Logs not written to custom event logs


SC_user10 - 8/6/2020

Hi,

I'm completely out of ideas. I have created custom event logs for forwarding on Server 2016, but no events are written to any of the custom logs. I have used both methods - creating a custom .man and .dll and using the Supercharger interface to create a custom log. But whatever I do, not a single event is written to any of those logs. As soon as I switch to Forwarded Events, events are starting to come in. What's even more baffling is I had it working on another server with the same procedure, I'm pretty sure. At least I can't remember doing anything differently.



bjvista - 8/6/2020

On the subscription, do you see any forwarders listed? If this is Server 2016 I would say it's a permissions issue. On the collector, in a cmd prompt, what do you get if you run "netsh http show urlacl"? Look for the line that says "Reserved URL: http://5985/wsman". Can you paste in a screenshot of what you have there?
SC_user10 - 8/6/2020

Hi,

I was considering this myself. And yet when I compare the SDDL with the Forwarded Events, it's exactly the same. I have no idea where I should be looking for the problem.
Also, if I create the event from Supercharger it still won't write any events into the log. I'd reckon that if Supercharger creates the log, all the permissions are set as they should be.
Forwarders are subscribing in to the collector. As soon as I switch the destination log to Forwarded Events, logs are coming in.



bjvista - 8/6/2020

So can you tell me what you get when you run that cmd that shows the SDDL?
SC_user10 - 8/7/2020

Hi,

Here are the screenshots:


bjvista - 8/27/2020

My next step would be to check the EventCollector log on the collector in Event Viewer. You should also check the eventForwarding log in a known forwarder's Event Viewer. The errors there should help.
SC_user10 - 8/28/2020

There's nothing in the logs.
There's an old error I'm sure I fixed already by modifying the url ACL.

When Subscriptions are set to put events into Forwarded Events everything is just fine. Clients are checking in and events are written to the log. The only problem I see is that event descriptions are missing for services that are not available on the collector.



bjvista - 8/29/2020

That's interesting because that message most always means the URLACL is messed up. And just to be sure, when you ran the netsh http add urlacl command, you ran that on the event collector, right? How many collectors do you have? Have you checked each one?
SC_user10

I'm sure I have fixed the ACL after that error. The thing is that on this collector everything works just fine until all the logs are dumped into Forwarded Events. Endpoints check in and send logs. But when any custom destination is selected, nothing happens. I'm completely out of ideas where to look. I see no other errors anywhere. And I have done custom event logs before without issue, and I can't remember doing anything differently than this time. I'm completely out of ideas. Maybe something has broken with any of the Server 2019 updates, I have no idea anymore.
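
The checks suggested in this thread, gathered into one script to run in an elevated PowerShell session on the collector. This is an added example, not something posted by either participant; the subscription name and custom log name are placeholders to replace with your own.

```powershell
# Added example: collect the diagnostics discussed in the thread for a WEF
# collector whose custom destination log stays empty.
param(
    [string]$Subscription = 'Example-Subscription',  # placeholder subscription name
    [string]$CustomLog    = 'Example-CustomLog'      # placeholder custom channel name
)

# 1. Subscription settings: is it enabled, and which log is the destination?
"--- Subscription settings ---"
wecutil gs $Subscription |
    Select-String -Pattern '^\s*(Enabled|LogFile|ContentFormat)\s*:'

# 2. Runtime status: which forwarders have checked in, and with what status.
"--- Forwarder runtime status ---"
wecutil gr $Subscription

# 3. Channel configuration of the custom log next to ForwardedEvents.
"--- Channel configuration ---"
$logs = Get-WinEvent -ListLog $CustomLog, 'ForwardedEvents' -ErrorAction Stop
$logs | Format-List LogName, IsEnabled, LogType, LogMode, RecordCount,
                    LogFilePath, SecurityDescriptor

$custom = $logs | Where-Object { $_.LogName -eq $CustomLog }
$fwd    = $logs | Where-Object { $_.LogName -eq 'ForwardedEvents' }
if (-not $custom.IsEnabled) {
    Write-Warning "$CustomLog is not enabled."
}
if ($custom.SecurityDescriptor -ne $fwd.SecurityDescriptor) {
    Write-Warning "SDDL of $CustomLog differs from ForwardedEvents."
}

# 4. URL reservations that mention wsman, with the ACL lines that follow each.
"--- URL ACL entries for wsman ---"
netsh http show urlacl | Select-String -Pattern 'wsman' -Context 0,5

# 5. Recent warnings and errors from the collector service's own log.
"--- EventCollector operational log ---"
Get-WinEvent -LogName 'Microsoft-Windows-EventCollector/Operational' `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -in 1..3 } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# On a forwarder, the matching check is:
#   Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 50
```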

