Hello,
----------------------------
Current: .\src\agent\subagents\logwatch\eventlog.cpp is unable
to handle any other event log beside *System.
parser definition <file>*Security</file> for instance will try
to get EventMessageFile value from registry on path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\Security
----------------------------
----------------------------
<file>*Application</file>
should handle:
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Application
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\<XY Application>
----------------------------
----------------------------
Could someone pretty please fix that and attach compiled logwatch.nsm
for v0.2.26.1 until next release.
Curent fix (for impatient grateful users) is to copy:
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security
to
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Security
for *Application hover you must copy relavant subkey of
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\<xyz>
to
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\<xyz>
----------------------------
thank you,
Ales
Sory, environment is:
- windows 2008 x64 server
- x64 v0.2.26.1 agent
Error was checked with Process Monitor v2.04
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Filtering was set to show nxagentd.exe Process Name and
all failed registry query requests begining with path
HKLM\System\CurrentControlSet\Services\Eventlog
Ales
Hello!
In fact, we need completely different log readers for Windows Vista and 2008 - Microsoft changes event log API (see http://msdn.microsoft.com/en-us/library/aa964766(vs.85).aspx (http://msdn.microsoft.com/en-us/library/aa964766(vs.85).aspx)), and old API used by logwatch.nsm is not always compatible with new logs. I'll add support for new event log API in upcoming release.
Best regards,
Victor