Friday, July 15, 2005

I work in a place where we have lots of clients with lots of servers and hundreds of remote terminals.  If you ever have a problem on a terminal while it's in use, it's inconvenient to the users to tell them that you need to take over their terminal for a while just so you can look at the event log.  So you use remote tools to read the event logs.  I do this quite frequently, but I thought it might be worth sharing this article someone sent me.

***********************BEGIN ARTICLE************************

Viewing remote Event Logs

By Adrian Grigorof, B.Sc., MCSE

The description of an event is not stored in the Event Log itself but in a Message File specific to each application. The Event Viewer can open remote event log files (binary files with the EVT extension), but not remote Message Files. The Message Files (actually DLL or EXE files) are required in order to display the description of an event properly.

For example, assume that computer APPSERVER runs an application called "Smart Application", which installs a service called "smartapp". When the service starts, smartapp writes an entry to the Application event log. Running Event Viewer on APPSERVER itself, one sees the event description as follows:

"The Smart Application service has started successfully."

Running Event Viewer from the administrator's workstation (ADMINWKS) and connecting to the remote registry of APPSERVER, one sees the same event described quite differently:

"The description for Event ID (100) in Source (smartapp) could not be found. It contains the following insertion string(s): The Smart Application service has started successfully."

This means that the Message File for Smart Application events is not installed on ADMINWKS, or that no message file is registered for that source at all. If a message file does exist and the event is to display properly on the administrator's computer (or on any other computer), the Message File DLL has to be installed there and the source has to be registered in that computer's registry.

Here is the procedure:

1. Locate the dll

All application event log message DLLs are registered under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application

All system event log message DLLs are registered under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System

So, for example, Smart Application would probably have an entry for its Application events like the one below:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\SmartApp

EventMessageFile (REG_EXPAND_SZ): C:\Program Files\SmartApplication\smartapp.dll

All of Smart Application's event log messages are defined in smartapp.dll. The subkey name (SmartApp) must match the Source name the application logs under; registry key names are not case sensitive, so a source of "smartapp" still matches. Note also that EventMessageFile may list several files separated by semicolons, and that as a REG_EXPAND_SZ value it may contain environment variables such as %SystemRoot%, which are expanded on the computer doing the lookup.

2. Export the registry keys

Using REGEDIT, select the applicable registry key. In this example:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\SmartApp

On the Registry menu, click Export Registry File and choose a file name (for example, SmartApp.reg).

3. Import the registry keys into ADMINWKS

Copy SmartApp.reg to ADMINWKS and, using REGEDIT, import the keys into the local registry.

4. Copy the message file on ADMINWKS

From C:\Program Files\SmartApplication on APPSERVER, copy smartapp.dll to C:\Program Files\SmartApplication on ADMINWKS. The destination path must match the EventMessageFile value imported in step 3. Since a message DLL is executable content being placed on an administrator's workstation, verify it before copying it (a valid Authenticode signature, or a hash that matches the vendor's installation media).

5. The events should now display their descriptions properly when viewed from ADMINWKS.
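The five steps above, scripted for Windows PowerShell 5.1. This is an added example and not part of the original article: it reads the source's registration from the server's registry, copies the message DLL(s) through the admin share to the same path on the workstation after checking their signatures, writes the registration into the local registry (replacing the .reg export and import), and then reads a few events back to confirm the descriptions resolve. It assumes you run it from an elevated prompt as a local administrator on both machines, that the Remote Registry service and the C$ share on the server are reachable, and that paths such as %SystemRoot% expand to the same location on both machines. APPSERVER, Application and SmartApp are the article's placeholder names.

```powershell
# Added example, not the article's own code. Mirrors a remote event source's
# message-file registration onto this workstation so descriptions render locally.
param(
    [string]$Server = 'APPSERVER',      # placeholder names from the article
    [string]$Log    = 'Application',
    [string]$Source = 'SmartApp'
)

$keyPath = "SYSTEM\CurrentControlSet\Services\EventLog\$Log\$Source"

# Step 1: locate the DLL by reading EventMessageFile from the server's registry.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
$key  = $hklm.OpenSubKey($keyPath)
if (-not $key) { throw "Source '$Source' is not registered under the $Log log on $Server" }

# Keep the REG_EXPAND_SZ value unexpanded so it is written locally exactly as found.
$rawValue = $key.GetValue('EventMessageFile', $null,
    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$typesSupported = $key.GetValue('TypesSupported')
$key.Close(); $hklm.Close()

if (-not $rawValue) {
    throw "Source '$Source' has no EventMessageFile: the application ships no message file, so there is nothing to copy"
}

# EventMessageFile may list several DLLs separated by semicolons.
$files = $rawValue -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Step 4 first (so a failed copy leaves no dangling registry key): fetch each DLL
# through the admin share, checking its signature and recording its hash.
foreach ($file in $files) {
    # Assumption: environment variables expand identically on server and workstation.
    $localPath  = [Environment]::ExpandEnvironmentVariables($file)
    # C:\Program Files\X\y.dll  ->  \\APPSERVER\C$\Program Files\X\y.dll
    $remotePath = '\\' + $Server + '\' + ($localPath -replace '^([A-Za-z]):', '$1$$')

    $sig = Get-AuthenticodeSignature -FilePath $remotePath
    if ($sig.Status -ne 'Valid') {
        # A message DLL is still a DLL; do not silently plant unverified code on an admin box.
        Write-Warning "$remotePath is not validly signed ($($sig.Status)); check its hash against the vendor's media before trusting it"
    }
    Write-Host ("SHA256 {0}  {1}" -f (Get-FileHash -Path $remotePath -Algorithm SHA256).Hash, $remotePath)

    $dir = Split-Path -Path $localPath -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Copy-Item -Path $remotePath -Destination $localPath -Force
}

# Steps 2 and 3 collapsed: write the same values into this workstation's registry
# directly instead of exporting and importing a .reg file.
$localKey = "HKLM:\$keyPath"
if (-not (Test-Path -Path $localKey)) { New-Item -Path $localKey -Force | Out-Null }
Set-ItemProperty -Path $localKey -Name 'EventMessageFile' -Value $rawValue -Type ExpandString
if ($null -ne $typesSupported) {
    Set-ItemProperty -Path $localKey -Name 'TypesSupported' -Value $typesSupported -Type DWord
}

# Step 5: read the newest events for the source from the server. Get-EventLog looks
# up the message file path in the remote registry but loads the DLL from that path
# on the local machine, so with the copy and key in place Message now renders instead
# of the "description ... could not be found" wrapper.
Get-EventLog -ComputerName $Server -LogName $Log -Source $Source -Newest 5 |
    Select-Object TimeGenerated, EventID, Message | Format-Table -AutoSize -Wrap
```

Get-EventLog exists only in Windows PowerShell (it was removed from PowerShell 6 and later), which is why the script targets 5.1. The DLL is copied before the registry key is written so that, if the copy fails, the workstation is not left with a registration pointing at a file that does not exist.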

In some cases there is no Message File at all, so the description is not displayed properly even on the computer running the application. This usually indicates a poorly written application (the application writes event log entries, but the programmers did not bother creating Message Files), or an installation that was incomplete or corrupted.

In many cases one can deduce the actual description by reading just the last part of the message. For example, from "The description for Event ID (100) in Source (smartapp) could not be found. It contains the following insertion string(s): The Smart Application service has started successfully." one can discard everything but "The Smart Application service has started successfully." This works for events whose message is a single insertion string with no parameters, and it sometimes offers clues even for events that do use parameters.
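Rather than reading the insertion strings out of the "could not be found" wrapper, one can read them directly from the event record, where they are stored individually. The following is an added example for Windows PowerShell 5.1 and not part of the original article; it assumes read access to the remote Application log and uses the article's placeholder names APPSERVER and smartapp.

```powershell
# Added example, not the article's own code. Lists remote events with their raw
# insertion strings, which exist whether or not a message file is installed.
function Get-RawEventText {
    param(
        [string]$ComputerName = 'APPSERVER',    # placeholder names from the article
        [string]$LogName      = 'Application',
        [string]$Source       = 'smartapp',
        [int]$Newest          = 20
    )
    Get-EventLog -ComputerName $ComputerName -LogName $LogName -Source $Source -Newest $Newest |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeGenerated
                EventID  = $_.EventID               # low 16 bits of InstanceId, as Event Viewer shows it
                Source   = $_.Source
                # Message is the rendered description, or the "could not be found"
                # wrapper when no message file is registered on this machine.
                Rendered = $_.Message
                # ReplacementStrings holds exactly the strings the application logged,
                # one element per insertion string, so parameterised events stay
                # separable instead of being run together in the wrapper text.
                Inserts  = ($_.ReplacementStrings | ForEach-Object { '[' + $_ + ']' }) -join ' '
            }
        }
}

Get-RawEventText | Format-Table -AutoSize -Wrap
```

For an event with no message file, ReplacementStrings is all the information the application ever wrote; for one that does have a message file, comparing it with Message shows which parts of the description were template text and which were supplied at logging time.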

***********************END ARTICLE***************************

-- Matt Ranlett

7/15/2005 11:44:32 AM (Eastern Standard Time, UTC-05:00)