Where do I find the log files to
send to EventLog Analyzer Support?
The log files are located in the <EventLogAnalyzer_Home>/server/default/log
directory. Typically when you run into a problem, you will
be asked to send the serverout.txt file from
this directory to EventLog Analyzer Support.
I find that EventLog Analyzer keeps crashing or all of a sudden stops collecting logs. What could be the reason?
The inbuilt MySQL database of Firewall Analyzer could get corrupted if other processes are accessing these directories. Kindly exclude the EventLog Analyzer installation directory 'AdventNet' (it could be in C:\AdventNet or D:\AdventNet) from both the Backup process and Anti-Virus Scans.
How to create SIF (Support Information File) and send the file to AdventNet, if you are not able to perform the same from the Web client?
The SIF will help us to analyze the issue you have come across and propose a solution. If you are unable to create a SIF from the Web client UI, you can zip the files under the 'log' folder, which is located in C:\AdventNet\ME\Eventlog\server\default\log (default path), and send the zip file by uploading it at the following ftp link:
http://bonitas.adventnet.com/upload/index.jsp?to=support@eventloganalyzer.com
EventLog Analyzer displays "Enter
a proper AdventNet license file" during installation
This message could be shown in two cases:
Case 1: Your system date is set to a
future or past date. In this case, uninstall EventLog Analyzer,
reset the system date to the current date and time, and
re-install EventLog Analyzer.
Case 2: You may have provided an incorrect
or corrupted license file. Verify that you have applied
the license file obtained from AdventNet, Inc.
If neither is the reason, or you are still getting this
error, contact licensing@adventnet.com
Unable to bind EventLog Analyzer server to a specific interface.
To bind EventLog Analyzer server to a specific interface, follow the procedure given below:
- Open the runSEC.exe/sh file.
- In the line bin\SysEvtCol.exe -loglevel 3 -port 513 514 %*, add the following parameter in any place before %* or $*:
-bindip <IP Address of the interface to which the EventLog Analyzer needs to be bound>
Example entry is as given below:
bin\SysEvtCol.exe -loglevel 3 -bindip 192.168.111.153 -port 513 514 %*
MySQL-related errors on Windows machines
Probable cause: An instance of MySQL is
already running on this machine.
Solution: Shut down all instances
of MySQL and then start the EventLog Analyzer server.
Probable cause: Port 33335 is not free
Solution: Kill the other application
running on port 33335. If you cannot free this port, then
change
the MySQL port used in EventLog Analyzer.
EventLog Analyzer displays "Port
8400 needed by EventLog Analyzer is being used by another
application. Please free the port and restart EventLog Analyzer"
when trying to start the server
Probable cause: The default web server
port used by EventLog Analyzer is not free.
Solution: Kill the other application
running on port 8400. If you cannot free this port, then
change
the web server port used in EventLog Analyzer.
EventLog Analyzer displays "Can't Bind to Port <Port Number>" when logging into the UI.
Probable cause: The syslog
listener port of EventLog Analyzer is not free.
Solution:
- Check for the process that is occupying the syslog
listener port, using
netstat -anp -pudp and, if possible, try to free up this port.
- If you have started the server in UNIX machines, please ensure
that you start the server as a root user.
- or, configure EventLog Analyzer to listen to a different
syslog listener port and ensure that all your configured hosts
send their syslog to the newly configured syslog listener port of EventLog Analyzer.
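A pre-flight check for the port conflicts described in the three sections above, given as an added example and not as part of the EventLog Analyzer product or its documentation. It tries to bind each port named on this page (33335, 8400, and the 513/514 syslog pair, assumed here to be UDP) and separates "in use" from "permission refused" and from a -bindip address that is not local; the function and table names are hypothetical.

```python
import errno
import socket

# Ports named on this page: MySQL 33335/tcp, web server 8400/tcp, and the
# syslog listener ports 513 and 514 from the runSEC example (assumed UDP).
ELA_PORTS = [("MySQL", "tcp", 33335), ("web server", "tcp", 8400),
             ("syslog listener", "udp", 513), ("syslog listener", "udp", 514)]

HINTS = {
    "free": "nothing to do",
    "in_use": "another process holds the port: stop it or change the port",
    "permission": "bind refused: on UNIX, ports below 1024 usually need root",
    "bad_address": "the address is not configured on any local interface",
}

def probe(proto, port, bind_ip="0.0.0.0"):
    """Attempt a bind and classify the outcome; the socket is closed on exit."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((bind_ip, port))
        except PermissionError:
            return "permission"
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in_use"
            if exc.errno == errno.EADDRNOTAVAIL:
                return "bad_address"
            raise
    return "free"

def preflight(bind_ip="0.0.0.0", ports=ELA_PORTS):
    """Return (service, proto, port, status) for every port the server needs."""
    return [(name, proto, port, probe(proto, port, bind_ip))
            for name, proto, port in ports]

if __name__ == "__main__":
    # Run on the server machine while EventLog Analyzer is stopped.
    for name, proto, port, status in preflight():
        print(f"{name:16} {port}/{proto:3} {status:12} {HINTS[status]}")
```

Pass the same address you give to -bindip as bind_ip to confirm that the interface exists before editing the runSEC file.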
While adding host for monitoring, the 'Verify Login' action throws RPC server unavailable error
The probable reason and the remedial action are:
Probable cause: The RPC (Remote Procedure Call) port of the host machine is blocked by a Firewall.
Solution: Unblock the RPC ports in the Firewall.
While adding host for monitoring, the 'Verify Login' action throws 'Access Denied' error.
The probable reasons and the remedial actions are:
- Probable cause: The host machine is not reachable from ELA machine.
Solution: Check the network connectivity between host machine and ELA machine, by using PING command.
- Probable cause: The host machine is running a System Firewall and the REMOTEADMIN service is disabled.
Solution: Check whether System Firewall is running in the host. If System Firewall is running, execute the following command in the command prompt window of the host machine:
netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=all
I've added a host, but EventLog Analyzer
is not collecting event logs from it
Probable cause: The host machine
is not reachable from the EventLog Analyzer server machine
Solution: Check if the host machine responds
to a ping command. If it does not, then the machine is not
reachable. The host machine has to be reachable from the EventLog
Analyzer server in order to collect event logs.
Probable cause: You do not have administrative
rights on the host machine
Solution: Edit the host's details,
and enter the Administrator login credentials of the host
machine. Click Verify Login to see if the
login was successful.
I get an Access Denied error for
a host when I click on "Verify Login" but I have given the
correct login credentials
Probable cause: There may be other
reasons for the Access Denied error.
Solution: From a Windows machine,
follow the steps below to find out the exact code of the
Access Denied error:
- Select Start > Run
- Type
wbemtest in the text box and click
OK
- In the WMIT window that opens, click Connect
- In the Namespace text box, enter
\\<machine_name>\root\cimv2
where <machine_name> is the host machine
that you are trying to connect to.
- In the User text box, enter
<machine_name/domain_name>\user_name
- In the Password text box, enter the
password to log in to the host machine
- Click Connect
If no error dialog box is shown, the login is successful.
Otherwise, refer to the list below
for a description of the usually thrown Access Denied error
codes, with the cause and solution for each.

Access Denied Code: 0x80070005
Cause: Scanning of the Windows workstation failed due to one of the following reasons:

Cause: The login name and password provided for scanning is invalid in the workstation
Solution: Check if the login name and password are entered correctly

Cause: Remote DCOM option is disabled in the remote workstation
Solution: Check if Remote DCOM is enabled in the remote workstation. If not enabled, then enable the same in the following way:
- Select Start > Run
- Type dcomcnfg in the text box and click OK
- Select the Default Properties tab
- Select the Enable Distributed COM in this machine checkbox
- Click OK
To enable DCOM on Windows XP hosts:
- Select Start > Run
- Type dcomcnfg in the text box and click OK
- Click on Component Services > Computers > My Computer
- Right-click and select Properties
- Select the Default Properties tab
- Select the Enable Distributed COM in this machine checkbox
- Click OK

Cause: User account is invalid in the target machine
Solution: Check if the user account is valid in the target machine by opening a command prompt and executing the following commands:
net use \\<RemoteComputerName>\C$ /u:<DomainName\UserName> "<password>"
net use \\<RemoteComputerName>\ADMIN$ /u:<DomainName\UserName> "<password>"
If these commands show any errors, the provided user account is not valid on the target machine.

Access Denied Code: 0x80041003
Cause: The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. Probably, this user does not belong to the Administrator group for this host machine
Solution: Move the user to the Administrator Group of the workstation or scan the machine using an administrator (preferably a Domain Administrator) account.

Access Denied Code: 0x800706ba
Cause: A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2), when the default Windows firewall is enabled.
Solution:
- Disable the default Firewall in the Windows XP machine:
  - Select Start > Run
  - Type Firewall.cpl and click OK
  - In the General tab, click Off
  - Click OK
- If the firewall cannot be disabled, launch Remote Administration for administrators on the remote machine by executing the following command:
netsh firewall set service RemoteAdmin
After scanning, you can disable Remote Administration using the following command:
netsh firewall set service RemoteAdmin disable

Access Denied Code: 0x80040154
Cause:
- WMI is not available in the remote windows workstation. This happens in Windows NT. Such error codes might also occur in higher versions of Windows if the WMI Components are not registered properly.
- WMI Components are not registered
Solution:
- Install WMI core in the remote workstation. This can be downloaded from the Microsoft web site.
- Register the WMI DLL files by executing the following command in the command prompt:
winmgmt /RegServer

Access Denied Code: 0x80080005
Cause: There is some internal execution failure in the WMI Service (winmgmt.exe) running in the host machine. The last update of the WMI Repository in that workstation could have failed.
Solution: Restart the WMI Service in the remote workstation:
- Select Start > Run
- Type Services.msc and click OK
- In the Services window that opens, select Windows Management Instrumentation service.
- Right-click and select Restart

For any other error codes, refer to the MSDN knowledge base.

I have added a custom alert profile
and enabled it. But the alert is not generated in EventLog
Analyzer even though the event has occurred in the host machine
Probable cause: The alert criteria
have not been defined properly
Solution: Please ensure that the required
fields in the Add
Alert Profile screen have been given properly. Check if
the e-mail address provided is correct. Ensure that the Mail
server has been configured correctly.
For any other issues, please contact EventLog
Analyzer Technical Support