Pages: [1]   Go Down
« previous next »
Author Topic: Windows module_logevent - ReadEventLog error 997  (Read 2207 times)
0 Members and 2 Guests are viewing this topic.
Dez
Newbie
*

Karma: 0
Offline Offline

Posts: 7


View Profile
« on: October 22, 2009, 07:50:48 AM »
I have the following module in my Window agent (v3 RC1) conf file:

# Log events
module_begin
module_name Logevents
module_type generic_data_string
module_logevent
module_source Application
module_description Log Events
module_end

This works on a Windows 2003 x86 installation.

However on a Windows 2003 x64 installation I get the following error in the pandora_agent.log file:

ReadEventLog error 997

Any ideas?
 
Logged

rnovoa
Administrator
Sr. Member
*****

Karma: 2
Offline Offline

Posts: 119



View Profile
« Reply #1 on: October 26, 2009, 08:11:42 PM »
Hi Dez,

Do you get that error everytime the module runs?

I haven't found much about ReadEventLog and error 997, but the logevent module does use the EVENTLOG_SEEK_READ flag, it could have something to do with this:

http://www.codeproject.com/KB/system/sysevent.aspx?msg=488187#xx488187xx


Quote from: Dez on October 22, 2009, 07:50:48 AM
I have the following module in my Window agent (v3 RC1) conf file:

# Log events
module_begin
module_name Logevents
module_type generic_data_string
module_logevent
module_source Application
module_description Log Events
module_end

This works on a Windows 2003 x86 installation.

However on a Windows 2003 x64 installation I get the following error in the pandora_agent.log file:

ReadEventLog error 997

Any ideas?
 
Logged

chejov suzdal voshkov
Sr. Member
****

Karma: 8
Offline Offline

Posts: 175



View Profile WWW
« Reply #2 on: December 16, 2009, 01:22:11 PM »
try with this vbs

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & _
        strComputer & "\root\cimv2")
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _   
    ("Select * from __instancecreationevent where " _
        & "TargetInstance isa 'Win32_NTLogEvent' ")
Do
    Set objLatestEvent = colMonitoredEvents.NextEvent
        strAlertToSend = objLatestEvent.TargetInstance.User _
            & " attempted to access DatabaseServer."
        Wscript.Echo "---"
      
      'Wscript.Echo strAlertToSend
      
      Wscript.Echo objLatestEvent.TargetInstance.LogFile & " :: " & "Category: " & objLatestEvent.TargetInstance.Category
      Wscript.Echo objLatestEvent.TargetInstance.LogFile & " :: " & "Computer Name: " & objLatestEvent.TargetInstance.ComputerName
      Wscript.Echo objLatestEvent.TargetInstance.LogFile & " :: " & "Event Code: " & objLatestEvent.TargetInstance.EventCode
      Wscript.Echo objLatestEvent.TargetInstance.LogFile & " :: " & "Message: " & objLatestEvent.TargetInstance.Message
      Wscript.Echo objLatestEvent.TargetInstance.LogFile & " :: " & "Record Number: " & objLatestEvent.TargetInstance.RecordNumber
      Wscript.Echo objLatestEvent.TargetInstance.LogFile & " :: " & "Source Name: " & objLatestEvent.TargetInstance.SourceName
      Wscript.Echo objLatestEvent.TargetInstance.LogFile & " :: " & "Time Written: " & objLatestEvent.TargetInstance.TimeWritten
      Wscript.Echo objLatestEvent.TargetInstance.LogFile & " :: " & "Event Type: " & objLatestEvent.TargetInstance.Type
      Wscript.Echo objLatestEvent.TargetInstance.LogFile & " :: " & "User: " & objLatestEvent.TargetInstance.User
      Wscript.Echo "-:-"
Loop


create something like this:

---
System :: Category: 0
System :: Computer Name: 99901-EIF-1204
System :: Event Code: 7036
System :: Message: El servicio Pandora FMS agent entró en estado Activo.

System :: Record Number: 118
System :: Source Name: Service Control Manager
System :: Time Written: 20091216131347.000000+060
System :: Event Type: Información
System :: User:
-:-

so now, you can parse with System, Application or security to get all new evetns from that.
Logged
www.hacktimes.com
www.qualias.net

Sancho Lerena
Administrator
Expert member
*****

Karma: 24
Offline Offline

Posts: 1151


I can see everything... with my glasses :-)


View Profile WWW
« Reply #3 on: January 11, 2010, 01:44:33 PM »
I've just added a new entry in our FAQ about this problem:

http://openideas.info/wiki/index.php?title=Pandora:FAQ#I_have_problems_running_agent_for_Windows_2008_in_64_bits
Logged
-- See you in the other screen.

quietas
Newbie
*

Karma: 0
Offline Offline

Posts: 4


View Profile
« Reply #4 on: January 15, 2010, 06:56:49 PM »
I'm seeing this on a 32 bit XP system. I looked at your FAQ post and #1 isn't valid of course since it is  32bit, and #2 isn't either as I see a pdh.dll file in System32.

