EventLog Analyzer

-

IT Compliance & Event Log Management Software for SIEM

Troubleshooting Tips

General

  1. Where do I find the log files to send to EventLog Analyzer Support?
  2. I find that EventLog Analyzer keeps crashing or all of a sudden stops collecting logs. What could be the reason?
  3. How to create SIF (Support Information File) and send the file to Manageengine, if you are not able to perform the same from the Web client?
  4. How to register dll when message files for event sources are unavailable?

Installation

  1. EventLog Analyzer displays "Enter a proper Manageengine license file" during installation
  2. Unable to bind EventLog Analyzer server to a specific interface.
Startup and Shut Down
  1. MySQL-related errors on Windows machines
  2. EventLog Analyzer displays "Port 8400 needed by EventLog Analyzer is being used by another application. Please free the port and restart EventLog Analyzer" when trying to start the server
  3. EventLog Analyzer displays "Can't Bind to Port " when logging into the UI.
  4. When the application is started, configureODBC.vbs throws script error or opens with another application. How to overcome this?

Configuration

  1. While adding host for monitoring, the 'Verify Login' action throws RPC server unavailable error
  2. While adding host for monitoring, the 'Verify Login' action throws 'Access Denied' error.
Log Collection and Reporting
  1. I've added a host, but EventLog Analyzer is not collecting event logs from it
  2. I get an Access Denied error for a host when I click on Verify Login but I have given the correct login credentials
  3. I have added an Custom alert profile and enabled it. But the alert is not generated in EventLog Analyzer even though the event has occured in the host machine
  4. When I create a Custom Report, I am not getting the report with the configured message in the Message Filter
For any other issues, please contact EventLog Analyzer Technical Support

Where do I find the log files to send to EventLog Analyzer Support?

The log files are located in the <EventLogAnalyzer_Home>/server/default/log directory. Typically when you run into a problem, you will be asked to send the serverout.txt file from this directory to EventLog Analyzer Support.

I find that EventLog Analyzer keeps crashing or all of a sudden stops collecting logs. What could be the reason?

The inbuilt MySQL database of EventLog Analyzer could get corrupted if other processes are accessing these directories. Kindly exclude the EventLog Analyzer installation directory 'ManageEngine' (prior to version 6.0 it was in C:\AdventNet or D:\AdventNet) from both the Backup process and Anti-Virus Scans.

How to create SIF (Support Information File) and send the file to Manageengine, if you are not able to perform the same from the Web client?

The SIF will help us to analyze the issue you have come across and propose a solution. If you are unable to create a SIF from the Web client UI, you can zip the files under 'log' folder, which is located in C:\ManageEngine\Eventlog\server\default\log (default path) and send the zip file by upload it in the following ftp link: http://bonitas.zohocorp.com/upload/index.jsp?to=eventloganalyzer-support@manageengine.com 

How to register dll when message files for event sources are unavailable?

To register dll, follow the procedure given in the link below: http://ss64.com/nt/regsvr32.html

EventLog Analyzer displays "Enter a proper Manageengine license file" during installation

This message could be shown in two cases:

Case 1: Your system date is set to a future or past date. In this case, uninstall EventLog Analyzer, reset the system date to the current date and time, and re-install EventLog Analyzer.
Case 2: You may have provided an incorrect or corrupted license file. Verify that you have applied the license file obtained from ZOHO Corp.

If neither is the reason, or you are still getting this error, contact licensing@manageengine.com

Unable to bind EventLog Analyzer server to a specific interface.

To bind EventLog Analyzer server to a specific interface follow the procedure given below:

For Eventlog Analyzer running as application:

  • Open the runSEC.exe/sh file.
  • Add the following parameter in the line in any place before %* or $*: bin\SysEvtCol.exe -loglevel 3 -port 513 514 %*

-bindip <IP Address of the interface to which the EventLog Analyzer needs to be bound>

