Not collecting events from Domain Controllers
Not collecting events from Domain Controllers - 17.Sep.2008 9:00:39 AM
cmhnz
Posts: 9
Score: 0
Joined: 17.Sep.2008
Status: offline
Hi, We have recently upgraded our domain controllers from Win 2000 to Win 2003 and have added the new DCs as Event Sources in EventsManager, however no events are being recorded in the Events Browser. They are set to scan every hour, and I've also run scans manually but no luck. All logs are set to be collected (security, application, system etc). Can anyone suggest why they are not being collected? Logs are being collected fine from our Exchange servers. EventsManager 8, Windows Server 2003. Thanks in advance. Chris
RE: Not collecting events from Domain Controllers - 17.Sep.2008 9:18:43 AM
DrewE
Posts: 476
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
Do you see anything listed in the Status -> Job Activity window for the servers?
_____________________________
Drew Easley - Technical Support Representative GFI Software - www.gfi.com
RE: Not collecting events from Domain Controllers - 17.Sep.2008 9:25:22 AM
cmhnz
Posts: 9
Score: 0
Joined: 17.Sep.2008
Status: offline
Hi Drew, Yes, actually. It's reporting 'Error opening event log <Event log name> on machine <server>'. I've had a quick look for a log to provide more information, but can't seem to see anything; can you point me in the right direction to find more information as to what is causing the error? Thanks, Chris
RE: Not collecting events from Domain Controllers - 17.Sep.2008 1:17:22 PM
SPBloom
Posts: 3
Score: 0
Joined: 17.Sep.2008
Status: offline
Interesting. I'm having the same problem. Had a server that I connected to AOK this morning. Tried to use the "inherit from parent" UID/PW and now I cannot connect, even when I put in the hard coded UID/PW. Had a similar problem with a server this morning where I couldn't create it at first, then figured I'd give it a try again, and now it's working. The message that I get says "error connecting to ....., error 0x5, Access Denied".
RE: Not collecting events from Domain Controllers - 17.Sep.2008 2:43:15 PM
SPBloom
Posts: 3
Score: 0
Joined: 17.Sep.2008
Status: offline
FYI, I stopped and restarted the GFI service and it seems that things are working. I'm collecting info from DCs and regular servers.
RE: Not collecting events from Domain Controllers - 18.Sep.2008 4:43:31 AM
cmhnz
Posts: 9
Score: 0
Joined: 17.Sep.2008
Status: offline
I haven't been able to connect to these servers at all since I added them as Event Sources, and have restarted the EventsManager service (again just now) and run a scan, but still showing errors when trying to access the event logs.
RE: Not collecting events from Domain Controllers - 18.Sep.2008 9:04:45 AM
SPBloom
Posts: 3
Score: 0
Joined: 17.Sep.2008
Status: offline
If you're using "inherited" security credentials, try changing them to be specific and use the master domain UID/PW. FWIW, it shouldn't be this hard and should just plain work. I'm assuming that you have the local machine reporting events AOK...as well as other non-DC devices.
RE: Not collecting events from Domain Controllers - 18.Sep.2008 9:33:09 AM
cmhnz
Posts: 9
Score: 0
Joined: 17.Sep.2008
Status: offline
That's what I thought, and up until now it has been as easy as that. I've tried using the inherited credentials, which should be the credentials the EventsManager service runs as (domain admin account), but have also tried entering domain admin credentials as well, both with same result. Other machines (Exchange servers and old DCs) are reporting fine, but these are the only new sources we've added since it was set up. My concern is that the disk drive housing the SQL database ran out of space a while back, and once we freed some space everything started working ok again, but thought I should mention it.
RE: Not collecting events from Domain Controllers - 19.Sep.2008 9:11:07 AM
DrewE
Posts: 476
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
Try opening the Events Viewer remotely. (Right click on My Computer from the GFI server and choose Manage. Right click the first node and select the remote domain controller.) Can you view the events remotely from the GFI server?
_____________________________
Drew Easley - Technical Support Representative GFI Software - www.gfi.com
RE: Not collecting events from Domain Controllers - 24.Sep.2008 6:36:06 AM
cmhnz
Posts: 9
Score: 0
Joined: 17.Sep.2008
Status: offline
I cannot access the event logs by remotely managing any of the domain controllers, which would obviously prevent EventsManager from accessing because they try to access using the same domain admin account. I'll investigate why this is the case, but cannot see any reason after a quick look. Any ideas appreciated. Thanks
RE: Not collecting events from Domain Controllers - 24.Sep.2008 8:36:04 AM
DrewE
Posts: 476
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
Is your user account a member of domain admins? Not having this group added would be the most typical cause.
_____________________________
Drew Easley - Technical Support Representative GFI Software - www.gfi.com
RE: Not collecting events from Domain Controllers - 24.Sep.2008 10:24:18 AM
cmhnz
Posts: 9
Score: 0
Joined: 17.Sep.2008
Status: offline
Yes, I've tried with 2 Domain Admin accounts and both return the same result. There is obviously a setting somewhere preventing access, but we have one of our old Win2K DCs up and running inheriting the same group policy, and I am able to access the event logs fine. From what I've seen, most (if not all) local security settings are set through group policy, and user groups are set through domain groups in AD Users & Computers. Based on this, our current setup should work. I'll continue searching, but again, if anyone has any more bright ideas of what to check, I'm all ears. Thanks
RE: Not collecting events from Domain Controllers - 24.Sep.2008 11:27:59 AM
Arielle
Posts: 289
Score: 0
Joined: 15.Sep.2006
Status: online
Are the Remote Registry service and the Event Log service started on the DC? What is the error message you get when you try to access the Event Viewer remotely?
_____________________________
Arielle Bonnici - Quality Metrics Analyst GFI Software - www.gfi.com
RE: Not collecting events from Domain Controllers - 25.Sep.2008 4:06:52 AM
cmhnz
Posts: 9
Score: 0
Joined: 17.Sep.2008
Status: offline
Both Remote Registry and Event Log services are started, and set to Automatic. I can remote manage the DC, but as soon as I try to expand Event Viewer I receive the following error message: Unable to connect to the computer "xxxxxx". The error was: Access is denied. For what it's worth, I cannot view Device Manager remotely either, access denied. I'll keep investigating permissions, but can't see anything obvious, and this is specific to our 2k3 DCs, which inherit the same group policy as our Win2k DCs which we can access fine.
RE: Not collecting events from Domain Controllers - 25.Sep.2008 5:55:32 AM
Arielle
Posts: 289
Score: 0
Joined: 15.Sep.2006
Status: online
Check the following registry key on the DC:
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
Right click on winreg and select 'Permissions', select the LOCAL SERVICE user and click on 'Advanced'. Select the LOCAL SERVICE user again, click on 'Edit...' and make sure that it has Query Value, Enumerate Subkeys, Notify and Read Control allow permissions.
_____________________________
Arielle Bonnici - Quality Metrics Analyst GFI Software - www.gfi.com
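The permission check described in the post above, as an added PowerShell example (not part of the original thread and not GFI's own tooling). It only reads the ACL, is meant to be run locally on the DC in an administrative session, and assumes the rights are granted by ACEs that name LOCAL SERVICE directly.

```powershell
# Added example: read-only audit of LOCAL SERVICE rights on the winreg key.
# Run locally on the DC from an administrative session.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# S-1-5-19 is the well-known SID of NT AUTHORITY\LOCAL SERVICE; matching on
# the SID avoids problems with localized account names.
$localServiceSid = 'S-1-5-19'

# ReadKey is QueryValues + EnumerateSubKeys + Notify + ReadPermissions, i.e.
# the four rights the post lists (Read Control shows up as ReadPermissions).
$required = [int][System.Security.AccessControl.RegistryRights]::ReadKey
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$acl = Get-Acl -Path $keyPath
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$allow = 0
$deny = 0
foreach ($rule in $rules) {
    if ($rule.IdentityReference.Value -ne $localServiceSid) { continue }
    # Inherit-only entries apply to subkeys, not to winreg itself.
    if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
    if ($rule.AccessControlType -eq 'Allow') {
        $allow = $allow -bor [int]$rule.RegistryRights
    } else {
        $deny = $deny -bor [int]$rule.RegistryRights
    }
}

# Deny entries override allow entries; only ACEs naming LOCAL SERVICE
# directly are counted, as in the manual check (group grants are ignored).
$effective = $allow -band (-bnot $deny)
$missing = $required -band (-bnot $effective)

if ($missing -eq 0) {
    'OK: LOCAL SERVICE has Query Value, Enumerate Subkeys, Notify and Read Control.'
} else {
    'MISSING for LOCAL SERVICE: ' + [System.Security.AccessControl.RegistryRights]$missing
}
```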