How to find the source of a cryptic event viewer log

eventviewerwindows-server-2008

I'm looking at the eventviewer logs, and I see a bunch Error entries in the Application log. (Windows Server 2008 R1). There is an error written to the logs about every 4 seconds.

I need to find out which application is causing these events, is there anyway to find this out?

Here is what each look like:

Error  12/2/2010 12:00:09 PM   Application 0   None

The details for each error:

Log Name:      Application
Source:        Application
Date:          12/2/2010 12:00:09 PM
Event ID:      0
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      computer.domain
Description:
The description for Event ID 0 from source Application cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 


the message resource is present but the message is not found in the string/message table

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application" />
    <EventID Qualifiers="0">0</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-12-02T20:00:09.000Z" />
    <EventRecordID>237167</EventRecordID>
    <Channel>Application</Channel>
    <Computer>computer.domain</Computer>
    <Security />
  </System>
  <EventData>
    <Binary>534F434B...</Binary>
  </EventData>
</Event>

Best Answer

The additional text in the event log Description field is displayed by event viewer. It does not stem from the log entry itself.

In my experience, the EventMessageFile setting of this event source is invalid, e.g. pointing to the wrong .NET version.

When confronted with the message, I replace the invalid setting in the registry with a valid EventMessageFile setting from a similar log configuration on the same machine (usual registry caution disclaimers apply).

After restarting event viewer the additional text disappears from the otherwise unchanged log entries.

Related Solutions

Windows Server 2008 – Email on Event Variables

I went about this a bit differently, but this approach generates emails on new events that match a custom filter, with all the event details included in the email body.

1) Create a 'Custom View' in the Event Viewer with your desired filter.

2) Once you have the view, you should see a link to 'Attach Task to This Custom View...'.

I chose to use sendMail.exe from here (http://caspian.dotconf.net/menu/Software/SendEmail/) which I extracted to C:\sendmail. The reason is Microsoft's 'Send an email' action has issues with SMTP authentication and also apparently isn't even present in Server 2012.

So in my case I selected 'Start a program' while attaching the task to the Custom View. But we're going to edit it as XML so don't worry about filling it in via the GUI.

3) Export the new Task to XML, we'll be editing it later.

4) Create a 'mail-event.bat' file under C:\sendmail folder with the following 3 lines:

C:\Windows\system32\wevtutil.exe qe Application /f:text /q:"<QueryList><Query Id='0' Path='Application'><Select Path='Application'>*[System[(EventRecordID=%1)]]</Select></Query></QueryList>" > C:\sendmail\%1.log
C:\sendmail\sendEmail.exe -s <smtp_server> -f <from> -xu <user> -xp <pass> -t <to> -u "<subject>" -o message-file=c:\sendmail\%1.log
del C:\sendmail\%1.log

Obviously, replace 'smtp_server', 'from', 'user', 'pass', 'to', 'subject' with the desired values.

This will create a '$(EventRecordID).log' file under C:\sendmail with all the details for that event, mail it, and then delete it.

You can test if the batch file works by going into Event Viewer, opening an event in your Applications log, switching to Details tab, selecting 'XML View' and then look for EventRecordID. Copy that integer, and then run from the command line:

C:\sendmail> log-event.bat 53522

Of course, replacing 53522 with the value from the EventRecordID node. If you receive the email, go to your happy place.

NOTE WELL: You might have noticed the string 'Application' shows up a couple times in the command line for wevtutil.exe -- that's because I couldn't seem to get it to work by pointing it directly at the Custom View, and my Custom View happened to be a sub-set of events that are all inside the Application log. You might have to adjust that to make it work in your case if your trying to mail events from the System log, for example.

5) Edit the XML you exported, we're going to make two changes:

First, add the following 'ValueQueries' node into the XML under the 'EventTrigger' node:

<EventTrigger>
  <Enabled>true</Enabled>
  <Subscription>...snip...</Subscription>
  <ValueQueries>
    <Value name="EventRecordID">Event/System/EventRecordID</Value>
  </ValueQueries>  
</EventTrigger>

NOTE: In the above, I snipped the 'Subscription' info which will have been filled in based on the Custom View you created. Don't copy my 'Subscription' into your XML!

Second, replace the Actions node with the following:

<Actions Context="Author">
   <Exec>
     <Command>C:\sendmail\mail_event.bat</Command>
     <Arguments>$(EventRecordID)</Arguments>
   </Exec>
</Actions>

Now, cause a new event to appear in your Custom View, and you should automatically get the email notification! Woohoo!

Warning After updating to 2008R2 AD

I had a conflicting group policy

Best Answer

Related Solutions

Windows Server 2008 – Email on Event Variables

Warning After updating to 2008R2 AD

Related Topic