Example entry is as given below:

bin\SysEvtCol.exe -loglevel 3 -bindip 192.168.111.153 -port 513 514 %*

For Eventlog Analyzer running as service:
  • Stop the Eventlog Analyzer service.
  • Open the startDB.bat file which is under <Eventlog Analyzer Home>\bin directory, add option '--bind-address=<ip-address>' in the mysqld start command that starts with @start and save the file.
  • Open the stopDB.bat file which is under <Eventlog Analyzer Home>\bin directory, add '-h <ip-address>>' to the command arguments and save the file.
    After the change the line should like the one given below: 
    set commandArgs=-P %PORT% -u %USER_NAME% -h <ip-address> 
  • Open the wrapper.conf file which is under <Eventlog Analyzer Home>\server\default\conf and follow the below steps: 
    Uncomment the second application parameter ' wrapper.app.parameter.2=-L../lib/AdventNetDeploymentSystem.jar'. 
    Add the following new application parameters 
    wrapper.app.parameter.3=-c default 
    wrapper.app.parameter.4=-b <ip-address> 
    wrapper.app.parameter.5=-Dspecific.bind.address=<ip-address> 

    and save the file.
    Note: Remove '#' symbol for uncommenting in the .conf file.
  • Open the mysql-ds.xml file which is under <Eventlog Analyzer Home>\server\default\deploy directory, replace 'localhost' inconnection-url tag with the <ip-address> to which you want to bind the application and save the file.
  • Start the Eventlog Analyzer service.
  • Verify the setting by executing the 'netstat -ano' command in the command prompt.
Back to Top

MySQL-related errors on Windows machines

Probable cause: An instance of MySQL is already running on this machine.
Solution: Shut down all instances of MySQL and then start the EventLog Analyzer server.

Probable cause: Port 33335 is not free
Solution: Kill the other application running on port 33335. If you cannot free this port, then change the MySQL port used in EventLog Analyzer.

EventLog Analyzer displays "Port 8400 needed by EventLog Analyzer is being used by another application. Please free the port and restart EventLog Analyzer" when trying to start the server

Probable cause: The default web server port used by EventLog Analyzer is not free.
Solution: Kill the other application running on port 8400. If you cannot free this port, then change the web server port used in EventLog Analyzer.

EventLog Analyzer displays "Can't Bind to Port <Port Number>" when logging into the UI.

Probable cause:The syslog listener port of EventLog Analyzer is not free.

Solution:

  • Check for the process that is occupying the syslog listener port, using netstat -anp -pudp . And if possible, try to free up this port.
  • If you have started the server in UNIX machines, please ensure that you start the server as a root user.
  • or, configure EventLog Analyzer to listen to a different syslog listener port and ensure that all your configured hosts send their syslog to the newly configured syslog listener port of EventLog Analyzer.

When the application is started, configureODBC.vbs throws script error or opens with another application. How to overcome this?

Probable cause: (File opens with other program) The configureODBC.vbs file may be set to open with a program other than "wscript.exe" in WINDOWS\system32 folder (for example: Notepad.exe), hence the file was unable to execute during the application start.

Solution:

  • Stop the Eventlog Analyzer server/service.
  • Go to the Eventlog Analyzer installation folder <EventLog Analyzer Home>\bin(default path) and right click the "configureODBC.vbs" file and choose Open (or) Open With and choose the windows program wscript.exe from your Windows\System32 folder.
  • Start the Eventlog Analyzer server/service.

Probable cause: (File not having execute permission) The configureODBC.vbs file may not have execute permission.

Solution:

  • Stop the Eventlog Analyzer server/service.
  • Go to the Eventlog Analyzer installation folder <EventLog Analyzer Home>\bin(default path) and right click the configureODBC.vbs file and change the permission to execute the file.
  • Start the Eventlog Analyzer server/service.

While adding host for monitoring, the 'Verify Login' action throws RPC server unavailable error

The probable reason and the remedial action is:

Probable cause: The host machine RPC (Remote Procedure Call) port is blocked by any other Firewall.
Solution: Unblock the RPC ports in the Firewall.

While adding host for monitoring, the 'Verify Login' action throws 'Access Denied' error. 

The probable reasons and the remedial actions are:

Probable cause: The host machine is not reachable from ELA machine.
Solution: Check the network connectivity between host machine and ELA machine, by using PING command.

