Opened 3 years ago
Closed 15 months ago
#414 closed defect (fixed)
CheckEventLog on Windows 2008
| Reported by: | gspotter | Owned by: | mickem |
|---|---|---|---|
| Priority: | 1 | Milestone: | 0.4.0 |
| Component: | CheckEventlog | Version: | 0.3.8 |
| Severity: | Bugs | Keywords: | Windows 2008 registry |
| Cc: | jim@… | | |
Description
When using CheckEventLog on Windows 2008 and checking system logs, there is an error reported in the logs.
d \CheckEventLog.cpp(484) Attempting to match: System with System
e \eventlog_record.hpp(134) Could not extract DLL for eventsource: Service Control Manager
bla bla
and the same for DCOM
In 2008 it seems that some use ProviderGuid {555908d1-a6d7.....} to reference a key under
HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{GUID}\
- MessageFileName (REG_EXPAND_SZ): %systemroot%\system32\services.exe
- ParameterFileName (REG_EXPAND_SZ): %systemroot%\system32\kernel32.dll
- ResourceFileName (REG_EXPAND_SZ): %systemroot%\system32\services.exe
If I "filter=generated gt -12h severity = 'error' AND (id = 1058 OR id = 5722)" the filter gets ignored or so and I get matches on other eventids
Haven't tested yet on other platforms than Windows 2008.
BTW using inject and no params allowed if that matters.
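A quick way to see which of the two registry locations a given event source actually populates, as an added PowerShell diagnostic that is not part of the ticket or of NSClient++. It only reads the legacy per-source key under Services\EventLog and the WINEVT\Publishers\{GUID} key that ProviderGuid points to, as laid out above; log and source names are parameters with the ticket's example as defaults.

```powershell
# Added diagnostic (not NSClient++ code): report where the message DLL for an event
# source is declared, so a "Could not extract DLL for eventsource" error can be
# traced to a source that only carries ProviderGuid (Vista/2008 style) and no
# legacy EventMessageFile value.
param(
    [string]$Log = 'System',
    [string]$Source = 'Service Control Manager'
)

$legacy = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$Log\$Source"
if (-not (Test-Path $legacy)) {
    Write-Warning "No legacy key for source '$Source' under log '$Log'"
    return
}
$src = Get-ItemProperty -Path $legacy

# Legacy location: EventMessageFile may list several files separated by ';'.
# The registry provider normally expands REG_EXPAND_SZ; expanding again is harmless.
if ($src.EventMessageFile) {
    foreach ($f in ($src.EventMessageFile -split ';')) {
        $file = [Environment]::ExpandEnvironmentVariables($f)
        "EventMessageFile: $file (exists: $(Test-Path $file))"
    }
}
else {
    "No EventMessageFile under $legacy"
}

# Modern location: ProviderGuid names a publisher key that holds the file values.
if ($src.ProviderGuid) {
    $pub = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\$($src.ProviderGuid)"
    if (Test-Path $pub) {
        $p = Get-ItemProperty -Path $pub
        foreach ($name in 'MessageFileName', 'ParameterFileName', 'ResourceFileName') {
            if ($p.$name) {
                $file = [Environment]::ExpandEnvironmentVariables($p.$name)
                "$name (via ProviderGuid): $file (exists: $(Test-Path $file))"
            }
        }
    }
    else {
        Write-Warning "ProviderGuid $($src.ProviderGuid) has no publisher key at $pub"
    }
}
else {
    "No ProviderGuid under $legacy; a reader that only knows EventMessageFile has nothing to fall back on"
}
```

A source that prints only the ProviderGuid lines is one an agent reading just the legacy value cannot format, which is the situation the error in this ticket describes.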
Change History (8)
comment:1 follow-up: ↓ 2 Changed 2 years ago by averyjim
I'm seeing similar with DCOM events here too. For the DCOM issue, I would guess this kb applies:
http://support.microsoft.com/kb/2008047
I'll see if I can find a test system here to try it on.
comment:2 in reply to: ↑ 1 Changed 2 years ago by averyjim
- Cc jim@… added
I finally managed to get the Microsoft kb 2008047 fix applied to one of our test servers. Before applying the registry change, I was seeing output from CheckEventLog like this:
Events;CRITICAL;SOFT;1;error: DCOM: 10029: (1), eventlog: 1 > critical
and entries in the nsclient.log file like:
2011-04-10 03:08:29: error:c:\source\nscp\branches\stable\modules\checkeventlog\eventlog_record.hpp:134: Could not extract DLL for eventsource: DCOM: SYSTEM\CurrentControlSet\Services\EventLog\system\DCOM.EventMessageFile -- Failed to get value: 2: The system cannot find the file specified.
After applying the registry change, I now get more meaningful output for events with source=DCOM, for example:
Events;CRITICAL;SOFT;2;error: DCOM: 10029: failed to load: %SystemRoot%\System32\oleres.dll( reson: 126 (1), eventlog: 1 > critical
and no corresponding entry in nsclient.log.
Unfortunately it seems NSClient++ is still not filtering the alerts with source=DCOM out though. The specific config I'm using at the moment is:
alias_CheckEventLog=CheckEventLog file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -1h AND severity NOT IN ('success', 'informational') AND source NOT IN ('DCOM', 'EventLog')" truncate=800 unique descriptions "syntax=%severity%: %source%: %id%: %message% (%count%)"
I've just restarted NSClient++ in case that will make a difference. I'll report back if I find anything else.
comment:3 Changed 2 years ago by averyjim
- Resolution set to worksforme
- Status changed from new to closed
Good news - NSClient++ 0.3.8.75 is now correctly filtering these DCOM alerts. I think it's fair to say then that the registry fix in http://support.microsoft.com/kb/2008047 followed by restart of the NSClient++ service solves this issue.
comment:4 Changed 2 years ago by averyjim
- Resolution worksforme deleted
- Status changed from closed to reopened
comment:5 Changed 2 years ago by averyjim
I'm not sure whether simply to document this as a known issue on the relevant Wiki page, or whether the agent install should actually set this registry key? Technically I'd say it's a bug in the O/S not a bug in NSClient++.
comment:6 Changed 15 months ago by mickem
- Milestone set to 0.4.0
- Status changed from reopened to new
comment:7 Changed 15 months ago by mickem
- Component changed from CheckSystem to CheckEventlog
comment:8 Changed 15 months ago by mickem
- Resolution set to fixed
- Status changed from new to closed
Updated the wiki page with this information, thanks!