N-central Help

KBA10009: Windows Event Log Troubleshooting

Knowledge Base Article #: 10009
Applicable Versions: SolarWinds N-central 6.x, 7.x, 8.x, 9.x
Date Created/Updated: April 27, 2011

Introduction

The Windows Event Log service allows you to monitor the Event logs on Windows devices.

Because you can assign multiple instances of the Windows Event Log service to a device, each instance can be given a Service Identifier. The Service Identifier is included in e-mail notifications and on service-related displays (including the NOC View and the Status tab when editing a device), which lets you keep multiple instances of the Windows Event Log service organized.

The service can monitor the following Windows Event Viewer logs on a device:

  • Security,
  • Application,
  • System Log,
  • Directory Service Log (only available on devices classed as Server-Windows),
  • File Replication Service Log (only available on devices classed as Server-Windows), and
  • DNS Server Log (only available on devices classed as Server-Windows).

Common issues

Below are the steps to troubleshoot the most frequent issues we see with the Windows Event Log service:

  1. Why does my Windows Event Log service never show failed?
  2. Why am I getting so many notifications for Windows Events?
  3. Why is my Windows Event Log showing Misconfigured?

These are merely the most common issues. If you are encountering something different, do not hesitate to contact N-Able Technical Support at 1-866-302-4689.

Why does my Windows Event Log service never show failed?

The Event Log service uses the Windows Agent to check the Event Log every 15-30 seconds. If it finds new entries in the logs it is monitoring, it collects those entries, changes the service status to Failed, and sends them to the SolarWinds N-central server. When the server receives them, it changes the status back to Normal and updates the Transition time (the time the service last transitioned from Failed to Normal).

This is why a Raw Monitored Report on the Event Log service only ever shows Failed: at the moment the data was sent to the SolarWinds N-central server, the service was in a Failed state, and once the data has been sent it resets itself to Normal.

Why am I getting so many notifications for Windows Events?

The Windows Event Log service, like any other service, must be configured to work as you want. Left at the defaults, it captures and triggers a failure for every Windows Event it finds.

The Settings for the Windows Event Log can be found under the Service Details tab, and a variety of options can be chosen:

Logs to Monitor:

The names of the Windows Event Viewer logs that are to be monitored:

  • Security (Failure, Success)
  • Application (Error, Information, Warning)
  • System (Error, Information, Warning)
  • Directory Service (Error, Information, Warning)
  • File Replication Service (Error, Information, Warning)
  • DNS Server (Error, Information, Warning)

Include List

The event IDs to monitor. Specify individual event IDs, ranges (low-high), or both, separated by commas.

For example: 100,200,250-400,500-650

This field allows a maximum of 200 characters with no spaces.

Exclude List

The event IDs to exclude. Specify individual event IDs, ranges (low-high), or both, separated by commas.

For example:

100,200,250-400,500-650

This field allows a maximum of 200 characters.

Event Source Include Filter

The names of the sources to monitor.

Use the CSV format (source names separated by commas).

For example:

Userenv,Security,W32Time

Event Source Exclude Filter

The names of the Event Log sources to exclude.

Use the CSV format (source names separated by commas).

For example: Userenv,Security,W32Time

Event Description Regex Filter

A text string or regular expression that is matched against the event description.

Refer to the topic Regular Expressions in the Online Help menu.
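The following PowerShell script is an added example, not code from N-central or from this article. It previews which events a given set of the settings above would report, by evaluating them against constructed sample events; the setting values, the sample events, and the combination rule (every filter must pass, and an empty Include List or source filter means "all") are assumptions made for the example, not documented product behaviour.

```powershell
# Added example, not N-central code: preview what a Windows Event Log service
# instance would report for a given set of Service Details settings.
# Combination rule (all filters must pass; empty Include List / source filter
# means "all") is an assumption for this example.

# Validate an Include/Exclude List field: comma-separated integers or low-high
# ranges, no spaces, at most 200 characters (the limits the article states).
function Test-IdListField {
    param([string]$Field)
    if ($Field -eq '')         { return $true }    # empty = no restriction
    if ($Field.Length -gt 200) { return $false }
    if ($Field -match '\s')    { return $false }
    foreach ($item in $Field -split ',') {
        if ($item -match '^(\d+)-(\d+)$') {
            if ([int]$Matches[1] -gt [int]$Matches[2]) { return $false }
        }
        elseif ($item -notmatch '^\d+$') { return $false }
    }
    return $true
}

# Expand "100,200,250-400" into a set of event IDs.
function Expand-IdList {
    param([string]$Field)
    $set = New-Object 'System.Collections.Generic.HashSet[int]'
    if ($Field -eq '') { return ,$set }
    foreach ($item in $Field -split ',') {
        if ($item -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            foreach ($id in $lo..$hi) { [void]$set.Add($id) }
        }
        else { [void]$set.Add([int]$item) }
    }
    return ,$set   # leading comma stops PowerShell unrolling the set
}

# Settings as they would be entered on the Service Details tab (assumed values
# for an instance dedicated to the Security log).
$settings = @{
    LogsToMonitor    = @{ 'Security' = @('Failure', 'Success') }
    IncludeList      = '4625,4720-4740'     # logon failures, account management, lockouts
    ExcludeList      = '4722,4738'          # account enabled / changed: too noisy here
    SourceInclude    = ''                   # empty = all sources
    SourceExclude    = ''
    DescriptionRegex = 'Administrator|Domain Admins'
}

function Test-EventMatch {
    param($Entry, $Settings)
    # 1. The log and entry type must be among those monitored.
    $types = $Settings.LogsToMonitor[$Entry.Log]
    if (-not $types -or $types -notcontains $Entry.Type) { return $false }
    # 2. Event ID include/exclude lists.
    $include = Expand-IdList $Settings.IncludeList
    $exclude = Expand-IdList $Settings.ExcludeList
    if ($include.Count -gt 0 -and -not $include.Contains($Entry.Id)) { return $false }
    if ($exclude.Contains($Entry.Id)) { return $false }
    # 3. Source include/exclude filters (comma-separated source names).
    $srcIn  = @($Settings.SourceInclude -split ',' | Where-Object { $_ })
    $srcOut = @($Settings.SourceExclude -split ',' | Where-Object { $_ })
    if ($srcIn.Count -gt 0 -and $srcIn -notcontains $Entry.Source) { return $false }
    if ($srcOut -contains $Entry.Source) { return $false }
    # 4. Description regex filter, if one is set.
    if ($Settings.DescriptionRegex -and $Entry.Message -notmatch $Settings.DescriptionRegex) {
        return $false
    }
    return $true
}

# Constructed sample events (not real captures).
$audit  = 'Microsoft-Windows-Security-Auditing'
$sample = @(
    [pscustomobject]@{ Log='Security'; Type='Failure'; Id=4625; Source=$audit; Message='An account failed to log on. Account Name: Administrator' }
    [pscustomobject]@{ Log='Security'; Type='Failure'; Id=4625; Source=$audit; Message='An account failed to log on. Account Name: jsmith' }
    [pscustomobject]@{ Log='Security'; Type='Success'; Id=4728; Source=$audit; Message='A member was added to a security-enabled global group. Group Name: Domain Admins' }
    [pscustomobject]@{ Log='Security'; Type='Success'; Id=4722; Source=$audit; Message='A user account was enabled. Target Account Name: Administrator' }
    [pscustomobject]@{ Log='Security'; Type='Success'; Id=4624; Source=$audit; Message='An account was successfully logged on. Account Name: Administrator' }
    [pscustomobject]@{ Log='System';   Type='Warning'; Id=134;  Source='W32Time'; Message='NtpClient was unable to set a manual peer' }
)

# Reject malformed list fields before trusting the preview.
foreach ($name in 'IncludeList', 'ExcludeList') {
    if (-not (Test-IdListField $settings[$name])) { throw "$name is not a valid ID list" }
}

# Notify = True marks an event that would set the service to Failed and be sent up.
$sample | ForEach-Object {
    [pscustomobject]@{
        Log     = $_.Log; Id = $_.Id; Type = $_.Type
        Notify  = (Test-EventMatch -Entry $_ -Settings $settings)
        Message = $_.Message.Substring(0, [math]::Min(45, $_.Message.Length))
    }
} | Format-Table -AutoSize
```

With these settings only the first (4625 for Administrator) and third (4728 adding to Domain Admins) sample events are reported: the second is dropped by the description regex, the fourth by the Exclude List, the fifth because 4624 is not in the Include List, and the last because the System log is not monitored by this instance. Tuning is easiest when each instance of the service covers one log and carries a Service Identifier that says what it is for.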

If you believe your Event Log service is configured correctly and you are still receiving too many notifications, contact N-Able Technical Support for further assistance.

Why is my Windows Event Log showing Misconfigured?

When a Windows Event Log service shows as Misconfigured, first capture all the necessary data from the SolarWinds N-central console. Start by verifying the details of the misconfiguration: clicking the Windows Event Log service in SolarWinds N-central brings you to a Status page where, if applicable, a more detailed error is shown.

Some common reasons why you might have a Misconfigured Event Log are:

  • The Windows Event log is Full
  • The Windows Agent or Probe monitoring the Service is short of resources
  • The Probe does not have Permission to the device's WMI or DCOM
  • The IP address of the device has changed

The Windows Event log is Full

To specify log size and overwrite options, follow these steps:

  1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
  2. In the console tree, expand Event Viewer, right-click the log in which you want to set size and overwrite options, and then click Properties.
  3. Under Log size, type the size that you want in the Maximum log size box.
  4. Under When maximum log size is reached, click the overwrite option that you want.
  5. If you want to clear the log contents, click Clear Log.
  6. Click OK.

How to Archive a Log

If you want to save your log data, you can archive event logs in any of the following formats:

  • Log-file format (.evt)
  • Text-file format (.txt)
  • Comma-delimited text-file format (.csv)

To archive a log, follow these steps:

  1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
  2. In the console tree, expand Event Viewer, right-click the log you want to archive, and then click Save Log File As.
  3. Specify a file name and location where you want to save the file. In the Save as type box, click the format that you want, and then click Save.

The log file is saved in the format that you specified.
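The same size, overwrite and archive steps from the command line, as an added example that is not part of this article or of N-central. It uses Get-WinEvent -ListLog and wevtutil, which ship with Windows; the log name, target size, archive folder and the $ClearAfterArchive switch are assumed values, and it must be run from an elevated Windows PowerShell prompt on the monitored device (the Security log cannot be read otherwise).

```powershell
# Added example, not N-central or Microsoft code: the "log is full" and archive
# steps done from an elevated PowerShell prompt on the device.
# $LogName, $MaxSizeMB, $ArchiveDir and $ClearAfterArchive are assumed values.
$LogName           = 'Security'
$MaxSizeMB         = 256                   # wevtutil wants a multiple of 64 KB
$ArchiveDir        = 'C:\EventLogArchive'
$ClearAfterArchive = $false                # clearing is a deliberate, audited step

# Size and retention as the log's Properties dialog in Event Viewer shows them.
function Get-LogCapacity {
    param([string]$Name)
    $log = Get-WinEvent -ListLog $Name
    [pscustomobject]@{
        Log         = $log.LogName
        Records     = $log.RecordCount
        FileSizeMB  = [math]::Round($log.FileSize / 1MB, 1)
        MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        PercentUsed = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
        # Circular = Overwrite events as needed; Retain = Do not overwrite
        # (clear log manually); AutoBackup = Archive the log when full
        LogMode     = $log.LogMode.ToString()
    }
}

'Before:'; Get-LogCapacity $LogName | Format-List

# Steps 3-4: raise the maximum size and overwrite as needed (/rt:false) so the
# log can no longer fill up and leave the service Misconfigured.
wevtutil sl $LogName "/ms:$($MaxSizeMB * 1MB)" /rt:false
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }

# Archive (Save Log File As): native .evtx plus a .csv of the newest entries.
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $ArchiveDir "$env:COMPUTERNAME-$LogName-$stamp.evtx"
wevtutil epl $LogName $archive
if (-not (Test-Path $archive)) { throw "export of $LogName to $archive failed" }
Get-WinEvent -LogName $LogName -MaxEvents 5000 |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Export-Csv -Path ($archive -replace '\.evtx$', '.csv') -NoTypeInformation

# Step 5, only once the archive exists. Clearing the Security log writes event
# 1102 (audit log cleared), which detection rules commonly alert on, so treat
# this as a recorded change rather than a routine fix.
if ($ClearAfterArchive) {
    wevtutil cl $LogName
    if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed with exit code $LASTEXITCODE" }
}

'After:'; Get-LogCapacity $LogName | Format-List
```

The wevtutil retention flags map onto the dialog's overwrite options: /rt:false is Overwrite events as needed, /rt:true on its own is Do not overwrite, and /rt:true /ab:true is Archive the log when full. On Windows PowerShell 5.1 the size change can also be made with Limit-EventLog -LogName Security -MaximumSize 256MB -OverflowAction OverwriteAsNeeded. Prefer a larger circular log over "Do not overwrite": a log that stops accepting events is exactly the Full condition this section is about, and it also means the Agent has nothing new to report.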

The Probe does not have Permission to the device's WMI or DCOM

For more information about this error, please see KBA10001: Service Displays a 205 or 201 WMI Error.

The IP address of the device has changed

This is most common in DHCP environments. Because the Agent queries WMI locally, it normally does not have to submit credentials; when the device's IP address changes, however, the Agent presents itself from a different address than the one SolarWinds N-central has on record, appears to be another device, and is challenged for credentials.

The resolution to this is fairly simple:

  1. Find the specified device within the SolarWinds N-central UI
  2. Click on the Agent tab
  3. Place a check next to Update Monitored Address. SolarWinds N-central will then update the device's address automatically.
  4. Click on the Services (pre SolarWinds N-central 7.0) or Status (SolarWinds N-central 7.0+) tab.
  5. Click Add
  6. Enter 1 next to the LocalIP service. This service monitors whether the device's local IP matches the address SolarWinds N-central has listed.
  7. Click OK. The next scan interval of the Windows Event Log service should bring the service back to a normal state.