Probable cause: The host machine running a System Firewall and REMOTEADMIN service is disabled.
Solution: Check whether System Firewall is running in the host. If System Firewall is running, execute the following command in the command prompt window of the host machine:

netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=all
Back to Top

I've added a host, but EventLog Analyzer is not collecting event logs from it

Probable cause: The host machine is not reachable from the EventLog Analyzer server machine
Solution:
Check if the host machine responds to a ping command. If it does not, then the machine is not reachable. The host machine has to be reachable from the EventLog Analyzer server in order to collect event logs.

Probable cause: You do not have administrative rights on the host machine
Solution: Edit the host's details, and enter the Administrator login credentials of the host machine. Click Verify Login to see if the login was successful.

I get an Access Denied error for a host when I click on "Verify Login" but I have given the correct login credentials

Probable cause: There may be other reasons for the Access Denied error.

Solution: Refer the Cause and Solution for the Error Code you got during Verify login.

Error Code Cause Solution
0x80070005 Scanning of the Windows workstation failed due to one of the following reasons:
The login name and password provided for scanning is invalid in the workstation Check if the login name and password are entered correctly
Remote DCOM option is disabled in the remote workstation Check if Remote DCOM is enabled in the remote workstation. If not enabled, then enable the same in the following way:
  1. Select Start > Run
  2. Type dcomcnfg in the text box and click OK
  3. Select the Default Properties tab
  4. Select the Enable Distributed COM in this machine checkbox
  5. Click OK

To enable DCOM on Windows XP hosts:

  1. Select Start > Run
  2. Type dcomcnfg in the text box and click OK
  3. Click on Component Services > Computers > My Computer
  4. Right-click and select Properties
  5. Select the Default Properties tab
  6. Select the Enable Distributed COM in this machine checkbox
  7. Click OK
User account is invalid in the target machine

Check if the user account is valid in the target machine by opening a command prompt and executing the following commands:

net use \\<RemoteComputerName>\C$ /u:<DomainName\UserName> "<password>"
net use \\<RemoteComputerName>\ADMIN$ /u:<DomainName\UserName> "<password>"

If these commands show any errors, the provided user account is not valid on the target machine.

0x80041003 The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. Probably, this user does not belong to the Administrator group for this host machine Move the user to the Administrator Group of the workstation or scan the machine using an administrator (preferably a Domain Administrator) account.
0x800706ba A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2), when the default Windows firewall is enabled.
  1. Disable the default Firewall in the Windows XP machine:
    1. Select Start > Run
    2. Type Firewall.cpl and click OK
    3. In the General tab, click Off
    4. Click OK
  2. If the firewall cannot be disabled, launch Remote Administration for administrators on the remote machine by executing the following command:
    netsh firewall set service RemoteAdmin

    After scanning, you can disable Remote Administration using the following command:
    netsh firewall set service RemoteAdmin disable
0x80040154
  1. WMI is not available in the remote windows workstation. This happens in Windows NT. Such error codes might also occur in higher versions of Windows if the WMI Components are not registered properly.
  2. WMI Components are not registered
  1. Install WMI core in the remote workstation. This can be downloaded from the Microsoft web site.
  2. Register the WMI DLL files by executing the following command in the command prompt:
    winmgmt /RegServer
0x80080005 There is some internal execution failure in the WMI Service (winmgmt.exe) running in the host machine. The last update of the WMI Repository in that workstation could have failed.

Restart the WMI Service in the remote workstation:

  1. Select Start > Run
  2. Type Services.msc and click OK
  3. In the Services window that opens, select Windows Management Instrumentation service.
  4. Right-click and select Restart
For any other error codes, refer the MSDN knowledge base

I have added an Custom alert profile and enabled it. But the alert is not generated in EventLog Analyzer even though the event has occured in the host machine

Probable cause: The alert criteria have not been defined properly
Solution: Please ensure that the required fields in the Add Alert Profile screen have been given propelrly.Check if the e-mail address provided is correct. Ensure that the Mail server has been configured correctly.

When I create a Custom Report, I am not getting the report with the configured message in the Message Filter

Probable cause: The message filters have not been defined properly

Solution: When you are entering the string in the Message Filters for matching with the log message, ensure you copy/enter the exact string as shown in the Windows Event Viewer.
e.g., Logon Name:John

Back to Top

For any other issues, please contact EventLog Analyzer Technical Support