Not able to retrieve Security Event Log details from Windows 2008 R2 server


  • Not able to retrieve Security Event Log details from Windows 2008 R2 server

    Hi there,

    I have successfully filtered Security event log data for one of my servers, which is a Windows 2003 server. Then I tried to do the same for another server, which is a Windows 2008 R2 server, but I didn't get anything at all. I then accessed the server itself to make sure there are security events, and they were there, but for some reason Hyena didn't bring me any!
    Can you please help?

    I have Hyena version 8.6, running on a Windows 7 machine, and I run Hyena using: Run as Administrator.
    --> Under my DC, select the server which is the Windows 2008 R2 server, for example server X
    --> Right-click and select LOGON AS, and provide the login ID for the domain
    --> Right-click EVENTS --> Filter Events --> select: Event Log: 'Security', run the filter to show from start to end and click OK
    --> Result: No error message, and no data.

  • #2
    Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

    Are you specifying criteria to filter for? If so, remove all criteria and run it again to see if you get back records. Also, as a test, right-click on the server and choose Events->Event Viewer. Does that give any errors? Can you view Security events with it?



    • #3
      Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

      Hi there,

      Yes, I tried running the filter without any criteria and still didn't get any security-related logs.

      I got the error below when I did what you suggested: Events -- Event Viewer -- Windows Logs -- Security
      Error:
      Event Viewer cannot open the event log or custom view. Verify that event log services is running or query is too long. Access Denied (5)



      • #4
        Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

        Hi there,

        Appreciate your feedback, please.



        • #5
          Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

          I would have to assume the access denied issue is the reason you can't get events from that server. For some reason Windows is saying your account doesn't have sufficient permissions.



          • #6
            Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

            Thanks Admin,

            How come this is the issue? Because I can use the same login ID to access the server remotely and view the concerned security logs. It's just through Hyena that I am not able to get the needed details, but I can view, for example, Application Logs from Hyena!
            So I don't think it's a privilege issue.
            Appreciate your further investigation into this, please.



            • #7
              Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

              Just want to update you.
              I just went through all the servers in my domain and tried to access Security Event Logs, and I found that on some servers I am able to and on some I am not! But even on the ones where I am not able to, I can view Application Logs in Event Viewer; it's only Security Logs I cannot.



              • #8
                Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

                Appreciate your feedback, Hyena Team, please.



                • #9
                  Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

                  It sounds like a permissions issue of some sort. You got access denied trying to view them with Event Viewer, so Hyena is probably running into the same issue.



                  • #10
                    Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

                    Originally posted by cmccullough:
                    It sounds like a permissions issue of some sort. You got access denied trying to view them with Event Viewer, so Hyena is probably running into the same issue.


                    Hi there,

                    It's only using Hyena that I cannot get access to these security event logs! But I can check all events by accessing the server directly using the same login as I provide in Hyena.
                    Also, how can I access application logs and not access security logs of these servers! It's not an access permission issue, I believe. It is something to do with some setting, maybe, to allow Hyena to read such logs!

                    For the same machines, if I try to run some default WMI query then I get an error message saying: RPC server not found or not available. Does that help you to help me?



                    • #11
                      Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

                      It's not just Hyena because using Event Viewer you got an access denied. To further test that, on your computer run Event Viewer by itself (without Hyena), then connect to the server you are having trouble with and see if you are able to view all events. Make sure you run this on your remote computer to fully test remotely accessing the logs the same way you are doing when in Hyena.



                      • #12
                        Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

                        Here is one technical article on this error and one way to troubleshoot it.
                        http://social.technet.microsoft.com/Foru...76-6aae7f8dc101
                        Kevin Stanush
                        SystemTools Software Inc.



                        • #13
                          Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

                          Hi there,

                          I thought to update you on my issue.
                          You kept suggesting that it is an access issue and I kept saying I am using the same account on the local machine or from another machine accessing the needed logs remotely, and I was able to do so, but with Hyena I am not able to.

                          I contacted another company to help me investigate the issue and they successfully identified the problem. I have tested it with them and it's working now.

                          The problem was that for some strange reason - which I need you to please explain why and how? - when accessing only certain servers, the Hyena tool used my own credentials to access the logs instead of using the credentials I provide manually when right-clicking and choosing 'Logon As', and that is why we couldn't get the logs for these servers. Then for testing purposes I added myself to the domain administrator group and tried doing the same thing, and I was able to get the logs!
                          Another workaround was to start up the Hyena tool by pressing SHIFT and then right-clicking on the Hyena icon; then we get another option to log in as a different user. We choose this, then provide, at this stage, the domain administrator login, which is the same login I provided earlier by right-clicking on the server and choosing 'Logon As', then queried the security logs, and I was able to view the logs!

                          So why does Hyena choose to run my query using my local credentials for some servers, and ignore the credentials I provide manually?!



                          • #14
                            Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

                            Hyena has nothing to do with determining which credentials Windows uses. The Windows functions Hyena uses make that determination.

                            The Logon As function is basically the same as doing a:

                            net use \\server\IPC$

                            Windows will typically use that pipe when determining credentials, so the only theory I have is the servers that you have problems with might not allow IPC$ connections like that. In those cases Windows will use your logged on account.

                            Using Run As is always the best solution, though.



                            • #15
                              Re: Not able to retrieve Security Event Log details from Windows 2008 R2 server

                              I'll add/confirm what happens in different cases:

                              - The Logon As function simply creates an IPC$ connection to the server. You can actually 'see' this if you do a Logon As and then go to a command prompt and type "Net use". Windows lacks any method that an application can actually "logon" to another computer, so setting the IPC$ connection is essentially all we can do.

                              - When accessing event logs, Hyena has no way of providing a set of credentials to use, so Windows uses its rules on what credentials to use. It's supposed to always use an existing connection, so perhaps another previous connection was being used to the server. Or, the event log functions don't allow an IPC$ connection, or it was blocked, who knows. It's frustrating to know what is happening behind the scenes, so I'm glad you figured it out.

                              - When you do a 'Run As', then Windows will always use those credentials, and Hyena has no knowledge that you are running under another account (as it should be), and again Windows controls which credentials to use.

                              - Windows 7 might complicate this issue, where by default it strips away admin rights when you run an application. It could be that even if you 'Logon As' an administrator, and thereby set an IPC$ connection, Windows 7 might strip away the admin portion of those rights.

                              - Finally, when you perform a 'Logon As' or perhaps even a 'Run As', and then run an external application like the Event Viewer from Hyena, Windows will not run the external application using the credentials provided when you ran the parent application. Microsoft changed this behavior some time back and it's very unfortunate, as there isn't any way for the parent application (Hyena) to know (or should it know), the userid/password you ran it under and then pass this information to the external application.

                              In any case, I'm glad you shed some light on your issue.

                              Thanks for posting.
                              Kevin Stanush
                              SystemTools Software Inc.
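
The credential behaviour discussed in this thread can be checked outside Hyena. The following is an added example, not part of any post and not SystemTools code: it reads one record from the remote Security log first with the current logon and then with explicitly supplied credentials, and reports which attempt succeeds. It assumes PowerShell 3.0 or later; `SERVERX` and the function name `Test-SecurityLogAccess` are placeholders.

```powershell
# Added example: compare which identity can read the remote Security log.
# 'SERVERX' is a placeholder server name; the function name is hypothetical.
function Test-SecurityLogAccess {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [System.Management.Automation.PSCredential] $Credential
    )

    # Two Get-WinEvent argument sets: one relying on the process token (and
    # whatever existing session Windows picks), one with explicit credentials.
    $base = @{ ComputerName = $ComputerName; LogName = 'Security'
               MaxEvents = 1; ErrorAction = 'Stop' }
    $attempts = [ordered]@{ "Implicit ($env:USERDOMAIN\$env:USERNAME)" = $base }
    if ($Credential) {
        $attempts["Explicit ($($Credential.UserName))"] =
            $base + @{ Credential = $Credential }
    }

    foreach ($name in $attempts.Keys) {
        $params = $attempts[$name]
        try {
            $record = Get-WinEvent @params
            [pscustomobject]@{ Identity = $name; Result = 'OK'
                               Detail = "Newest record: $($record.TimeCreated)" }
        } catch {
            # Access denied (5) lands here, as do RPC or firewall failures.
            [pscustomobject]@{ Identity = $name; Result = 'FAILED'
                               Detail = $_.Exception.Message }
        }
    }
}

# Sessions already open to the server; a 'Logon As' IPC$ connection is listed here.
net use | Select-String -SimpleMatch 'SERVERX'

# Prompts for the account that would otherwise be typed into 'Logon As'.
Test-SecurityLogAccess -ComputerName 'SERVERX' -Credential (Get-Credential) |
    Format-Table -AutoSize -Wrap
```

An implicit row that fails with access denied next to an explicit row that succeeds indicates the Security log is being opened as the logged-on account, which is the situation described in post #13.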
