Hi there,
Have just downloaded the trial version of EventReporter and installed it on a Windows 2008 Server Standard with SP1. So far so good. If I can get some advice on the following it may swing the decision to register for a full copy...
I have everything set up and forwarding events to a syslog server (Solarwinds Orion). Great! However I am trying to filter this to just forward certain Windows Auditing events which I think I have done. However, when I check the syslog server and view the forwarded events I see messages like the one below that state the Event ID description could not be found?
Message details - server name and username changed for security reasons.
<servername.domain> EvntSLog: RealSource:"<servername.domain>" 4658 Microsoft-Windows-Security-Auditing 12800 The description for Event ID ( 4658 ) in Source ( Microsoft-Windows-Security-Auditing ) could not be found. It contains the following insertion string(s): S-1-5-21-679025019-1726819077-794372410-26736 ewimp WOXFORD 0x1073648 Security 0x16dc 0x4
Now I can check the server event log for the exact details but I'd rather not have to do that. Is there something in the config I am missing? Is it a Windows 2008 thing? Or is it just because the event/s do not have descriptions and so cannot be reported?
Any clues, ideas or help appreciated!
Thanks
Jeff


