http://discuss.joelonsoftware.com/default.asp?dotnet.12.264626.11 This seems like it contains the information I will need. Will test and report back. Verified that an Administrator account can resolve the name. Clearly a permissions issue, but the user account is just a 'user' account with the manage logs permission in group policy. Need to check the permissions on the HKLM key corresponding to the security event log. We don't care about it having write, but the account needs read at least.
jayKuykendal...
2 Posts
Security Event Log Error resolving EventCategoryName and Message from remote system.
Jan 04, 2012 08:31 PM
We have a batch file that uses log parser to pull remote systems logs, but the system has been getting the following error for quite some time. My coworker says that it used to work. He says it used to resolve the EventCategoryName and Message and it no longer does. It runs under an account that has no elevated permissions/privileges. I think it is conceivable that this account had elevated permissions but that they were removed.
These are the commands run:
"c:\program files\log parser 2.2\LogParser" -o:NAT -filemode:0 -rtp:-1 "SELECT Count(*) as [Total MyServerName Events] INTO c:\Intrusionrptg\AdminLog.txt FROM \\MyServerName\Security WHERE EventID in (624;631;632;633;634;635;636;637;638;639;641;643;645;646;647;608;609;610;611;612;621;622;623) and TimeWritten >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-02', 'yyyy-MM-dd') )" -resolveSIDs:ON
"c:\program files\log parser 2.2\LogParser" -o:NAT -filemode:0 -rtp:-1 "SELECT TimeGenerated, ComputerName, SourceName, EventCategoryName, Message INTO c:\Intrusionrptg\AdminLog.txt FROM \\MyServerName\Security WHERE EventID in (624;631;632;633;634;635;636;637;638;639;641;643;645;646;647;608;609;610;611;612;621;622;623) and TimeWritten >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-02', 'yyyy-MM-dd') )" -resolveSIDs:ON
This is a sample from the log that shows the lack of resolution:
"TimeGenerated ComputerName SourceName EventCategoryName Message
----------------------- ----------------------- ------------------ ------------------------------- -------------
2011-12-22 14:36:43 MyServerName Security The name for category 7 in Source "Security" cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer The description for Event ID 624 in Source "Security" cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer"
I read some things online which suggest that the account may need to have its permissions elevated, none of the links and posts were very official. I don't really know if the account once had admin rights. Does it need Admin rights?
These issues are repeated across several remote servers including the server that the script actually runs on.
Any assistance is greatly appreciated.
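A check worth adding next to the commands above: the report is produced unattended, so an unresolved EventCategoryName or Message (the "cannot be found" text in the sample) would otherwise be mailed out as if it were data. The Python below is an added example, not code from the thread or from Log Parser; it parses -o:NAT output like the sample using the dashed ruler line for column widths, flags every placeholder value, and counts them per server so the batch job can alert instead. The sample rows and their column widths are constructed.

```python
import re
from collections import Counter
# Text Windows substitutes when the message DLL / registry info for a source is
# unavailable (wording from the thread); only the stable prefix is matched.
UNRESOLVED_RE = re.compile(
    r'The (?:name for category (?P<category>\d+)|description for Event ID (?P<event_id>\d+))'
    r' in Source "(?P<source>[^"]+)" cannot be found')
# Constructed -o:NAT sample modelled on the post; widths are chosen here, not taken from the tool.
_WIDTHS = (19, 12, 10, 64)  # every column except the trailing Message column

def _nat_line(cells):
    return " ".join([c.ljust(w) for c, w in zip(cells[:-1], _WIDTHS)] + [cells[-1]])

SAMPLE_NAT = "\n".join(_nat_line(cells) for cells in [
    ("TimeGenerated", "ComputerName", "SourceName", "EventCategoryName", "Message"),
    tuple("-" * w for w in _WIDTHS) + ("-" * 7,),
    ("2011-12-22 14:36:43", "MyServerName", "Security",
     'The name for category 7 in Source "Security" cannot be found.',
     'The description for Event ID 624 in Source "Security" cannot be found.'),
    ("2011-12-22 14:40:10", "MyServerName", "Security",
     "Account Management", "User Account Created: jdoe (constructed)"),
    ("2011-12-22 15:02:51", "ServerB", "Security",
     'The name for category 6 in Source "Security" cannot be found.',
     "Successful Logon: jdoe (constructed)"),
])

def parse_nat(text):
    """Rows -> dicts; column spans come from the ruler, last column runs to EOL."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, ruler, rows = lines[0], lines[1], lines[2:]
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
    names = [header[s:e].strip() for s, e in spans]
    return [{names[i]: (row[s:] if i == len(spans) - 1 else row[s:e]).strip()
             for i, (s, e) in enumerate(spans)} for row in rows]

def find_unresolved(records):
    """(ComputerName, column, source, category-or-event-id) for each placeholder."""
    hits = []
    for rec in records:
        for col in ("EventCategoryName", "Message"):
            m = UNRESOLVED_RE.search(rec.get(col, ""))
            if m:
                hits.append((rec["ComputerName"], col, m.group("source"),
                             m.group("category") or m.group("event_id")))
    return hits

def unresolved_by_computer(records):
    """Per-server count; non-zero means alert instead of mailing the report."""
    return dict(Counter(hit[0] for hit in find_unresolved(records)))
```

If the report is written with -o:CSV instead of NAT, csv.DictReader replaces parse_nat and the two check functions stay the same.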
HCamper
8048 Posts
Re: Security Event Log Error resolving EventCategoryName and Message from remote system.
Jan 05, 2012 12:27 AM
Hello,
You have an automated email that gets sent out daily. Where does the email come from?
For the security events from the prior day. This is a Remote Server; you should check on that machine.
You recently got the information in the Email; using that information, check the machine.
The Email does not contain enough information.
IMO: It makes sense not to reveal more about the Remote Server & machine in an Email.
If you check the IIS Server logs and there are errors post them in the forum.
Martin
Community Member Award 2011
HCamper
8048 Posts
Re: Security Event Log Error resolving EventCategoryName and Message from remote system.
Jan 07, 2012 02:26 AM
Hello,
You have a batch script that is used with log parser. It now has problems. "Your coworker says that it used to work."
Session 0 changes for security: http://msdn.microsoft.com/en-us/windows/hardware/gg463353
User Access Control: http://forums.iis.net/p/1178151/1981859.aspx (members of the Administrators group do not have full rights or permissions).
The information above should help answer your permissions questions.
Technet http://technet.microsoft.com/en-us/magazine/2008.06.elevation.aspx article.
http://technet.microsoft.com/en-us/sysinternals/cc300361 Runas, Sysinternals.
Technet Elevation Power Toys http://blogs.technet.com/b/elevationpowertoys/ tools that may help.
Martin
Community Member Award 2011
jayKuykendal...
2 Posts
Re: Security Event Log Error resolving EventCategoryName and Message from remote system.
Jan 08, 2012 06:09 AM
HCamper
8048 Posts
Re: Security Event Log Error resolving EventCategoryName and Message from remote system.
Jan 08, 2012 06:53 AM
Ok,
So which Windows? http://en.wikipedia.org/wiki/History_of_Microsoft_Windows
http://discuss.joelonsoftware.com/default.asp?dotnet.12.264626.11 is dated 2005.
Searching Technet http://technet.microsoft.com/en-us/security/bb980617 or
Microsoft Support http://support.microsoft.com/select/?target=hub is more up to date.
Community Member Award 2011
carehart
32 Posts
Re: Security Event Log Error resolving EventCategoryName and Message from remote system.
Jan 09, 2012 07:21 PM
Jay, can you please clarify what you're really asking? For instance, you show in your output what seems to be the result of running the LogParser against your Windows event log. It would seem the "error" is not from logparser but rather this "output" is reflecting what's in your Event log.
Have you looked at the event log in question, for this entry you show, in the event viewer of the same machine where logparser is running? And does it show the eventcategory name and message? When you look at the security event log and find these exact date/time entries, note that you are seeing there what would be extracted by logparser.
The point is, you may be asking here on the logparser forum for an answer to a question that has nothing to do with logparser. If those values are not resolved in the eventviewer for a remote machine, logparser won't help with that problem.
Here's another thread on this forum from some time ago where the same problem bit someone else:
http://forums.iis.net/t/1144993.aspx
HCamper
8048 Posts
Re: Security Event Log Error resolving EventCategoryName and Message from remote system.
Jan 18, 2012 11:08 PM
Hi,
A small interrupt for this thread "Any assistance".
TIA,
Martin
Community Member Award 2011