolution:
    https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
    So for the remainder of this thread we can try and tackle issue number two which is the perf counters. 
    The exact same 5 perf counters were coming up, and this has been true each time I have uninstalled and reinstalled Exchange 2013 CU7.
    Actually, to be more accurate, a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five.
    Using all of your suggestions so far has not removed these 5 remaining errors either. Since there is no discernible impact other than these errors at boot I am not seriously bothered by them, but as with all event log errors, I would prefer to make them go away if possible.

  • New Event Log Errors L355-S7902

    These two are recurring daily and showing up in Event Viewer>Windows>Diagnostic Performance>Operational.  I have noticed that shutdown is too long so I have copied the errors.
    Log Name:      Microsoft-Windows-Diagnostics-Performance/Operational
    Source:        Microsoft-Windows-Diagnostics-Performance
    Date:          8/11/2010 7:01:45 AM
    Event ID:      203
    Task Category: Shutdown Performance Monitoring
    Level:         Error
    Keywords:      Event Log
    User:          LOCAL SERVICE
    Computer:      Laptop
    Description:
    This service caused a delay in the system shutdown process:
         File Name        :    RasMan
         Friendly Name        :    Remote Access Connection Manager
         Version        :    6.0.6000.16386 (vista_rtm.061101-2205)
         Total Time        :    16925ms
         Degradation Time    :    16570ms
         Incident Time (UTC)    :    8/10/2010 7:44:55 PM
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Diagnostics-Performance" Guid="{cfc18ec0-96b1-4eba-961b-622caee05b0a}" />
        <EventID>203</EventID>
        <Version>1</Version>
        <Level>2</Level>
        <Task>4007</Task>
        <Opcode>41</Opcode>
        <Keywords>0x8000000000010000</Keywords>
        <TimeCreated SystemTime="2010-08-11T12:01:45.242Z" />
        <EventRecordID>3327</EventRecordID>
        <Correlation ActivityID="{00000000-9B8C-0001-2EDB-D6AD4C39CB01}" />
        <Execution ProcessID="2008" ThreadID="2144" />
        <Channel>Microsoft-Windows-Diagnostics-Performance/Operational</Channel>
        <Computer>Laptop</Computer>
        <Security UserID="S-1-5-19" />
      </System>
      <EventData>
        <Data Name="StartTime">2010-08-10T19:44:55.195Z</Data>
        <Data Name="NameLength">7</Data>
        <Data Name="Name">RasMan</Data>
        <Data Name="FriendlyNameLength">33</Data>
        <Data Name="FriendlyName">Remote Access Connection Manager</Data>
        <Data Name="VersionLength">39</Data>
        <Data Name="Version">6.0.6000.16386 (vista_rtm.061101-2205)</Data>
        <Data Name="TotalTime">16925</Data>
        <Data Name="DegradationTime">16570</Data>
        <Data Name="PathLength">32</Data>
        <Data Name="Path">C:\Windows\System32\rasmans.dll</Data>
        <Data Name="ProductNameLength">37</Data>
        <Data Name="ProductName">Microsoft® Windows® Operating System</Data>
        <Data Name="CompanyNameLength">22</Data>
        <Data Name="CompanyName">Microsoft Corporation</Data>
      </EventData>
    </Event>
    Log Name:      Microsoft-Windows-Diagnostics-Performance/Operational
    Source:        Microsoft-Windows-Diagnostics-Performance
    Date:          8/9/2010 5:06:37 PM
    Event ID:      351
    Task Category: Standby Performance Monitoring
    Level:         Error
    Keywords:      Event Log
    User:          LOCAL SERVICE
    Computer:      Laptop
    Description:
    This driver responded slower than expected to the resume request while servicing this device:
         Driver File Name        :    \Driver\usbehci
         Driver Friendly Name        :    EHCI eUSB Miniport Driver
         Driver Version            :    6.0.6001.18000 (longhorn_rtm.080118-1840)
         Driver Total Time        :    271ms
         Driver Degradation Time    :    95ms
         Incident Time (UTC)        :    8/9/2010 10:11:50 PM
         Device Name            :    PCI\VEN_8086&DEV_293C&SUBSYS_FF661179&REV_03\3&21436425&0&D7
         Device Friendly Name        :    Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293C
         Device Total Time        :    281ms
         Device Degradation Time    :    95ms
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Diagnostics-Performance" Guid="{cfc18ec0-96b1-4eba-961b-622caee05b0a}" />
        <EventID>351</EventID>
        <Version>1</Version>
        <Level>2</Level>
        <Task>4003</Task>
        <Opcode>35</Opcode>
        <Keywords>0x8000000000010000</Keywords>
        <TimeCreated SystemTime="2010-08-09T22:06:37.507Z" />
        <EventRecordID>3311</EventRecordID>
        <Correlation ActivityID="{00000000-06C8-0000-2E38-015FCA37CB01}" />
        <Execution ProcessID="236" ThreadID="996" />
        <Channel>Microsoft-Windows-Diagnostics-Performance/Operational</Channel>
        <Computer>Laptop</Computer>
        <Security UserID="S-1-5-19" />
      </System>
      <EventData>
        <Data Name="StartTime">2010-08-09T22:11:50.769Z</Data>
        <Data Name="NameLength">16</Data>
        <Data Name="Name">\Driver\usbehci</Data>
        <Data Name="FriendlyNameLength">26</Data>
        <Data Name="FriendlyName">EHCI eUSB Miniport Driver</Data>
        <Data Name="VersionLength">42</Data>
        <Data Name="Version">6.0.6001.18000 (longhorn_rtm.080118-1840)</Data>
        <Data Name="TotalTime">271</Data>
        <Data Name="DegradationTime">95</Data>
        <Data Name="PathLength">40</Data>
        <Data Name="Path">C:\Windows\system32\DRIVERS\usbehci.sys</Data>
        <Data Name="ProductNameLength">37</Data>
        <Data Name="ProductName">Microsoft® Windows® Operating System</Data>
        <Data Name="CompanyNameLength">22</Data>
        <Data Name="CompanyName">Microsoft Corporation</Data>
        <Data Name="DeviceNameLength">61</Data>
        <Data Name="DeviceName">PCI\VEN_8086&amp;DEV_293C&amp;SUBSYS_FF661179&amp;REV_03\3&amp;21436425&amp;0&amp;D7</Data>
        <Data Name="DeviceFriendlyNameLength">58</Data>
        <Data Name="DeviceFriendlyName">Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293C</Data>
        <Data Name="DeviceTotalTime">281</Data>
        <Data Name="DeviceDegradationTime">95</Data>
      </EventData>
    </Event>
    Hope I sent the right info this time.
    Donna in AR

    Satellite L355-S7902 
    Donna, I wouldn't worry that Rasman (the Remote Access Connection Manager service) takes 17 seconds to shut down. And certainly the 0.095 seconds taken by the Usbehci.sys driver is inconsequential.
    My Event Viewer is filled with stuff like this. Most users don't know to look here. Best to ignore it.
    Pay more attention to what's in the Application and System logs under Windows Logs.
    Hope I sent the right info this time.
    In the future, leave out the stuff beginning with the line..
       Event Xml:
    -Jerry

  • Script to Export Previous Day's Event Logs to CSV

    HI,
    I am trying to export all the previous day's application event logs to a CSV file. I found the following script on the net. But for this script to work I need to enter the Event IDs I want to export. Does anyone have any idea how I can change this script to export all event IDs, or have another script that can?
    'Description : This script queries the event log for...whatever you want it to! Just set the event log name and event ID's!
    'Initialization  Section
    Option Explicit
    Const ForReading   = 1
    Const ForWriting   = 2
    Const ForAppending = 8
    Dim objDictionary, objFSO, wshShell, wshNetwork
    Dim scriptBaseName, scriptPath, scriptLogPath
    Dim ipAddress, macAddress, item, messageType, message
    On Error Resume Next
       Set objDictionary = NewDictionary
       Set objFSO        = CreateObject("Scripting.FileSystemObject")
       Set wshShell      = CreateObject("Wscript.Shell")
       Set wshNetwork    = CreateObject("Wscript.Network")
       scriptBaseName    = objFSO.GetBaseName(Wscript.ScriptFullName)
       scriptPath        = objFSO.GetFile(Wscript.ScriptFullName).ParentFolder.Path
       scriptLogPath     = scriptPath & "\" & IsoDateString(Now)
       If Err.Number <> 0 Then
          Wscript.Quit
       End If
    On Error Goto 0
    'Main Processing Section
    On Error Resume Next
       PromptScriptStart
       ProcessScript
       If Err.Number <> 0 Then
          MsgBox BuildError("Processing Script"), vbCritical, scriptBaseName
          Wscript.Quit
       End If
       PromptScriptEnd
    On Error Goto 0
    'Functions Processing Section
    'Name       : ProcessScript -> Primary Function that controls all other script processing.
    'Parameters : None          ->
    'Return     : None          ->
    Function ProcessScript
       Dim hostName, logName, startDateTime, endDateTime
       Dim events, eventNumbers, i
       hostName      = wshNetwork.ComputerName
       logName       = "application"
       eventNumbers  = Array("1001","1")
       startDateTime = DateAdd("n", -21600, Now)
       'Query the event log for the eventID's within the specified event log name and date range.
       If Not QueryEventLog(events, hostName, logName, eventNumbers, startDateTime) Then
          Exit Function
       End If
       'Log the scripts results to the scripts
       For i = 0 To UBound(events)
          LogMessage events(i)
       Next
    End Function
    'Name       : QueryEventLog -> Queries the event log on a host for the given event IDs written on or after startDateTime.
    'Parameters : results       -> Input/Output : Variable assigned to an array of results from querying the event log.
    '           : hostName      -> String containing the hostName of the system to query the event log on.
    '           : logName       -> String containing the name of the Event Log to query on the system.
    '           : eventNumbers  -> Array containing the EventID's (eventCode) to search for within the event log.
    '           : startDateTime -> Date\Time of the earliest event to return (events written at or after this time are included).
    'Return     : QueryEventLog -> Returns True if the event log was successfully queried otherwise returns False.
    Function QueryEventLog(results, hostName, logName, eventNumbers, startDateTime)
       Dim wmiDateTime, wmi, query, eventItems, eventItem
       Dim timeWritten, eventDate, eventTime, description
       Dim eventsDict, eventInfo, errorCount, i
       QueryEventLog = False
       errorCount    = 0
       If Not IsArray(eventNumbers) Then
          eventNumbers = Array(eventNumbers)
       End If
       'Construct part of the WMI Query to account for searching multiple eventID's
       query = "Select * from Win32_NTLogEvent Where Logfile = " & SQ(logName) & " And (EventCode = "
       For i = 0 To UBound(eventNumbers)
          query = query & SQ(eventNumbers(i)) & " Or EventCode = "
       Next
       On Error Resume Next
          Set eventsDict = NewDictionary
          If Err.Number <> 0 Then
             LogError "Creating Dictionary Object"
             Exit Function
          End If
          Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & hostName & "\root\cimv2")
          If Err.Number <> 0 Then
             LogError "Creating WMI Object to connect to " & DQ(hostName)
             Exit Function
          End If
          'Create the "SWbemDateTime" Object for converting WMI Date formats. Supported in Windows Server 2003 & Windows XP.
          Set wmiDateTime = CreateObject("WbemScripting.SWbemDateTime")
          If Err.Number <> 0 Then
             LogError "Creating " & DQ("WbemScripting.SWbemDateTime") & " object"
             Exit Function
          End If
          'Build the WQL query and execute it.
          wmiDateTime.SetVarDate startDateTime, True
          query          = Left(query, InStrRev(query, "'")) & ") And (TimeWritten >= " & SQ(wmiDateTime.Value) & ")"
          Set eventItems = wmi.ExecQuery(query)
          If Err.Number <> 0 Then
             LogError "Executing WMI Query " & DQ(query)
             Exit Function
          End If
          'Convert the property values of Each event found to a comma seperated string and add it to the dictionary.
          For Each eventItem In eventItems
             Do
                timeWritten = ""
                eventDate   = ""
                eventTime   = ""
                eventInfo   = ""
                timeWritten = ConvertWMIDateTime(eventItem.TimeWritten)
                eventDate   = FormatDateTime(timeWritten, vbShortDate)
                eventTime   = FormatDateTime(timeWritten, vbLongTime)
                 eventInfo   = eventDate                          & ","
                eventInfo   = eventInfo & eventTime              & ","
                eventInfo   = eventInfo & eventItem.SourceName   & ","
                eventInfo   = eventInfo & eventItem.Type         & ","
                eventInfo   = eventInfo & eventItem.Category     & ","
                eventInfo   = eventInfo & eventItem.EventCode    & ","
                eventInfo   = eventInfo & eventItem.User         & ","
                eventInfo   = eventInfo & eventItem.ComputerName & ","
                description = eventItem.Message
                'Ensure the event description is not blank.
                If IsNull(description) Then
                   description = "The event description cannot be found."
                End If
                description = Replace(description, vbCrLf, " ")
                eventInfo   = eventInfo & description
                'Check if any errors occurred enumerating the event Information
                If Err.Number <> 0 Then
                   LogError "Enumerating Event Properties from the " & DQ(logName) & " event log on " & DQ(hostName)
                   errorCount = errorCount + 1
                   Err.Clear
                   Exit Do
                End If
                'Remove all Tabs and spaces.
                eventInfo = Trim(Replace(eventInfo, vbTab, " "))
                Do While InStr(1, eventInfo, "  ", vbTextCompare) <> 0
                   eventInfo = Replace(eventInfo, "  ", " ")
                Loop
                'Add the Event Information to the Dictionary object if it doesn't exist.
                If Not eventsDict.Exists(eventInfo) Then
                   eventsDict(eventsDict.Count) = eventInfo
                End If
             Loop Until True
          Next
       On Error Goto 0
       If errorCount <> 0 Then
          Exit Function
       End If
       results       = eventsDict.Items
       QueryEventLog = True
    End Function
    'Name       : ConvertWMIDateTime -> Converts a WMI Date Time String into a String that can be formatted as a valid Date Time.
    'Parameters : wmiDateTimeString  -> String containing a WMI Date Time String.
    'Return     : ConvertWMIDateTime -> Returns a valid Date Time String otherwise returns a Blank String.
    Function ConvertWMIDateTime(wmiDateTimeString)
       Dim integerValues, i
       'Ensure the wmiDateTimeString contains a "+" or "-" character. If it doesn't it is not a valid WMI date time so exit.
       If InStr(1, wmiDateTimeString, "+", vbTextCompare) = 0 And _
          InStr(1, wmiDateTimeString, "-", vbTextCompare) = 0 Then
          ConvertWMIDateTime = ""
          Exit Function
       End If
       'Replace any "." or "+" or "-" characters in the wmiDateTimeString and check each character is a valid integer.
       integerValues = Replace(Replace(Replace(wmiDateTimeString, ".", ""), "+", ""), "-", "")
       For i = 1 To Len(integerValues)
          If Not IsNumeric(Mid(integerValues, i, 1)) Then
             ConvertWMIDateTime = ""
             Exit Function
          End If
       Next
       'Convert the WMI Date Time string to a String that can be formatted as a valid Date Time value.
       ConvertWMIDateTime = CDate(Mid(wmiDateTimeString, 5, 2)  & "/" & _
                                  Mid(wmiDateTimeString, 7, 2)  & "/" & _
                                  Left(wmiDateTimeString, 4)    & " " & _
                                  Mid(wmiDateTimeString, 9, 2)  & ":" & _
                                  Mid(wmiDateTimeString, 11, 2) & ":" & _
                                  Mid(wmiDateTimeString, 13, 2))
    End Function
    'Name       : NewDictionary -> Creates a new dictionary object.
    'Parameters : None          ->
    'Return     : NewDictionary -> Returns a dictionary object.
    Function NewDictionary
       Dim dict
       Set dict          = CreateObject("scripting.Dictionary")
       dict.CompareMode  = vbTextCompare
       Set NewDictionary = dict
    End Function
    'Name       : SQ          -> Places single quotes around a string
    'Parameters : stringValue -> String containing the value to place single quotes around
    'Return     : SQ          -> Returns a single quoted string
    Function SQ(ByVal stringValue)
       If VarType(stringValue) = vbString Then
          SQ = "'" & stringValue & "'"
       End If
    End Function
    'Name       : DQ          -> Place double quotes around a string and replace double quotes
    '           :             -> within the string with pairs of double quotes.
    'Parameters : stringValue -> String value to be double quoted
    'Return     : DQ          -> Double quoted string.
    Function DQ (ByVal stringValue)
       If stringValue <> "" Then
          DQ = """" & Replace (stringValue, """", """""") & """"
       Else
          DQ = """"""
       End If
    End Function
    'Name       : IsoDateTimeString -> Generate an ISO date and time string from a date/time value.
    'Parameters : dateValue         -> Input date/time value.
    'Return     : IsoDateTimeString -> Date and time parts of the input value in "yyyy-mm-dd hh:mm:ss" format.
    Function IsoDateTimeString(dateValue)
       IsoDateTimeString = IsoDateString (dateValue) & " " & IsoTimeString (dateValue)
    End Function
    'Name       : IsoDateString -> Generate an ISO date string from a date/time value.
    'Parameters : dateValue     -> Input date/time value.
    'Return     : IsoDateString -> Date part of the input value in "yyyy-mm-dd" format.
    Function IsoDateString(dateValue)
       If IsDate(dateValue) Then
          IsoDateString = Right ("000" &  Year (dateValue), 4) & "-" & _
                          Right (  "0" & Month (dateValue), 2) & "-" & _
                          Right (  "0" &   Day (dateValue), 2)
       Else
          IsoDateString = "0000-00-00"
       End If
    End Function
    'Name       : IsoTimeString -> Generate an ISO time string from a date/time value.
    'Parameters : dateValue     -> Input date/time value.
    'Return     : IsoTimeString -> Time part of the input value in "hh:mm:ss" format.
    Function IsoTimeString(dateValue)
       If IsDate(dateValue) Then
          IsoTimeString = Right ("0" &   Hour (dateValue), 2) & ":" & _
                          Right ("0" & Minute (dateValue), 2) & ":" & _
                          Right ("0" & Second (dateValue), 2)
       Else
          IsoTimeString = "00:00:00"
       End If
    End Function
    'Name       : LogMessage -> Writes a message to the script's log file (scriptLogPath & ".csv").
    'Parameters : message    -> String containing the message to include in the log entry.
    '           :            -> (The log path comes from the script-level scriptLogPath variable.)
    'Return     : None       ->
    Function LogMessage(message)
       If Not LogToCentralFile(scriptLogPath & ".csv", IsoDateTimeString(Now) & "," & message) Then
          Exit Function
       End If
    End Function
    'Name       : LogError -> Writes an error message to the script's error log file (scriptLogPath & ".err").
    'Parameters : message  -> String containing a description of the event that caused the error to occur.
    '           :          -> (The log path comes from the script-level scriptLogPath variable.)
    'Return     : None     ->
    Function LogError(message)
       If Not LogToCentralFile(scriptLogPath & ".err", IsoDateTimeString(Now) & "," & BuildError(message)) Then
          Exit Function
       End If
    End Function
    'Name      : BuildError -> Builds a string of information relating to the Err object.
    'Parameters: message    -> String containing the message that relates to the process that caused the error.
    'Return    : BuildError -> Returns a string describing the error object.
    Function BuildError(message)
       BuildError = "Error " & Err.Number & " (Hex " & Hex(Err.Number) & ") " & message & ". " & Err.Description
    End Function
    'Name       : LogToCentralFile -> Attempts to append information to a central file.
    'Parameters : logSpec          -> Folder path, file name and extension of the central log file to append to.
    '           : message          -> String to include in the central log file.
    'Return     : LogToCentralFile -> Returns True if successful, otherwise False.
    Function LogToCentralFile(logSpec, message)
       Dim attempts, objLogFile
       LogToCentralFile = False
       'Attempt to append to the central log file up to 10 times, as it may be locked by some other system.
       attempts = 0
       Do
          On Error Resume Next
             Set objLogFile = objFSO.OpenTextFile(logSpec, ForAppending, True)
             If Err.Number = 0 Then
                objLogFile.WriteLine message
                objLogFile.Close
                LogToCentralFile = True
                Exit Function
             End If
          On Error Goto 0
          Randomize
          Wscript.sleep 1000 + Rnd * 100
          attempts = attempts + 1
       Loop Until attempts >= 10
    End Function
    'Name       : PromptScriptStart -> Prompt when script starts.
    'Parameters : None
    'Return     : None
    Function PromptScriptStart
       MsgBox "Now processing the " & DQ(Wscript.ScriptName) & " script.", vbInformation, scriptBaseName
    End Function
    'Name       : PromptScriptEnd -> Prompt when script has completed.
    'Parameters : None
    'Return     : None
    Function PromptScriptEnd
       MsgBox "The " & DQ(Wscript.ScriptName) & " script has completed successfully.", vbInformation, scriptBaseName
    End Function
    Thanks

    Here is a script that will copy the previous day's events and save them to "C:\". The file name will be yesterday's date, e.g. "04-18-2010-Events.csv".
    Const strComputer = "."
    Dim objFSO, objWMIService, colEvents, objEvent, outFile
    Dim dtmStartDate, dtmEndDate, DateToCheck, fileDate
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
    Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
    'Change the date separator from "/" to "-" so it can be used in the file name
    fileDate = Replace(Date - 1, "/", "-")
    Set outFile = objFSO.CreateTextFile("C:\" & fileDate & "-Events.csv", True)
    'Query window: from midnight yesterday up to (but not including) midnight today
    DateToCheck = Date - 1
    dtmEndDate.SetVarDate Date, True
    dtmStartDate.SetVarDate DateToCheck, True
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
        & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
    For Each objEvent In colEvents
        outFile.WriteLine String(100, "-")
        outFile.WriteLine "Category = " & objEvent.Category
        outFile.WriteLine "ComputerName = " & objEvent.ComputerName
        outFile.WriteLine "EventCode = " & objEvent.EventCode
        outFile.WriteLine "Message = " & objEvent.Message
        outFile.WriteLine "RecordNumber = " & objEvent.RecordNumber
        outFile.WriteLine "SourceName = " & objEvent.SourceName
        outFile.WriteLine "TimeWritten = " & objEvent.TimeWritten
        outFile.WriteLine "Type = " & objEvent.Type
        outFile.WriteLine "User = " & objEvent.User
        outFile.WriteLine String(100, "-")
    Next
    outFile.Close
    MsgBox "Finished!"
    v/r LikeToCode....Mark the best replies as answers.
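Both scripts above work with WMI's CIM_DATETIME strings (the ConvertWMIDateTime function reads only the first 14 characters, dropping the UTC offset; the second script lets SWbemDateTime build the TimeWritten bounds). As an added example that is not from either post, here is the same conversion in Python with the offset kept, plus a builder for the same "previous day" WQL window; the sample value is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# CIM_DATETIME layout used by WMI (e.g. Win32_NTLogEvent.TimeWritten):
#   yyyymmddHHMMSS.mmmmmm+UUU   where UUU is the offset from UTC in minutes
CIM_DATETIME_RE = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})(?P<mi>\d{2})(?P<s>\d{2})"
    r"\.(?P<us>\d{6})(?P<sign>[+-])(?P<off>\d{3})$"
)


def wmi_to_datetime(value: str) -> datetime:
    """Convert a CIM_DATETIME string to a timezone-aware datetime, keeping the UTC offset."""
    m = CIM_DATETIME_RE.match(value)
    if not m:
        raise ValueError(f"not a CIM_DATETIME value: {value!r}")
    offset_minutes = int(m["off"]) * (1 if m["sign"] == "+" else -1)
    tz = timezone(timedelta(minutes=offset_minutes))
    return datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                    int(m["h"]), int(m["mi"]), int(m["s"]), int(m["us"]), tzinfo=tz)


def datetime_to_wmi(dt: datetime) -> str:
    """Inverse of wmi_to_datetime; the datetime must be timezone-aware."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("an aware datetime is required to emit the UTC offset field")
    offset_minutes = int(dt.utcoffset().total_seconds() // 60)
    sign = "+" if offset_minutes >= 0 else "-"
    return dt.strftime("%Y%m%d%H%M%S") + f".{dt.microsecond:06d}{sign}{abs(offset_minutes):03d}"


def previous_day_query(today: datetime) -> str:
    """WQL selecting every event written on the calendar day before `today` (aware datetime):
    the same window the VBScript above builds with SWbemDateTime.SetVarDate."""
    start = (today - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    end = start + timedelta(days=1)
    return ("Select * from Win32_NTLogEvent Where TimeWritten >= '" + datetime_to_wmi(start)
            + "' and TimeWritten < '" + datetime_to_wmi(end) + "'")


if __name__ == "__main__":
    # Constructed sample value: 18 Apr 2010, 15:30:45, one hour ahead of UTC
    sample = "20100418153045.123456+060"
    dt = wmi_to_datetime(sample)
    print(dt.isoformat(), "=", dt.astimezone(timezone.utc).isoformat(), "UTC")
    print(previous_day_query(dt + timedelta(days=1)))
```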

  • Audit/Log GPO changes and Logging of new addition of Domain Controllers in the Event Log

    Hi all, 
    We are trying to log the following items in the event log for Windows 2012. This applies to a domain controller.
    1) Audit any changes made to the Group Policy
    2) Log the addition of new domain controllers added to the system.
    We need the Windows event log to record the above events for security purposes. Can anyone advise if this is doable? If yes, what are the steps?
    Thank you

    Hi,
    >>1) Audit any changes made to the Group Policy
    We can enable audit for directory service object access and configure specific SACL for group policy files to do this.
    For a step-by-step guide to auditing Group Policy changes, the following two blogs can be referred to for more information.
    Monitoring Group Policy Changes with Windows Auditing
    http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx
    Auditing Group Policy changes
    http://blogs.msdn.com/b/canberrapfe/archive/2012/05/02/auditing-group-policy-changes.aspx
    >>2) Log the addition of new domain controllers added to the system.
    Based on my knowledge, when a server is successfully promoted to be domain controller, event ID 29223 will be logged in the System log.
    Regarding this point, the following thread can be referred to for more information.
    Is an Event ID for a completed Domain Controller promotion logged on the PDC?
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/11b18816-7db0-49e2-9a65-3de0e7a9645e/is-an-event-id-for-a-completed-domain-controller-promotion-logged-on-the-pdc?forum=winserverDS
    Best regards,
    Frank Shen

  • Large number of event Log entries: connection open...

    Hi,
    I am seeing a large number of entries in the event log of the type:
    21:49:17, 11 Mar.
    IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [81.154.101.160:51163] CLOSED/TIME_WAIT ppp0 NAPT)
    21:49:15, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.78:14312 <-->86.128.58.172:14312 [81.154.101.160:41820] ppp0 NAPT)
    Are these anything I should be concerned about? I have tried a couple of forum and Google searches, but I don't quite know where to start beyond pasting the first bit of the message. I haven't found anything obvious from those searches.
    DHCP table lists 192.168.1.78 as the desktop PC on which I'm writing this.
    Please could you point me in the direction of any resources that will help me to work out if I should be worried about this?
    A slightly longer extract is shown below:
    21:49:17, 11 Mar.
    IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [81.154.101.160:51163] CLOSED/TIME_WAIT ppp0 NAPT)
    21:49:15, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.78:14312 <-->86.128.58.172:14312 [81.154.101.160:41820] ppp0 NAPT)
    21:49:15, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [81.154.101.160:51163] CLOSED/SYN_SENT ppp0 NAPT)
    21:49:11, 11 Mar.
    IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [213.205.231.156:51027] TIME_WAIT/CLOSED ppp0 NAPT)
    21:49:03, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [178.190.63.75:55535] CLOSED/SYN_SENT ppp0 NAPT)
    21:49:00, 11 Mar.
    IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [2.96.4.85:23939] TIME_WAIT/CLOSED ppp0 NAPT)
    21:48:59, 11 Mar.
    IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [78.144.143.222:21617] CLOSED/TIME_WAIT ppp0 NAPT)
    21:48:58, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.78:14312 <-->86.128.58.172:14312 [41.218.222.34:28188] ppp0 NAPT)
    21:48:57, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [41.218.222.34:28288] CLOSED/SYN_SENT ppp0 NAPT)
    21:48:57, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.78:14312 <-->86.128.58.172:14312 [86.132.123.255:18048] ppp0 NAPT)
    21:48:57, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [86.132.123.255:54199] CLOSED/SYN_SENT ppp0 NAPT)
    21:48:55, 11 Mar.
    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.78:14312 <-->86.128.58.172:14312 [86.144.91.49:60704] ppp0 NAPT)
    21:48:55, 11 Mar.
    IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [80.3.100.12:50875] TIME_WAIT/CLOSED ppp0 NAPT)
    21:48:45, 11 Mar.
    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.78:14312 <-->86.128.58.172:14312 [78.150.251.216:57656] ppp0 NAPT)
    21:48:39, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [78.150.251.216:56975] CLOSED/SYN_SENT ppp0 NAPT)
    21:48:29, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [79.99.145.46:8368] CLOSED/SYN_SENT ppp0 NAPT)
    21:48:27, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.78:14312 <-->86.128.58.172:14312 [90.192.249.173:45250] ppp0 NAPT)
    21:48:16, 11 Mar.
    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.78:14312 <-->86.128.58.172:14312 [212.17.96.246:62447] ppp0 NAPT)
    21:48:10, 11 Mar.
    IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [82.16.198.117:49942] TIME_WAIT/CLOSED ppp0 NAPT)
    21:48:08, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [213.205.231.156:51027] CLOSED/SYN_SENT ppp0 NAPT)
    21:48:04, 11 Mar.
    IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [89.153.251.9:53729] TIME_WAIT/CLOSED ppp0 NAPT)
    21:47:54, 11 Mar.
    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.78:14312 <-->86.128.58.172:14312 [80.3.100.12:37150] ppp0 NAPT)
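As an added triage aid that is not part of the post, here is a small Python parser for the Home Hub log format quoted above. It pairs each message with its timestamp line, recognises the "Connection opened/closed (Port Forwarding ...)" and "BLOCK" entries, and summarises per forwarded LAN port how many distinct remote addresses reached it and what inbound traffic the hub dropped; the sample lines are constructed from the extract above.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Home Hub's format: a timestamp line followed by the
# message line. The port-forwarding lines are copied from the extract above; the
# BLOCK lines use the layout the hub writes for dropped packets.
SAMPLE_LOG = """\
21:49:17, 11 Mar.
IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [81.154.101.160:51163] CLOSED/TIME_WAIT ppp0 NAPT)
21:49:15, 11 Mar.
IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.78:14312 <-->86.128.58.172:14312 [81.154.101.160:41820] ppp0 NAPT)
21:49:15, 11 Mar.
IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.78:14312 <-->86.128.58.172:14312 [81.154.101.160:51163] CLOSED/SYN_SENT ppp0 NAPT)
21:48:58, 11 Mar.
IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.78:14312 <-->86.128.58.172:14312 [41.218.222.34:28188] ppp0 NAPT)
19:33:29, 12 Mar.
IN: BLOCK [15] Default policy (UDP 111.252.36.217:26328->86.164.178.188:12708 on ppp0)
19:33:05, 12 Mar.
BLOCKED 106 more packets (because of Default policy)
"""

TIMESTAMP_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d), (?P<date>\d{1,2} \w{3})\.$")

# IN: ACCEPT [54] Connection opened (Port Forwarding: TCP lan:port <-->wan:port [remote:port] [tcp-state] iface NAPT)
FORWARD_RE = re.compile(
    r"^(?P<dir>IN|OUT): ACCEPT \[(?P<rule>\d+)\] Connection (?P<state>opened|closed) "
    r"\(Port Forwarding: (?P<proto>TCP|UDP) (?P<lan_ip>[\d.]+):(?P<lan_port>\d+) "
    r"<-->(?P<wan_ip>[\d.]+):(?P<wan_port>\d+) \[(?P<remote_ip>[\d.]+):(?P<remote_port>\d+)\]"
    r"(?: (?P<tcp_state>[A-Z_/]+))? (?P<iface>\w+) NAPT\)$"
)

# IN: BLOCK [15] Default policy (UDP src:port->dst:port on ppp0), including the
# "OUT: BLOCK [15] Default policy (First packet ... is not a SYN packet: TCP ...)" form
BLOCK_RE = re.compile(
    r"^(?P<dir>IN|OUT): BLOCK \[(?P<rule>\d+)\] (?P<reason>[^(]+?) "
    r"\((?:(?P<detail>[^:()]+): )?(?P<proto>TCP|UDP|IGMP) "
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))?->(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))? "
    r"on (?P<iface>\w+)\)$"
)


@dataclass
class Event:
    time: str
    date: str
    kind: str                                   # "forward", "block" or "other"
    fields: Dict[str, Optional[str]] = field(default_factory=dict)
    raw: str = ""


def parse_log(text: str) -> List[Event]:
    """Pair each message line with the timestamp line that precedes it."""
    events: List[Event] = []
    time = date = ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts = TIMESTAMP_RE.match(line)
        if ts:
            time, date = ts["time"], ts["date"]
            continue
        for kind, rx in (("forward", FORWARD_RE), ("block", BLOCK_RE)):
            m = rx.match(line)
            if m:
                events.append(Event(time, date, kind, m.groupdict(), line))
                break
        else:
            events.append(Event(time, date, "other", {}, line))
    return events


def summarize(text: str) -> dict:
    """Per forwarded LAN socket: distinct remote addresses and open/close counts;
    plus inbound drops by destination port and any lines the parser did not recognise."""
    forwarded: Dict[Tuple[str, str, int], dict] = {}
    blocked_in: Counter = Counter()
    other: List[str] = []
    for ev in parse_log(text):
        f = ev.fields
        if ev.kind == "forward":
            key = (f["proto"], f["lan_ip"], int(f["lan_port"]))
            entry = forwarded.setdefault(key, {"remote_ips": set(), "opened": 0, "closed": 0})
            entry["remote_ips"].add(f["remote_ip"])
            entry[f["state"]] += 1
        elif ev.kind == "block" and f["dir"] == "IN":
            blocked_in[(f["proto"], int(f["dst_port"]) if f["dst_port"] else 0)] += 1
        elif ev.kind == "other":
            other.append(ev.raw)
    for entry in forwarded.values():
        entry["remote_ips"] = sorted(entry["remote_ips"])
    return {"forwarded": forwarded, "blocked_in": blocked_in, "other": other}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (proto, ip, port), entry in sorted(s["forwarded"].items()):
        print(f"{proto} {ip}:{port} opened={entry['opened']} closed={entry['closed']} "
              f"distinct remote peers={len(entry['remote_ips'])}")
    for (proto, port), n in sorted(s["blocked_in"].items()):
        print(f"inbound {proto} to port {port} dropped {n}x")
    print("unparsed:", s["other"])
```

Run against a longer extract, the distinct-peer count per forwarded port is the figure to look at: a forwarding rule is what admits those addresses, so the question becomes whether that rule is still wanted.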

    Hi,
    Thank you for the response. I think, but can't remember for sure, that UPnP was already switched off when I captured that log. Anyway, even if it wasn't, it is now. So I will see what gets captured in my logs.
    I've just had to restart my Home Hub because of other connection issues and I notice that the first few entries are also odd:
    19:35:16, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49250->173.194.78.125:5222 on ppp0)
    19:34:45, 12 Mar.
    OUT: BLOCK [15] Default policy (First packet in connection is not a SYN packet: TCP 192.168.1.78:49266->173.194.34.101:443 on ppp0)
    19:34:31, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49250->173.194.78.125:5222 on ppp0)
    19:34:31, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49266->173.194.34.101:443 on ppp0)
    19:34:04, 12 Mar.
    OUT: BLOCK [15] Default policy (First packet in connection is not a SYN packet: TCP 192.168.1.78:49462->199.59.149.232:443 on ppp0)
    19:33:46, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49250->173.194.78.125:5222 on ppp0)
    19:33:46, 12 Mar.
    IN: BLOCK [12] Spoofing protection (IGMP 86.164.178.188->224.0.0.22 on ppp0)
    19:33:45, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49266->173.194.34.101:443 on ppp0)
    19:33:39, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49462->199.59.149.232:443 on ppp0)
    19:33:33, 12 Mar.
    OUT: BLOCK [15] Default policy (First packet in connection is not a SYN packet: TCP 192.168.1.78:49463->199.59.149.232:443 on ppp0)
    19:33:29, 12 Mar.
    IN: BLOCK [15] Default policy (UDP 111.252.36.217:26328->86.164.178.188:12708 on ppp0)
    19:33:16, 12 Mar.
    IN: BLOCK [15] Default policy (TCP 193.113.4.153:80->86.164.178.188:49572 on ppp0)
    19:33:14, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49266->173.194.34.101:443 on ppp0)
    19:33:14, 12 Mar.
    IN: BLOCK [15] Default policy (TCP 66.193.112.93:443->86.164.178.188:44266 on ppp0)
    19:33:14, 12 Mar.
    ( 164.240000) CWMP: session completed successfully
    19:33:13, 12 Mar.
    ( 163.700000) CWMP: HTTP authentication success from https://pbthdm.bt.mo
    19:33:05, 12 Mar.
    BLOCKED 106 more packets (because of Default policy)
    19:33:05, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49462->199.59.149.232:443 on ppp0)
    19:33:05, 12 Mar.
    IN: BLOCK [15] Default policy (TCP 213.1.72.209:80->86.164.178.188:49547 on ppp0)
    19:33:05, 12 Mar.
    BLOCKED 94 more packets (because of Default policy)
    19:33:05, 12 Mar.
    OUT: BLOCK [15] Default policy (First packet in connection is not a SYN packet: TCP 192.168.1.78:49330->173.194.67.94:443 on ppp0)
    19:33:05, 12 Mar.
    IN: BLOCK [15] Default policy (TCP 199.59.148.87:443->86.164.178.188:49531 on ppp0)
    19:33:05, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49250->173.194.78.125:5222 on ppp0)
    19:33:04, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49266->173.194.34.101:443 on ppp0)
    19:33:04, 12 Mar.
    ( 155.110000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
    19:33:04, 12 Mar.
    ( 155.090000) CWMP: Session start now. Event code(s): '1 BOOT,4 VALUE CHANGE'
    19:32:59, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49266->173.194.34.101:443 on ppp0)
    19:32:54, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49462->199.59.149.232:443 on ppp0)
    19:32:53, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49330->173.194.67.94:443 on ppp0)
    19:32:52, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49463->199.59.149.232:443 on ppp0)
    19:32:51, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49266->173.194.34.101:443 on ppp0)
    19:32:48, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49330->173.194.67.94:443 on ppp0)
    19:32:47, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49266->173.194.34.101:443 on ppp0)
    19:32:46, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49330->173.194.67.94:443 on ppp0)
    19:32:46, 12 Mar.
    BLOCKED 4 more packets (because of First packet is Invalid)
    19:32:45, 12 Mar.
    OUT: BLOCK [15] Default policy (First packet in connection is not a SYN packet: TCP 192.168.1.78:49461->199.59.149.232:443 on ppp0)
    19:32:44, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49330->173.194.67.94:443 on ppp0)
    19:32:44, 12 Mar.
    BLOCKED 1 more packets (because of First packet is Invalid)
    19:32:43, 12 Mar.
    OUT: BLOCK [15] Default policy (First packet in connection is not a SYN packet: TCP 192.168.1.78:49398->193.113.4.153:80 on ppp0)
    19:32:42, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49330->173.194.67.94:443 on ppp0)
    19:32:42, 12 Mar.
    BLOCKED 3 more packets (because of First packet is Invalid)
    19:32:42, 12 Mar.
    OUT: BLOCK [15] Default policy (First packet in connection is not a SYN packet: TCP 192.168.1.78:49277->119.254.30.32:443 on ppp0)
    19:32:41, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49330->173.194.67.94:443 on ppp0)
    19:32:41, 12 Mar.
    BLOCKED 1 more packets (because of First packet is Invalid)
    19:32:41, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49330->173.194.67.94:443 on ppp0)
    19:32:38, 12 Mar.
    OUT: BLOCK [15] Default policy (First packet in connection is not a SYN packet: TCP 192.168.1.78:49280->119.254.30.32:443 on ppp0)
    19:32:36, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49330->173.194.67.94:443 on ppp0)
    19:32:34, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49463->199.59.149.232:443 on ppp0)
    19:32:30, 12 Mar.
    IN: BLOCK [15] Default policy (TCP 66.193.112.93:443->86.164.178.188:47022 on ppp0)
    19:32:30, 12 Mar.
    ( 120.790000) CWMP: session closed due to error: WGET TLS error
    19:32:30, 12 Mar.
    ( 120.140000) NTP synchronization success!
    19:32:30, 12 Mar.
    BLOCKED 1 more packets (because of Default policy)
    19:32:29, 12 Mar.
    OUT: BLOCK [15] Default policy (First packet in connection is not a SYN packet: TCP 192.168.1.78:49458->217.41.223.234:80 on ppp0)
    19:32:28, 12 Mar.
    OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.78:49280->119.254.30.32:443 on ppp0)
    19:32:26, 12 Mar.
    ( 116.030000) NTP synchronization start
    19:32:25, 12 Mar.
    OUT: BLOCK [15] Default policy (First packet in connection is not a SYN packet: TCP 192.168.1.78:49442->74.125.141.91:443 on ppp0)
    19:32:25, 12 Mar.
    OUT: BLOCK [15] Default policy (TCP 192.168.1.78:49310->204.154.94.81:443 on ppp0)
    19:32:25, 12 Mar.
    IN: BLOCK [15] Default policy (TCP 88.221.94.116:80->86.164.178.188:49863 on ppp0)

  • VM cannot get IP and shows host MAC in event logs

    I have a strange issue where the VM on a user's laptop worked fine in the office with a wireless NIC, but when he got home we began having some problems (no network in the VM, only a 169.x.x.x IP in the VM, and the host network connection drops when we try to access or configure the networking inside the VM).
    Here is what I know so far:
    Bridge exists on host (wireless NIC to virtual NIC) and is enabled
    Adapter in VM has MAC of 00-15-5D-0A-A5-00, cannot get IP
    VM settings for the wireless NIC show the MAC is Dynamic and the one assigned is within the range setup on the Virtual Switch
    Adapter on host has MAC of 9C-4E-36-AC-83-68, gets IP of 192.168.0.14
    In the VM, you cannot renew or assign an IP, it says the MAC exists on the network and has an address assigned.  Network connectivity also drops if you try to renew the IP
    In the system event logs on the VM, I see TCPIP event 4199, exact message is - The system detected an address conflict for IP address 192.168.0.14 with the system having hardware address 9C-4E-36-AC-83-68.
    There are no errors in the event logs on the host.
    Deleting the NIC inside the VM and removing/re-adding it to the VM settings does not resolve it
    Deleting and recreating the virtual switch does not resolve it
    The option to allow the management OS to also use the wireless NIC is enabled on the virtual switch.
    The wired connection also worked in our office during the build and testing, but he does not have a cable at home for me to test the wired connection there.
    We have another machine which is configured the same way and is working correctly, both in the office and offsite.
    Why is the VM trying to use the host MAC to get an IP? Shouldn't it be using the one assigned by Hyper-V? Could this be an issue with his home office network, or maybe specifically with his WAP? What other items could cause this?
    I have asked my user to go connect to a wireless network in a different location and test it but I haven't heard back from him yet.
    Thanks in advance for any suggestions.

    Hi Milos,
    1 - Unfortunately I can't test this, the router is supplied by his ISP and is not one that we have any management capabilities on.
    2 - Any time I access network information in the VM (even just to run "ipconfig /all" at a command line), the network drops temporarily on the host and I lose access to it.
    3 - I've not used this before, I'll check it out.
    It seemed really odd to me that the VM showed the host MAC in the event logs when everything else in the VM shows the one assigned by Hyper-V.
    Do you know if the "Virtual Networking and Wireless network adapters" entry in Ben Armstrong's Virtualization blog still applies in Windows 8.1?  It won't let me post the link to it directly, sorry.
    I've seen it referred to in recent posts but it's from 2005.
    It makes sense if it is since symptom #2 sounds like what I am seeing.

  • Active Sync Error in Event Logs - Generated by Health Monitor Mailbox.

    Receiving the event log entry below on an Exchange 2013 Mailbox Server (Server 2012 OS).  No policies have been configured yet.  Seems odd that by default the health mailbox would be blocked when default policy is allow. Anybody else seeing this?
    Log Name:      Application
    Source:        MSExchange ActiveSync
    Date:          10/1/2013 11:59:16 AM
    Event ID:      1021
    Task Category: Requests
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      MYSERVER.mydomain.com
    Description:
    A non-compliant phone is trying to connect with Exchange ActiveSync. However, the Exchange ActiveSync mailbox policy for user [MYDOMAIN\HEALTLMAILBOXACCOUNT] and device ID [EASProbeDeviceId141] requires phones to be compliant before they synchronize with Exchange ActiveSync.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchange ActiveSync" />
        <EventID Qualifiers="32772">1021</EventID>
        <Level>3</Level>
        <Task>1</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-10-01T17:59:16.000000000Z" />
        <EventRecordID>136375</EventRecordID>
        <Channel>Application</Channel>
        <Computer>MYSERVER.mydomain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>MYDOMAIN\HEALTLMAILBOXACCOUNT</Data>
        <Data>EASProbeDeviceId141</Data>
      </EventData>
    </Event>

    Did you find a solution for it? 
    I see the same error on our 4 Exchange 2013 Servers.
    I have not.  I just chalked it up to another broken item with Exchange 2013.  Maybe it will be fixed by next year. 

  • Problems with using System.Diagnostics.EventLog to retrieve event log messages

    Hi
    In my app I am retrieving error and critical events from the application and system logs, but for some reason what it returns doesn't tally with what I see in Event Viewer.
    For example:
    1) Source is SideBySide and shows in Event Viewer with an Event ID of 33, but in my app it is returning an event ID of 3238068257. All other details such as the message are correct, and other event sources show fine.
    2) A lot of the system event log messages are showing the wrong error message. In the event log it shows correctly, but in my app it is retrieving messages like this: "The description for Event ID '41' in Source 'Microsoft-Windows-Kernel-Power' cannot be found. The local computer may not have the necessary registry information or message DLL files to display message, or you may not have permission to access them". I am running the app with admin rights, so I'm not sure why it is not showing the same message as Event Viewer, i.e. "The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly."
    Darren Rose

    Private Sub btnCheckEventLog_Click(sender As Object, e As EventArgs) Handles btnCheckEventLogs.Click
        ' get event logs
        ' APPLICATION LOG
        ' variables for adding to the listview application log
        Dim ListEventlogApp As ListViewItem
        Dim arrayEventlogApp(5) As String
        ' Clear existing items from list
        lvwEventLogApp.Clear()
        ' Create columns and set width
        lvwEventLogApp.Columns.Add("Date/Time", 120)
        lvwEventLogApp.Columns.Add("Type", 50)
        lvwEventLogApp.Columns.Add("Source", 150)
        lvwEventLogApp.Columns.Add("ID", 100)
        lvwEventLogApp.Columns.Add("Message", 1000)
        ' get event log (application) error entries
        Dim eventLogAppError As New System.Diagnostics.EventLog("Application")
        Dim eventCntr1 As Integer = 1
        Dim numberofeventstoshow1 As Integer = 1
        For i As Integer = eventLogAppError.Entries.Count - 1 To 0 Step -1
            Dim eventLogAppErrorEntry As EventLogEntry = eventLogAppError.Entries(i)
            If eventLogAppErrorEntry.EntryType.ToString = ("Error") Then
                arrayEventlogApp(0) = (eventLogAppErrorEntry.TimeGenerated)
                arrayEventlogApp(1) = (eventLogAppErrorEntry.EntryType.ToString)
                arrayEventlogApp(2) = (eventLogAppErrorEntry.Source)
                arrayEventlogApp(3) = (eventLogAppErrorEntry.InstanceId)
                arrayEventlogApp(4) = (eventLogAppErrorEntry.Message)
                ListEventlogApp = New ListViewItem(arrayEventlogApp)
                lvwEventLogApp.Items.Add(ListEventlogApp)
                eventCntr1 = eventCntr1 + 1
                If numberofeventstoshow1 = 10 Then Exit For ' amend if you want to show more than 10 events
                numberofeventstoshow1 = numberofeventstoshow1 + 1
            End If
        Next
        ' SYSTEM LOG
        ' variables for adding to the listview system log
        Dim ListEventlogSys As ListViewItem
        Dim arrayEventlogSys(5) As String
        ' Clear existing items from list
        lvwEventLogSys.Clear()
        ' Create columns and set width
        lvwEventLogSys.Columns.Add("Date/Time", 120)
        lvwEventLogSys.Columns.Add("Type", 50)
        lvwEventLogSys.Columns.Add("Source", 150)
        lvwEventLogSys.Columns.Add("ID", 100)
        lvwEventLogSys.Columns.Add("Message", 1000)
        ' get event log (system) critical entries
        Dim eventLogSystemCritical As New System.Diagnostics.EventLog("System")
        Dim eventCntr2 As Integer = 1
        Dim numberofeventstoshow2 As Integer = 1
        For i As Integer = eventLogSystemCritical.Entries.Count - 1 To 0 Step -1
            Dim eventLogSysCriticalEntry As EventLogEntry = eventLogSystemCritical.Entries(i)
            If eventLogSysCriticalEntry.EntryType.ToString = ("0") Then
                arrayEventlogSys(0) = (eventLogSysCriticalEntry.TimeGenerated)
                arrayEventlogSys(1) = ("Critical")
                arrayEventlogSys(2) = (eventLogSysCriticalEntry.Source)
                arrayEventlogSys(3) = (eventLogSysCriticalEntry.InstanceId)
                arrayEventlogSys(4) = (eventLogSysCriticalEntry.Message)
                ListEventlogSys = New ListViewItem(arrayEventlogSys)
                lvwEventLogSys.Items.Add(ListEventlogSys)
                eventCntr2 = eventCntr2 + 1
                If numberofeventstoshow2 = 10 Then Exit For ' amend if you want to show more than 10 events
                numberofeventstoshow2 = numberofeventstoshow2 + 1
            End If
        Next
        ' get event log (system) error entries
        Dim eventLogSystemError As New System.Diagnostics.EventLog("System")
        Dim eventCntr3 As Integer = 1
        Dim numberofeventstoshow3 As Integer = 1
        For i As Integer = eventLogSystemError.Entries.Count - 1 To 0 Step -1
            Dim eventLogSysErrorEntry As EventLogEntry = eventLogSystemError.Entries(i)
            If eventLogSysErrorEntry.EntryType.ToString = ("Error") Then
                arrayEventlogSys(0) = (eventLogSysErrorEntry.TimeGenerated)
                arrayEventlogSys(1) = (eventLogSysErrorEntry.EntryType.ToString)
                arrayEventlogSys(2) = (eventLogSysErrorEntry.Source)
                arrayEventlogSys(3) = (eventLogSysErrorEntry.InstanceId)
                arrayEventlogSys(4) = (eventLogSysErrorEntry.Message)
                ListEventlogSys = New ListViewItem(arrayEventlogSys)
                lvwEventLogSys.Items.Add(ListEventlogSys)
                eventCntr3 = eventCntr3 + 1
                If numberofeventstoshow3 = 10 Then Exit For ' amend if you want to show more than 10 events
                numberofeventstoshow3 = numberofeventstoshow3 + 1
            End If
        Next
    End Sub
    Darren Rose
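As an added illustration in Python (not the poster's VB.NET) of the first symptom above: the 32-bit value that InstanceId returns carries the Event ID in its low 16 bits and the Qualifiers in its high 16 bits, which is exactly how the Event XML splits it (the MSExchange ActiveSync record quoted earlier on this page is reused here as the sample). The value 3238068257 reported above therefore decodes to Event ID 33 with Qualifiers 49409, and Event Viewer shows only the low 16 bits.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# <Level> values used in the Event XML. Level 1 (Critical) has no counterpart in the
# classic EventLogEntryType enumeration, which is why the code above tests EntryType for "0".
LEVEL_NAMES = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}

# Sample record: the MSExchange ActiveSync event XML quoted earlier on this page.
SAMPLE_EVENT_XML = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchange ActiveSync" />
    <EventID Qualifiers="32772">1021</EventID>
    <Level>3</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-10-01T17:59:16.000000000Z" />
    <EventRecordID>136375</EventRecordID>
    <Channel>Application</Channel>
    <Computer>MYSERVER.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>MYDOMAIN\\HEALTLMAILBOXACCOUNT</Data>
    <Data>EASProbeDeviceId141</Data>
  </EventData>
</Event>
"""


def split_instance_id(instance_id: int) -> Tuple[int, int]:
    """32-bit classic event identifier -> (qualifiers, event id as Event Viewer displays it).
    Low 16 bits: Event ID. High 16 bits: Qualifiers (the attribute on <EventID> in the XML)."""
    return (instance_id >> 16) & 0xFFFF, instance_id & 0xFFFF


def join_instance_id(qualifiers: int, event_id: int) -> int:
    """Inverse of split_instance_id."""
    return ((qualifiers & 0xFFFF) << 16) | (event_id & 0xFFFF)


def parse_event_xml(xml_text: str) -> Dict[str, object]:
    """Pull the <System> fields and <EventData> strings out of a Windows Event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    event_id_el = system.find("e:EventID", EVENT_NS)
    qualifiers = int(event_id_el.get("Qualifiers", "0"))
    event_id = int(event_id_el.text)
    level = int(system.findtext("e:Level", default="0", namespaces=EVENT_NS))
    data: List[str] = [d.text or "" for d in root.findall("e:EventData/e:Data", EVENT_NS)]
    return {
        "provider": system.find("e:Provider", EVENT_NS).get("Name"),
        "event_id": event_id,
        "qualifiers": qualifiers,
        "instance_id": join_instance_id(qualifiers, event_id),
        "level": level,
        "level_name": LEVEL_NAMES.get(level, f"Level{level}"),
        "time_created": system.find("e:TimeCreated", EVENT_NS).get("SystemTime"),
        "record_id": int(system.findtext("e:EventRecordID", default="0", namespaces=EVENT_NS)),
        "computer": system.findtext("e:Computer", default="", namespaces=EVENT_NS),
        "data": data,
    }


if __name__ == "__main__":
    rec = parse_event_xml(SAMPLE_EVENT_XML)
    print(f"{rec['provider']}: Event ID {rec['event_id']} (InstanceId {rec['instance_id']}) {rec['level_name']}")
    print("3238068257 ->", split_instance_id(3238068257))
```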

  • Home Hub 3 - no event log for a month

    I tried and failed to access the Hub Manager home page yesterday.
    I tried several PCs / operating systems / browsers without success.
    Eventually, I rebooted the router and managed to access the page.
    Having logged in I found that no entries had been added to the event log since the early hours of November 18th (just over a month ago) although the broadband has been working fine.
    Has anybody else had similar experiences? As a generally paranoid individual I am not too happy that there are missing event log items!!
    Thanks
    Brian

    Hi oldbak,
    Is this issue still apparent? Have you tried resetting the hub?
    Chris
    BT Mod team

  • Event log WAN section

    Since being on Infinity my event log (WAN section) shows occasional "PPP LCP Send Termination Request [User request]", followed by a reconnect sequence, that lasts about 20s when it is back up running normally. The Home Hub 5 light remains blue but the DSL uptime reset itself.
    The other item that shows up, in this sequence, is "PPPoE is down after 8693 minutes uptime [Waiting for Underlying Connection (WAN Ethernet 2 - Down)]".
    Is this some short term break of service on the fibre network and nothing to do with the handshake between the router and the DSLAM in the cabinet?

    Same with the event log here.  I've had a few wireless issues lately, and wanted to run the router a bit longer before rebooting.
    EDIT: Restarted the HH3 tonight, and noticed from the event log that when booting it showed the correct time, but when it did a time sync check, it set the clock back one hour...
    I also tried a couple of other time servers without success.

  • Missing VSS System Writer and CAPI2 error in Event Log

    Hello,
    I'm having problems with making full system backup of Windows 2008 R2 x64. It looks like this is related to missing VSS System Writer. When I'm running command "vssadmin list writers" there is no System Writer in writers list and in event log CAPI2 error (event ID 513) is showing with this description:
    Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
    Details:
    TraverseDir : Unable to push subdirectory.
    System Error:
    Unspecified error
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="0">513</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2010-03-14T01:06:35.639125000Z" />
    <EventRecordID>207975</EventRecordID>
    <Correlation />
    <Execution ProcessID="968" ThreadID="11588" />
    <Channel>Application</Channel>
    <Computer>System3</Computer>
    <Security />
    </System>
    <EventData>
    <Data>Details: TraverseDir : Unable to push subdirectory. System Error: Unspecified error</Data>
    </EventData>
    </Event>
    any idea what could be wrong?
    Thanks in advance

    Hello ,
    Based on the research, the VSS System Writer runs in the context of the CryptSvc service on Windows Server 2008. To make the system writer work normally, please open the Services console to verify that Cryptographic Services logs on with the credentials of the "Network Service" account.
    The VSS system writer can be missing for several reasons. To isolate this issue, please refer to the following steps to boot the problematic server in clean boot mode to perform the test.
    Steps: Clean Boot
    1. On a problematic server perform a clean boot and check if the issue still exists
    2. Click Start->Run...->type msconfig and press Enter
    3. Click Services tab and select Hide All Microsoft Services and Disable All third party Services.
    4. Click Startup tab and Disable All startup items
    5. Click OK and choose Restart
    After the server reboot, please run "vssadmin list writers" to check if the "System Writer" can be displayed.
    If the issue still exists, please open a CMD prompt using Run As Administrator and type the following commands to see if the system writer appears.
    CD c:\windows\system32
    Takeown /f %windir%\winsxs\filemaps\* /a
    icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
    icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
    icacls %windir%\winsxs\filemaps\*.* /grant "BUILTIN\Users:(RX)"
    Moreover, based on experience, it has been reported that a permissions issue can cause this kind of problem. Please follow the steps below and check if it helps.
    On domain controller
    1. Open Active Directory Users and Computers
    2. Click View and then "Advanced features"
    3. Right Click built and click properties.
    4. Click security tab.
    5. Grant read permission to 'Authenticated Users'
    6. Click Apply and OK.
    7. Restart Cryptographic Services.
    Note: By Default, it should have read permission for the system to take system state backup.
    Hope this can be helpful.
    MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin
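    The event in the post above is Windows event XML, which is what Event Viewer shows under "Details > XML View" and what an exported .evtx-to-XML dump contains. The following is an added example (not code from the thread or from Microsoft) that parses that XML with the standard library, handles the event namespace, and turns a CAPI2 event 513 into a triage hint based on the advice in the reply (CryptSvc account and winsxs\filemaps permissions). The embedded sample is a copy of the event XML from the post; the `explain_capi2_513` function and its wording are this example's own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Namespace declared on the <Event> element of Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Standard Windows event levels (used only to label the numeric <Level>).
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information"}

# Copy of the CAPI2 event posted in the thread, embedded so the example runs offline.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
<EventID Qualifiers="0">513</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2010-03-14T01:06:35.639125000Z" />
<EventRecordID>207975</EventRecordID>
<Correlation />
<Execution ProcessID="968" ThreadID="11588" />
<Channel>Application</Channel>
<Computer>System3</Computer>
<Security />
</System>
<EventData>
<Data>Details: TraverseDir : Unable to push subdirectory. System Error: Unspecified error</Data>
</EventData>
</Event>"""


def parse_event(xml_text: str) -> Dict[str, object]:
    """Extract the fields a triage script usually needs from one Windows event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows event: <System> element missing")

    def text(tag: str) -> Optional[str]:
        el = system.find(f"e:{tag}", NS)
        return el.text if el is not None else None

    provider = system.find("e:Provider", NS)
    time_created = system.find("e:TimeCreated", NS)
    level = int(text("Level") or 0)
    return {
        "provider": provider.get("Name") if provider is not None else None,
        "event_id": int(text("EventID") or 0),
        "level": level,
        "level_name": LEVEL_NAMES.get(level, "Unknown"),
        "channel": text("Channel"),
        "computer": text("Computer"),
        "record_id": int(text("EventRecordID") or 0),
        "time_created": time_created.get("SystemTime") if time_created is not None else None,
        # EventData may carry several <Data> children; keep them all.
        "data": [d.text or "" for d in root.findall("e:EventData/e:Data", NS)],
    }


def explain_capi2_513(event: Dict[str, object]) -> Optional[str]:
    """Map a CAPI2 event 513 to the checks suggested in the reply above.

    Returns None for any other provider/event id so the caller can skip it.
    """
    if event.get("provider") != "Microsoft-Windows-CAPI2" or event.get("event_id") != 513:
        return None
    detail = " ".join(event.get("data", []))  # type: ignore[arg-type]
    if "TraverseDir" in detail:
        return ("System Writer failed while walking a directory: confirm CryptSvc logs on as "
                "Network Service and review the ACLs under %windir%\\winsxs\\filemaps")
    return "CAPI2 513: System Writer error; read the event's Data text for the failing call"


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(f"{ev['time_created']} {ev['computer']} {ev['provider']} "
          f"{ev['event_id']} [{ev['level_name']}]")
    print(explain_capi2_513(ev))
```

    To run this against a live machine, export the Application log from Event Viewer as XML (or feed it the XML from one event's Details pane); each `<Event>` element parses independently.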

  • Is there a list of 'Event Log' enteries that I sho...

    Hi,
    I was looking through a few of the posts on here and noticed posts about event logs on the BT HomeHub.
    I was wondering if there is a list of specific 'Event Log' entries that I should be aware of that could be malicious activity?
    If there are specific entries that could be malicious activity, is there a way of using Microsoft 'Event Viewer' or 'System Monitor' to send me a message when this malicious activity is taking place?
    Also I noticed on my laptop that when I was looking in WiFi Status that there was a massive difference in the bytes sent and received. I think it was something like 600,000 sent and 6000,000 received. I looked in the BT HomeHub Event Log and there was a load of entries for the following:
    11:41:42,12 Feb. PortMapping Delete By UPNP/TR064 Success.
    11:41:02,12 Feb. PortMapping Add By UPNP/TR064 Success.
    The only thing I've done recently is install WAMP for a local test server to view a website being designed in PHP. I wanted to view the websites on my other devices so I allowed WAMP through my Microsoft firewall. I have disallowed WAMP through the firewall now and the PortMapping messages in the BT HomeHub Event Log seem to have stopped.

    Disable uPnP, restart the hub, and the entries should stop. Then see if any programs you have installed, stop working properly.
    If everything works as normal, then leave uPnP disabled.
    Quote
    "Is there anyway of setting up Microsoft ‘Event Viewer’ or ‘System Monitor’ to flag up this malicious activity and send me a message to make me aware of these?"
    No, but I would not worry about them, as the home hub firewall is there to prevent intrusions.
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.
