Problems with events not showing in GFI
Problems with events not showing in GFI - 22.Jul.2008 7:17:43 PM
eax
Posts: 4
Score: 0
Joined: 22.Jul.2008
Status: offline
Hi,

I configured two sources on a trial version of GFI EventsManager. One is a Win2k3 DC and the other an Exchange 2007 server. I configured the logging level on the Exchange server to show me when users are accessing other users' mailboxes (Event ID: 1016). None of these events show up in GFI. I even created a custom group with no rule processing enabled for this group, without any luck! Am I missing something, or what is the reason for some logs not being displayed or searchable in GFI? I even manually checked in the logging database and the logs are not there at all.

Regards, EAX
RE: Problems with events not showing in GFI - 23.Jul.2008 8:35:49 AM
eax
Posts: 4
Score: 0
Joined: 22.Jul.2008
Status: offline
Yes, all the events are showing up in the Windows event log on the Exchange server under the Application log. There are loads of the events I am looking for, but nothing gets pulled into GFI? I need this sorted quite urgently as I need to have this configured by the end of the week.
RE: Problems with events not showing in GFI - 23.Jul.2008 8:45:52 AM
DrewE
Posts: 1246
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
It sounds like a processing rule issue then. Try this:
- Choose Configuration -> Event Processing Rules.
- Create a new folder and name it 'My Processing Rules'.
- Select the newly created folder and press 'Ctrl + Up' on the keyboard. Do this multiple times until the newly created folder is at the top of the list (above noise reduction).
- Within the new folder create a new rule set, and a new processing rule.
- For the processing rule, enter the appropriate event ID you are searching for (1016). You may want to narrow this down by also listing the source.
- Once the rule is created, choose Configuration -> Event Sources.
- Right click on your server (or the group the server is in) and select Properties. Choose the Windows Event Log tab and locate the processing rules being applied toward the bottom of this window. Select the newly created ruleset and see if this changes anything.
_____________________________
Drew Easley, GFI Software
RE: Problems with events not showing in GFI - 23.Jul.2008 8:56:48 AM
eax
Posts: 4
Score: 0
Joined: 22.Jul.2008
Status: offline
OK, first of all, how can I collect all events without any processing rules? Secondly, what's the difference between your recommendation and the following scenario?

I added a group to the event sources called "MyGroup", as an example. In this group I configured for Windows Event Log, under the Post collection processing, the following setting: "Archive all logs without any further processing". Then I added the Exchange server to this group. This should basically skip all processing rules and add it to the events browser?
RE: Problems with events not showing in GFI - 23.Jul.2008 9:00:15 AM
DrewE
Posts: 1246
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
Yes, you are correct. Your settings should also archive all messages. If this does not work, we likely have trouble that needs investigation by our support department. You would want to open a support ticket at http://support.gfi.com so we can review your log files.
_____________________________
Drew Easley, GFI Software
RE: Problems with events not showing in GFI - 23.Jul.2008 3:56:03 PM
eax
Posts: 4
Score: 0
Joined: 22.Jul.2008
Status: offline
It seems that I have found the problem...

Under Event Processing Rules -> E-mail Server -> Microsoft Exchange Normal Operation, the two events I was looking for are the following:
1) users accessing their mailbox
2) mailbox accessed by other users than the owner

These two rules are in the default configuration, although the log they refer to is the Security log instead of the Application log. I don't know if this changed for Exchange 2007 or if this was a configuration mistake, but these events occur in the Application log (for Exchange 2007, and I assume for the others as well, which might make this a configuration mistake as part of the default installation).

I fixed these two rules and deleted all other rules from the configuration and tested! It worked perfectly. I then restored the old configuration and changed the rules from Security to Application log and tested again. Again, all worked 100%! In other words, the developers need to change the default configuration to refer to the correct logs!

Ta, and hope it helped!
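Added example (not part of the thread and not GFI's own code): the root cause above, a rule filtering on the Security log while the event is written to the Application log, can be caught by comparing each rule's configured log against the logs where its event ID is actually observed. The rule and event field names are hypothetical and do not reflect the GFI EventsManager configuration format; the sample records are constructed.

```python
from collections import defaultdict

# Hypothetical rule records (assumed field names, constructed values).
RULES = [
    {"name": "Mailbox accessed by other users than the owner",
     "log": "Security", "event_id": 1016},
    {"name": "Logon failure", "log": "Security", "event_id": 529},
    {"name": "Never-seen event", "log": "System", "event_id": 9999},
]

# Constructed sample of events as exported from the monitored servers.
EVENTS = [
    {"log": "Application", "source": "MSExchangeIS Mailbox Store", "event_id": 1016},
    {"log": "Application", "source": "MSExchangeIS Mailbox Store", "event_id": 1016},
    {"log": "Security", "source": "Security", "event_id": 529},
    {"log": "Security", "source": "Security", "event_id": 540},
]


def audit_rules(rules, events):
    """Classify each rule as 'ok', 'wrong_log' or 'no_events'.

    'wrong_log' means the rule's event ID was observed, but only in logs
    other than the one the rule filters on, so the rule can never match.
    """
    seen = defaultdict(lambda: defaultdict(int))  # event_id -> log -> count
    for ev in events:
        seen[ev["event_id"]][ev["log"]] += 1

    findings = []
    for rule in rules:
        by_log = seen.get(rule["event_id"], {})
        if by_log.get(rule["log"], 0) > 0:
            status = "ok"
        elif by_log:
            status = "wrong_log"
        else:
            status = "no_events"
        findings.append({"rule": rule["name"], "configured_log": rule["log"],
                         "status": status, "seen_in": sorted(by_log)})
    return findings


if __name__ == "__main__":
    for f in audit_rules(RULES, EVENTS):
        print(f"{f['status']:<10} {f['rule']} "
              f"(rule log: {f['configured_log']}, seen in: {f['seen_in']})")
```

A 'wrong_log' finding points to a rule whose log filter needs correcting, while 'no_events' only means the sample contained no such event and says nothing about the rule itself.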