Code:
2010-01-15 17:53:37 Pandora agent started
2010-01-15 17:53:38 ReadEventLog error 997
« Last Edit: January 15, 2010, 07:01:15 PM by quietas » Logged

Sancho Lerena
Administrator
Expert member
*****

Karma: 24
Offline Offline

Posts: 1151


I can see everything... with my glasses :-)


View Profile WWW
« Reply #5 on: January 23, 2010, 05:49:27 PM »
Damm this problem is quite annoying :(

This happen you on all your windows servers or only in specific version of windows ?

What version / SP have you in that server ?

Could you use the logevent module in other app/source (for example security) to check if happen only in application source, for example ?
Logged
-- See you in the other screen.

randy_srs
Full Member
***

Karma: 0
Offline Offline

Posts: 39


View Profile
« Reply #6 on: February 09, 2010, 06:25:36 AM »
any update on this for win xp pro
Logged

raul
Administrator
Expert member
*****

Karma: 1
Offline Offline

Posts: 576



View Profile
« Reply #7 on: February 14, 2010, 04:13:36 PM »
To verify the issue we need to know which Operating systems are in the Server and Agents, also Pandora version (first post was about RC1..) and some other detail info about which modules are installed and which transfer method is used.
Logged

juanjillo
Newbie
*

Karma: 0
Offline Offline

Posts: 5


View Profile
« Reply #8 on: March 17, 2010, 01:01:07 PM »
I have the same problem.

Fresh install of FMS 3.0 Final on Ubuntu 9.10 Server.

Agent without any configuration in the client side.
The tentacle server is running.

I make the test in a XP pro sp3 32bits in the domain and ina W2K3 SP2 server 32bits.

I get this error in the log when start o restart the agent service:

Code:
2010-03-17 11:58:30 Pandora agent stopped
2010-03-17 11:58:32 Pandora agent started
2010-03-17 11:58:33 ReadEventLog error 997
2010-03-17 11:58:33 ReadEventLog error 997
Logged

juanjillo
Newbie
*

Karma: 0
Offline Offline

Posts: 5


View Profile
« Reply #9 on: March 17, 2010, 01:16:45 PM »
Quote from: juanjillo on March 17, 2010, 01:01:07 PM
I have the same problem.

Fresh install of FMS 3.0 Final on Ubuntu 9.10 Server.

Agent without any configuration in the client side.
The tentacle server is running.

I make the test in a XP pro sp3 32bits in the domain and ina W2K3 SP2 server 32bits.

I get this error in the log when start o restart the agent service:

Code:
2010-03-17 11:58:30 Pandora agent stopped
2010-03-17 11:58:32 Pandora agent started
2010-03-17 11:58:33 ReadEventLog error 997
2010-03-17 11:58:33 ReadEventLog error 997

An update:

in my case the WMI Server is set to 0, when i put to 1 and restart server works OK.

But the error continues appearing:

Code:
2010-03-17 11:58:30 Pandora agent stopped
2010-03-17 11:58:32 Pandora agent started
2010-03-17 11:58:33 ReadEventLog error 997
2010-03-17 11:58:33 ReadEventLog error 997
2010-03-17 12:14:28 Pandora agent stopped
2010-03-17 12:14:28 Pandora agent started
2010-03-17 12:14:29 ReadEventLog error 997
2010-03-17 12:14:29 ReadEventLog error 997
Logged

myasystems
Newbie
*

Karma: 0
Offline Offline

Posts: 3


View Profile
« Reply #10 on: April 23, 2010, 10:50:11 PM »
Hi,

You can see the event viewer using the WMI module as follows

Code:
module_begin
module_name Event Viewer Errors
module_type generic_data_string
module_wmiquery select Message from Win32_NTLogEvent WHERE type="error"
module_wmicolumn Message
module_description Event Viewer
module_end

I hope to be able to help them

Bye
Logged

Sancho Lerena
Administrator
Expert member
*****

Karma: 24
Offline Offline

Posts: 1151


I can see everything... with my glasses :-)


View Profile WWW
« Reply #11 on: May 08, 2010, 01:20:49 PM »
Have you tried the latest Windows Agent 3.1RC1 published in sourceforge ?

Quote from: juanjillo on March 17, 2010, 01:16:45 PM
An update:

in my case the WMI Server is set to 0, when i put to 1 and restart server works OK.

But the error continues appearing:

Code:
2010-03-17 11:58:30 Pandora agent stopped
2010-03-17 11:58:32 Pandora agent started
2010-03-17 11:58:33 ReadEventLog error 997
2010-03-17 11:58:33 ReadEventLog error 997
2010-03-17 12:14:28 Pandora agent stopped
2010-03-17 12:14:28 Pandora agent started
2010-03-17 12:14:29 ReadEventLog error 997
2010-03-17 12:14:29 ReadEventLog error 997
Logged
-- See you in the other screen.

Pages: [1]   Go Up
Print
« previous next »
 
Jump to:  


SourceForge.net Logo  This site is monitored by Pandora FMS   ArticaST