Problem:
On Windows 2000 the eventlog tester may not retrieve
the full text of the message of each Read(), therefore
regular expressions in the eventlog configuration file
searching for a particular pattern in the description field
may not return any matches.
Uxmon in debug mode returns the following message
instead of the message text:
Unused message ID
Solution:
The following solution worked on my Windows 2000
servers running Bigsister 0.99c3 with Active Perl 5.8.6:
Change the following line in the eventlog.pm module
$event->{"Message"} = $self->{"fh"}->GetMessageText( $event );
to
$event->{"Message"};
make sure that GetMessageText is set to 1 via the
following line:
$Win32::EventLog::GetMessageText = 1;
Test:
I've attached an eventlog config file that checks for
changes to the local administrators group and sends an
alert if such a change occurs. Here is the alert:
The status of
Host cl004001 (cl004001)
Item msgs
went down (status red) at Tue Jun 28 15:05:17 2005.
The status text is
Security: Security Enabled Local Group Member
Removed:
Member Name: -
Member ID: %{S-1-5-21-117609710-1979792683-682003330-1116}
Target Account Name: Administrators
Target Domain: Builtin
Target Account ID: %{S-1-5-32-544}
Caller User Name: cb18cl
Caller Domain: AU
Caller Logon ID: (0x0,0x5A86237)
Privileges: -
eventlog config
Logged In: YES
user_id=77961
Thanks a lot for the report and the fix.
Logged In: YES
user_id=77961
Both changes are in CVS now (partially some time ago).
Logged In: YES
user_id=1134674
When will this fix make it into a release? I just
installed the 1.0 prerelease2 MSI on a W2003 server. It
still appears to exhibit this behavior.
Logged In: YES
user_id=77961
Funny enough, then. The fix has been applied 2004/03/12
(yes, that's before the bug had been submitted :-))) and the
bug made when trying to fix the bug (my mistake) was fixed
on October 4. So, both releases of the MSI contain the fixed
eventlog monitor unless something went terribly wrong.
This actually means that you must have run into another bug
or problem.
What exactly are the symptoms you get?
Logged In: YES
user_id=77961
Oh, sorry to spam you - are we talking of a remote eventlog
monitor or are you trying to monitor a machine's local eventlog?
It seems to be crucial that the piece of software actually
posting the eventlog entry is also installed on the machine
trying to read the eventlog - in the local case this is
trivial, in the remote case this means you will not
necessarily get a valid event description in case the event
was posted by some service or application that is not
installed on the machine running the agent as well.
We might have to use Win32::Lanman as a fallback for events
that do not actually give valid event messages ...
Logged In: YES
user_id=1134674
It is a local eventlog. It may be a different bug I'm
experiencing, possibly one that only affects the
application eventlog. The messages where I observed the
problem were warnings in the application eventlog. After I
posted my comment, the monitor detected an error message
in the system eventlog, in this case the message text was
reported.
I'm not at the affected customers site right now. I'll
look a little closer at this the next time I am there.
Logged In: YES
user_id=1134674
Examining things closely, the only cases where I have
observed that the message text is missing, is for events
from Perl/BigSister, where event viewer shows the
following:
"The description for Event ID ( 100 ) in Source ( Perl )
cannot be found. The local computer may not have the
necessary registry information or message DLL files to
display messages from a remote computer. You may be able
to use the /AUXSOURCE= flag to retrieve this description;
see Help and Support for details. The following
information is part of the event: BigSister: config
file /Program Files/BigSister//adm/uxmon-net has changed -
reloading."
In other cases, BigSister correctly retrieves the message
text.
Logged In: YES
user_id=77961
Ok, now things are clear. This will apply to all messages
without a registered event id.
I'll change this bug's status back into non-fixed, since it
needs additional contemplation. Probably I'll go for the
Lanman API that allows us to present unregistered events in
a way similar to the Windows eventlog viewer (converting
raw event data into something readable).
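The following Perl script is an added example; it is not BigSister code, not the reporter's attached eventlog config, and not the Lanman-based fallback the maintainer mentions. It ties together the two points of the thread: with $Win32::EventLog::GetMessageText set to 1, Read() fills in $event->{Message} on its own, and for sources without a registered message DLL (the Perl/BigSister event ID 100 case above) the Message stays empty, so the script renders an Event-Viewer-style placeholder from the insertion strings instead and only then applies the regex rules. The two rules, the helper names describe_event and match_rules, the assumption that Win32::EventLog hands back insertion strings NUL-separated in $event->{Strings}, and the sample event are all my own; the sample is constructed, not captured from a real host. The live read at the end only runs where Win32::EventLog loads (Windows with ActivePerl), so the script still runs offline on the constructed sample.

```perl
#!/usr/bin/perl
# Added example (not BigSister code): read a Windows event log with
# Win32::EventLog, let Read() fill in the message text, fall back to the
# insertion strings for sources without a registered message DLL, and
# apply regex rules to the resulting description.
use strict;
use warnings;

# Render an event: use the text Read() already resolved; if the source has
# no registered message file, build the Event-Viewer-style placeholder.
# ASSUMPTION: Win32::EventLog returns insertion strings NUL-separated in
# $ev->{Strings} and leaves $ev->{Message} empty when nothing resolved.
sub describe_event {
    my ($ev) = @_;
    my $msg = $ev->{Message};
    return $msg if defined $msg && $msg =~ /\S/;

    my $id  = $ev->{EventID} & 0xFFFF;   # Event Viewer shows the low 16 bits
    my $raw = defined $ev->{Strings} ? $ev->{Strings} : '';
    my @ins = grep { length } split /\0/, $raw;
    return sprintf(
        "The description for Event ID ( %d ) in Source ( %s ) cannot be found. "
      . "The following information is part of the event: %s",
        $id, $ev->{Source}, join(', ', @ins));
}

# Rules are my own guess at what a "local Administrators group changed"
# check looks like; the attached config is not on this page.
my @RULES = (
    { name => 'admin-group-change',
      re   => qr/Security Enabled Local Group Member (?:Added|Removed).*?Target Account Name:\s*Administrators/s },
    { name => 'bigsister-unregistered',
      re   => qr/cannot be found\..*BigSister:/s },
);

# Returns the names of all rules whose pattern matches the description.
sub match_rules {
    my ($text) = @_;
    return map { $_->{name} } grep { $text =~ $_->{re} } @RULES;
}

# Constructed sample (not captured from a real system): the shape Read()
# gives for the Perl/BigSister event quoted in the thread, Message empty.
my $sample = {
    Source  => 'Perl',
    EventID => 100,
    Message => '',
    Strings => "BigSister: config file /Program Files/BigSister//adm/uxmon-net"
             . " has changed - reloading.\0",
};
my $desc = describe_event($sample);
print "sample: $desc\n  rules: @{[ match_rules($desc) ]}\n";

# Live read, only where Win32::EventLog loads (Windows, e.g. ActivePerl).
my $log    = @ARGV ? shift @ARGV : 'Security';
my $server = @ARGV ? shift @ARGV : '';
if (eval { require Win32::EventLog; 1 }) {
    # The fix from the report: with this flag set, Read() itself populates
    # $ev->{Message}; no separate GetMessageText call is needed.
    $Win32::EventLog::GetMessageText = 1;
    my $h = Win32::EventLog->new($log, $server)
        or die "cannot open $log: $^E";
    my $flags = Win32::EventLog::EVENTLOG_BACKWARDS_READ()
              | Win32::EventLog::EVENTLOG_SEQUENTIAL_READ();
    my $seen = 0;
    while ($seen++ < 50 && $h->Read($flags, 0, my $ev = {})) {
        my $d   = describe_event($ev);
        my @hit = match_rules($d) or next;
        printf "%s %s/%d [%s]: %s\n", scalar localtime($ev->{TimeGenerated}),
            $ev->{Source}, $ev->{EventID} & 0xFFFF, "@hit", $d;
    }
    $h->Close;
}
```

Run it as `perl eventlog_check.pl Security` on the monitored host; the first output line is always the constructed sample rendered through the fallback, which is the same placeholder wording Event Viewer prints for an unregistered source, so a rule written against the Event Viewer text keeps matching. Note that the fallback only reproduces the insertion strings, not the registered message template, which is exactly why remote monitoring of a source that is not installed on the agent host cannot give a full description.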