Dumpevt from Schedule service


  • j2222
    replied
    Re: Dumpevt from Schedule service

    Well cleared them and it started working ...

    Thanks for your help,
    James


  • j2222
    replied
    Re: Dumpevt from Schedule service

    OH goody!!! Will try to clear them and let you know what happens.

    Thanks,
    James


    Guest replied
    Re: Dumpevt from Schedule service

    The rc=1500 error is why it is aborting, and that error seems to mean:

    ERROR_EVENTLOG_FILE_CORRUPT


  • j2222
    replied
    Re: Dumpevt from Schedule service

    Thanks kstanush,
    I've run the program again and here is the output. Strangely, if you delete the whole key, it gets re-created, but the values don't appear!

    James

    D:\CollectEvents>d:\collectEvents\dumpevt /logfile=sec /reg=local_machine
    le=d:\collectevents\sec.txt
    1/12/2005 3:48:52 PM
    Somarsoft DumpEvt V1.7.3, Copyright © 1995-1997 by Somarsoft, Inc.
    LogType=Security
    Computer=(local)
    SystemRoot=C:\WINNT
    Outfile=d:\collectevents\sec.txt
    Use HKEY_LOCAL_MACHINE for saving record number
    Format=yes
    DateFormat=(locale dependent)
    TimeFormat=HH':'mm':'ss
    FieldSeparator=,
    ReplaceFieldSeparator= (blank)
    ReplaceCR=^
    ReplaceLF=`
    StringSeparator=;
    MaxMessageLen=32000
    MaxFragmentLen=32000
    DumpData=none
    SplitDateTime=yes
    DumpRecnum=no
    ==>LastProcessed (0) < Oldest (6260913), log records lost
    process event log records starting with 6260913
    ==>Format message error, source=Security type=Parameter msg=5382 rc=317
    ==>Format message error, source=Security type=Parameter msg=5383 rc=317
    ==>Format message error, source=Security type=Parameter msg=5384 rc=317
    ==>Format message error, source=Security type=Parameter msg=7689 rc=317
    ==>Format message error, source=Security type=Parameter msg=7691 rc=317
    ==>Format message error, source=Security type=Parameter msg=7695 rc=317
    ==>Format message error, source=Security type=Parameter msg=7690 rc=317
    ==>Format message error, source=Security type=Parameter msg=7692 rc=317
    ==>Format message error, source=Security type=Parameter msg=7693 rc=317
    ==>Format message error, source=Security type=Parameter msg=7694 rc=317
    ==>Format message error, source=Security type=Parameter msg=5413 rc=317
    ==>Format message error, source=Security type=Parameter msg=5415 rc=317
    ==>Format message error, source=Security type=Parameter msg=5416 rc=317
    ==>Format message error, source=Security type=Parameter msg=5429 rc=317
    ==>Format message error, source=Security type=Parameter msg=5430 rc=317
    ==>Format message error, source=Security type=Parameter msg=5431 rc=317
    ==>Format message error, source=Security type=Parameter msg=5432 rc=317
    ==>ReadEventLog rc=1500 cbReq=0

    D:\CollectEvents>


  • kstanush
    replied
    Re: Dumpevt from Schedule service

    Thank you for your help in analyzing your problem. The output from DumpEvt that you provided in the next-to-previous posting may be the key to this problem. The message about "log records lost" indicates that DumpEvt is starting from the first record, because it can't find the key in the registry <eventlogname>-<computername> that you can see it looking for in the RegMon output.

    So, in cases where it either can't find the registry key or in cases where the record IDs are out of sync, DumpEvt starts from the beginning of the log.

    DumpEvt writes the last event log record that it processes back into the registry at the end of its processing. See if you see any error at the bottom of your log file. It should say:

    "last event log record processed = ???"

    If there is an error trying to write to the registry key, there should be an error message after that.

    [This message has been edited by kstanush (edited 01-12-2005).]

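    Added illustration (not part of the thread and not Somarsoft's code): a small Python simulation of the checkpoint mechanism kstanush describes above, combined with the rc=1500 (ERROR_EVENTLOG_FILE_CORRUPT) abort that Guest identifies further up the thread. The "registry" is a dict keyed the way DumpEvt names its value (<logname>-<computername>), the event records are constructed, and the exact resume rule (start at the oldest record when the checkpoint is more than one behind it, or when it is past the newest record after a log clear) is my assumption modelled on the "LastProcessed (0) < Oldest (...)" message; the page does not document DumpEvt's internal rule. The `checkpoint_on_abort=True` variant is likewise my addition, showing how persisting the last good record on abort would stop an unreadable record from forcing a full re-dump every run.

```python
"""Incremental event-log dump with a persisted checkpoint (simulation).

Added example, not Somarsoft DumpEvt's code. The registry is a dict, the log
is a list of constructed records, and ERROR_EVENTLOG_FILE_CORRUPT (Win32
error 1500, the rc seen in the thread) is simulated by a record flagged
corrupt. The resume rule and the cleared-log handling are assumptions.
"""
from dataclasses import dataclass

ERROR_EVENTLOG_FILE_CORRUPT = 1500   # printed by DumpEvt as "==>ReadEventLog rc=1500"


@dataclass(frozen=True)
class Record:
    recnum: int            # event log record number, increases monotonically
    event_id: int
    corrupt: bool = False  # constructed flag: reading this record fails


class ReadEventLogError(OSError):
    def __init__(self, rc: int):
        super().__init__(rc, f"ReadEventLog rc={rc}")
        self.rc = rc


def read_log(log, start):
    """Yield records with recnum >= start; fail like ReadEventLog on a corrupt one."""
    for rec in log:
        if rec.recnum < start:
            continue
        if rec.corrupt:
            raise ReadEventLogError(ERROR_EVENTLOG_FILE_CORRUPT)
        yield rec


def choose_start(last_processed, oldest, newest, messages):
    """Return the first record number to read (assumed rule, see module docstring).

    - last_processed + 1 < oldest: the log wrapped past the checkpoint, or the
      checkpoint was never written and reads as 0: start at oldest, report gap.
    - last_processed > newest: the log was cleared and numbering restarted.
    - otherwise resume just after the checkpoint.
    """
    if last_processed + 1 < oldest:
        messages.append(f"==>LastProcessed ({last_processed}) < Oldest ({oldest}), log records lost")
        return oldest
    if last_processed > newest:
        messages.append(f"==>LastProcessed ({last_processed}) > Newest ({newest}), log was cleared")
        return oldest
    return last_processed + 1


def dump(log, registry, logname, computer, checkpoint_on_abort=False):
    """One DumpEvt-style run. Returns (record numbers dumped, diagnostic lines).

    checkpoint_on_abort=False reproduces what the thread shows: the checkpoint
    is only written after a clean end-of-log, so an aborted read leaves the old
    value behind and the next run starts from the oldest record again.
    """
    messages = []
    key = f"{logname}-{computer}"          # e.g. Security-HORODC02
    last = registry.get(key, 0)
    if not log:
        return [], messages
    start = choose_start(last, log[0].recnum, log[-1].recnum, messages)
    dumped = []
    processed = last
    try:
        for rec in read_log(log, start):
            dumped.append(rec.recnum)
            processed = rec.recnum
    except ReadEventLogError as e:
        messages.append(f"==>ReadEventLog rc={e.rc} cbReq=0")
        if not checkpoint_on_abort:
            return dumped, messages     # checkpoint never reaches the registry
    registry[key] = processed
    messages.append(f"last event log record processed = {processed}")
    return dumped, messages


def scenario(checkpoint_on_abort=False):
    """Two runs against a log with one corrupt record, then one run after clearing it."""
    log = [Record(6260913 + i, 5382 + i, corrupt=(i == 4)) for i in range(8)]
    registry = {}
    run1, _ = dump(log, registry, "Security", "HORODC02", checkpoint_on_abort)
    run2, _ = dump(log, registry, "Security", "HORODC02", checkpoint_on_abort)
    cleared = [Record(1 + i, 4608) for i in range(3)]   # constructed fresh log after a clear
    run3, _ = dump(cleared, registry, "Security", "HORODC02", checkpoint_on_abort)
    return run1, run2, run3, registry.get("Security-HORODC02")


if __name__ == "__main__":
    print("original :", scenario(False))
    print("hardened :", scenario(True))
```

    With the original behaviour, run 1 and run 2 both dump the same four records and stop at the corrupt one, and the registry value is never written, which is the symptom James reported; only after the log is cleared does a run reach the end and store a checkpoint. With `checkpoint_on_abort=True`, run 2 starts just after the last good record and dumps nothing new.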

  • j2222
    replied
    Re: Dumpevt from Schedule service

    Here is a log from REGMON ... the app queries for the key Security-HORODC02 but never sets its value!

    Any ideas,
    James

    59 3.52961596 DUMPEVT.exe:4880 CloseKey HKLM\SOFTWARE SUCCESS
    60 3.52984603 DUMPEVT.exe:4880 CreateKey HKLM\SOFTWARE\Somarsoft\DumpEvt SUCCESS Access: 0x20019
    61 3.52987900 DUMPEVT.exe:4880 CloseKey HKLM\SOFTWARE\Somarsoft SUCCESS
    62 3.52992132 DUMPEVT.exe:4880 QueryValue HKLM\SOFTWARE\Somarsoft\DumpEvt\Security-HORODC02 NOTFOUND
    63 3.52995142 DUMPEVT.exe:4880 CloseKey HKLM\SOFTWARE\Somarsoft\DumpEvt SUCCESS
    64 3.54159657 DUMPEVT.exe:4880 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security SUCCESS Access: 0x20019
    65 3.54162423 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\CategoryMessageFile SUCCESS "%SystemRoot%\System32\MsAuditE.dll"
    66 3.54164566 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\CategoryMessageFile SUCCESS "%SystemRoot%\System32\MsAuditE.dll"
    67 3.54167768 DUMPEVT.exe:4880 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security SUCCESS
    68 3.54217959 DUMPEVT.exe:4880 OpenKey HKCU SUCCESS Access: 0x2000000
    69 3.54222114 DUMPEVT.exe:4880 OpenKey HKLM\System\CurrentControlSet\Control\Nls\MUILanguages NOTFOUND
    70 3.54226128 DUMPEVT.exe:4880 OpenKey HKCU\Control Panel\Desktop SUCCESS Access: 0x80000000
    71 3.54229278 DUMPEVT.exe:4880 QueryValue HKCU\Control Panel\Desktop\MultiUILanguageId NOTFOUND
    72 3.54231560 DUMPEVT.exe:4880 CloseKey HKCU\Control Panel\Desktop SUCCESS
    73 3.54233494 DUMPEVT.exe:4880 CloseKey HKCU SUCCESS
    74 3.54248056 DUMPEVT.exe:4880 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security SUCCESS Access: 0x20019
    75 3.54250318 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\EventMessageFile BUFOVRFLOW
    76 3.54252748 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\EventMessageFile SUCCESS "%SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\sp2res.dll;%SystemRoot%\System32\sp3res.dll"
    77 3.54254728 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\EventMessageFile BUFOVRFLOW
    78 3.54256980 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\EventMessageFile SUCCESS "%SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\sp2res.dll;%SystemRoot%\System32\sp3res.dll"
    79 3.54259798 DUMPEVT.exe:4880 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security SUCCESS
    80 3.62336209 DUMPEVT.exe:4880 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security SUCCESS Access: 0x20019
    81 3.62339235 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\ParameterMessageFile SUCCESS "%SystemRoot%\System32\MsObjs.dll"
    82 3.62341451 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\ParameterMessageFile SUCCESS "%SystemRoot%\System32\MsObjs.dll"
    83 3.62344797 DUMPEVT.exe:4880 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security SUCCESS
    84 178.39226011 DUMPEVT.exe:4880 CloseKey HKCU SUCCESS
    85 178.39228428 DUMPEVT.exe:4880 CloseKey HKLM SUCCESS


  • j2222
    replied
    Re: Dumpevt from Schedule service

    The output from the prog is:

    D:\CollectEvents>d:\collectEvents\dumpevt /logfile=sec /reg=local_machine /outfile=d:\collectevents\sec.txt
    1/12/2005 1:54:45 PM
    Somarsoft DumpEvt V1.7.3, Copyright © 1995-1997 by Somarsoft, Inc.
    LogType=Security
    Computer=(local)
    SystemRoot=C:\WINNT
    Outfile=d:\collectevents\sec.txt
    Use HKEY_LOCAL_MACHINE for saving record number
    Format=yes
    DateFormat=(locale dependent)
    TimeFormat=HH':'mm':'ss
    FieldSeparator=,
    ReplaceFieldSeparator= (blank)
    ReplaceCR=^
    ReplaceLF=^
    StringSeparator=;
    MaxMessageLen=64000
    MaxFragmentLen=64000
    DumpData=none
    SplitDateTime=no
    DumpRecnum=no
    ==>LastProcessed (0) < Oldest (7380964), log records lost
    process event log records starting with 7380964
    ==>Format message error, source=Security type=Parameter msg=5382 rc=317
    ==>Format message error, source=Security type=Parameter msg=5383 rc=317
    ==>Format message error, source=Security type=Parameter msg=5384 rc=317

    Does the message "records lost" mean anything relevant to this problem?

    Thanks,
    James


    Guest replied
    Re: Dumpevt from Schedule service

    Unfortunately no it is not.


  • j2222
    replied
    Re: Dumpevt from Schedule service

    The program creates logs and these are getting created OK ... obviously I can't see any output since it's running from the schedule service.

    Is the source code available/in the public domain?

    Thanks,
    James


    Guest replied
    Re: Dumpevt from Schedule service

    This should work the way you have it set up, but it's hard to debug since it's running in another process. Try it from the administrator account to see if it works that way, to see if it's a permissions issue.

    Do you get any errors or anything in the output?


  • j2222
    replied
    Re: Dumpevt from Schedule service

    A CMD file called RUNCMD, which looks like this ...
    rem now and sleep are helper programs in d:\collectevents (not shown here)
    d:\collectevents\now Starting ... >> d:\collectEvents\CollectEvents.log
    :START
    rem remove the previous dump, then dump only the records since the last checkpoint
    del d:\collectevents\sec.txt
    d:\collectevents\now Dumping ... >> d:\collectEvents\CollectEvents.log
    start /low /wait d:\collectEvents\dumpevt /logfile=sec /reg=local_machine /outfile=d:\collectevents\sec.txt
    rem import the dumped records, wait five minutes, loop forever
    d:\collectevents\now Importing ... >> d:\collectEvents\CollectEvents.log
    start /low /wait cscript d:\collectevents\jcimportevents2.vbs d:\collectEvents\sec.txt
    d:\collectevents\now Sleeping >> d:\collectEvents\CollectEvents.log
    d:\collectevents\sleep 300
    goto START

    Thanks,
    James


    Guest replied
    Re: Dumpevt from Schedule service

    What is the exact command you are using?


  • j2222
    started a topic Dumpevt from Schedule service

    Dumpevt from Schedule service

    Help! I am trying to run DUMPEVT from the schedule service. It runs OK BUT dumps the entire log file!!! When I run it from the CMD line, it only dumps new events ... I've checked the registry, and from the command line the keys get created/updated, but from the schedule they don't ... the process has permission ... I'm using the /local_machine setting!

    Any ideas???

    Thanks,
    James