For the latest Troubleshooting Tips on EventLog Analyzer, visit the Troubleshooting Tips on the website or the public user forums.
The log files are located in the <EventLogAnalyzer_Home>/server/default/log directory. Typically when you run into a problem, you will be asked to send the serverout.txt file from this directory to EventLog Analyzer Support.
Make sure that the EventLog Analyzer installation folder 'ManageEngine' is not accessed by other applications. Kindly exclude the 'ManageEngine' directory (it could be in C:\ManageEngine or D:\ManageEngine) from both the Backup process and Anti-Virus Scans. It is possible that the inbuilt MySQL database of EventLog Analyzer could get corrupted if other processes are accessing these direct
"Enter a proper ManageEngine license file" during installation.
This message could be shown in two cases:
Case 1: Your system date is set to a future or past date. In this case, contact eventloganalyzer-support@manageengine.com
Case 2: You may have provided an incorrect or corrupted license file. Verify that you have applied the license file obtained from ZOHO Corp.
If neither is the reason, or you are still getting this error, contact licensing@manageengine.com
To bind EventLog Analyzer server to a specific interface follow the procedure given below:
For Eventlog Analyzer running as application:
Open the <EventLog Analyzer Home>\bin\runSEC.bat/sh file.
Find the following line:
bin\SysEvtCol.exe -loglevel 3 -port 513 514 %*
Add the following parameter at any place in that line before %* or $*:
-bindip <IP Address of the interface to which the EventLog Analyzer needs to be bound>
Example entry is as given below:
bin\SysEvtCol.exe -loglevel 3 -bindip 192.168.111.153 -port 513 514 %*
For Eventlog Analyzer running as service:
- Stop the Eventlog Analyzer service.
- Open the startDB.bat file which is under <Eventlog Analyzer Home>\bin directory, add option '--bind-address=<ip-address>' in the mysqld start command that starts with @start and save the file.
- Open the stopDB.bat file which is under <Eventlog Analyzer Home>\bin directory, add '-h <ip-address>' to the command arguments and save the file.
After the change, the line should look like the one given below:
set commandArgs=-P %PORT% -u %USER_NAME% -h <ip-address>
- Open the wrapper.conf file which is under <Eventlog Analyzer Home>\server\default\conf and follow the below steps:
Note: Remove '#' symbol for uncommenting in the .conf file.
Uncomment the second application parameter 'wrapper.app.parameter.2=-L../lib/AdventNetDeploymentSystem.jar'.
Add the following new application parameters
wrapper.app.parameter.3=-c default
wrapper.app.parameter.4=-b <ip-address>
wrapper.app.parameter.5=-Dspecific.bind.address=<ip-address>
and save the file.
- Open the mysql-ds.xml file which is under <Eventlog Analyzer Home>\server\default\deploy directory, replace 'localhost' in connection-url tag with the <ip-address> to which you want to bind the application and save the file.
- Start the Eventlog Analyzer service.
- Verify the setting by executing the 'netstat -ano' command in the command prompt.
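One way to automate the 'netstat -ano' verification in the last step, as an added example that is not part of the original page or of ManageEngine's tooling: it parses Windows netstat output and reports listeners on the ports this page names (8400, 33335, 513, 514) that are bound to an address other than the configured one, which catches a wildcard 0.0.0.0 bind left behind by a missed file. The function names, the sample output and the treatment of 513/514 as UDP are assumptions.

```python
import sys

# Ports named on this page: 8400 (web server), 33335 (bundled MySQL) and
# 513/514 (syslog listener). Treating 513/514 as UDP is an assumption.
WATCHED = {("TCP", 8400), ("TCP", 33335), ("UDP", 513), ("UDP", 514)}

# Constructed sample of Windows `netstat -ano` output, not from a real server.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.111.153:8400   0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:33335          0.0.0.0:0              LISTENING       2120
  TCP    192.168.111.153:8400   192.168.111.20:51514   ESTABLISHED     4312
  UDP    192.168.111.153:513    *:*                                    3904
  UDP    0.0.0.0:514            *:*                                    3904
"""

def parse_listeners(netstat_text):
    """Yield (proto, address, port, pid) for TCP LISTENING rows and UDP rows."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or other text
        if fields[0] == "TCP" and "LISTENING" not in fields:
            continue  # an established connection is not a listener
        # rpartition splits on the last colon, so [::]:8400 parses correctly
        address, _, port = fields[1].rpartition(":")
        if port.isdigit():
            yield fields[0], address.strip("[]"), int(port), fields[-1]

def audit_binding(netstat_text, expected_ip, watched=WATCHED):
    """Return (findings, missing): wrongly bound sockets and absent listeners."""
    findings, seen = [], set()
    for proto, address, port, pid in parse_listeners(netstat_text):
        if (proto, port) in watched:
            seen.add((proto, port))
            if address != expected_ip:
                findings.append((proto, port, address, pid))
    return findings, sorted(set(watched) - seen)

if __name__ == "__main__":
    # Usage: netstat -ano | python check_bind.py <ip-address> (no argument: sample)
    live = len(sys.argv) > 1
    text = sys.stdin.read() if live else SAMPLE
    ip = sys.argv[1] if live else "192.168.111.153"
    findings, missing = audit_binding(text, ip)
    for proto, port, address, pid in findings:
        print(f"{proto} {port} bound to {address} (PID {pid}), expected {ip}")
    print("watched ports with no listener:", missing)
```

On the constructed sample, the MySQL port and one syslog port are reported as still bound to 0.0.0.0, which points at the startDB.bat and collector settings respectively.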
Probable cause: An instance of MySQL is already running on this machine.
Solution: Shut down all instances of MySQL and then start the EventLog Analyzer server.
Probable cause: Port 33335 is not free
Solution: Kill the other application running on port 33335. If you cannot free this port, then change the MySQL port used in EventLog Analyzer.
"Port 8400 needed by EventLog Analyzer is being used by another application. Please free the port and restart EventLog Analyzer" when trying to start the server.
Probable cause: The default web server port used by EventLog Analyzer is not free.
Solution: Kill the other application running on port 8400. If you cannot free this port, then change the web server port used in EventLog Analyzer.
"Can't Bind to Port <Port Number>" when logging into the UI.
Solution:
Probable causes:
netstat -anp udp. And if possible, try to free up this port.
Probable cause: (File opens with other program) The configureODBC.vbs file may be set to open with a program other than "wscript.exe" in WINDOWS\system32 folder (for example: Notepad.exe), hence the file was unable to execute during the application start.
Solution:
Stop the Eventlog Analyzer server/service.
Go to the Eventlog Analyzer installation folder <EventLog Analyzer Home>\bin (default path), right-click the "configureODBC.vbs" file, choose Open (or) Open With, and choose the Windows program wscript.exe from your Windows\System32 folder.
Start the Eventlog Analyzer server/service.
Probable cause: (File not having execute permission) The configureODBC.vbs file may not have execute permission.
Solution:
Stop the Eventlog Analyzer server/service.
Go to the Eventlog Analyzer installation folder <EventLog Analyzer Home>\bin (default path), right-click the configureODBC.vbs file and change the permission to execute the file.
Start the Eventlog Analyzer server/service.
The probable reason and the remedial action is:
- Probable cause: The host machine RPC (Remote Procedure Call) port is blocked by any other Firewall.
Solution: Unblock the RPC ports in the Firewall.
The probable reasons and the remedial actions are:
- Probable cause: The host machine is not reachable from ELA machine.
Solution: Check the network connectivity between host machine and ELA machine, by using PING command.
- Probable cause: The host machine is running a System Firewall and the REMOTEADMIN service is disabled.
Solution: Check whether System Firewall is running in the host. If System Firewall is running, execute the following command in the command prompt window of the host machine:
netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=all
The probable reasons and the remedial actions are:
Probable cause: By default, WMI component is not installed in Windows 2003 Server
Solution: Win32_Product class is not installed by default on Windows Server 2003. To add the class, follow the procedure given below:
- In Add or Remove Programs, click Add/Remove Windows Components.
- In the Windows Components Wizard, select Management and Monitoring Tools, then click Details.
- In the Management and Monitoring Tools dialog box, select WMI Windows Installer Provider and then click OK.
- Click Next.
The probable reasons and the remedial actions are:
Probable cause: The object access log is not enabled in Linux OS.
Solution: The steps to enable object access in Linux OS are given below:
In the file /etc/xinetd.d/wu-ftpd, edit the server arguments as mentioned below:
server_args = -i -o -L
The probable reasons and the remedial actions are:
Probable cause: Unable to start or stop Syslog Daemon in Solaris 10
Solution: In Solaris 10, the commands to stop and start the syslogd daemon are:
# svcadm disable svc:/system/system-log:default
# svcadm enable svc:/system/system-log:default
In Solaris 10, to restart the syslogd daemon and force it to reread /etc/syslog.conf:
# svcadm refresh svc:/system/system-log:default
or
# svcadm -v restart svc:/system/system-log:default
Probable cause: You do not know whether the logs are sent from the host machine (Only for Syslog sources)
Solution: To find out whether the syslog packets are being sent by the host (source) to EventLog Analyzer (destination) at the configured port, click the Syslog Viewer icon in the Sub-Tab, enter the Host IP Address (by default it is 'Any') and the syslog port of this host (by default it is '513','514'), and click Apply Filter. With the filter applied, you can see in real time whether the raw log packets are sent from the specific host to the EventLog Analyzer server.
Probable cause: The host machine is not reachable from the EventLog Analyzer server machine
Solution: Check if the host machine responds to a ping command. If it does not, then the machine is not reachable. The host machine has to be reachable from the EventLog Analyzer server in order to collect event logs.
Probable cause: You do not have administrative rights on the host machine
Solution: Edit the host's details, and enter the Administrator login credentials of the host machine. Click Verify Login to see if the login was successful.
Probable cause: There may be other reasons for the Access Denied error.
Solution: Refer to the Cause and Solution for the Error Code you got during Verify Login.

Error Code: 0x80070005
Cause: Scanning of the Windows workstation failed due to one of the following reasons:
- Cause: The login name and password provided for scanning is invalid in the workstation
Solution: Check if the login name and password are entered correctly
- Cause: Remote DCOM option is disabled in the remote workstation
Solution: Check if Remote DCOM is enabled in the remote workstation. If not enabled, then enable the same in the following way:
dcomcnfg in the text box and click OK
To enable DCOM on Windows XP hosts:
dcomcnfg in the text box and click OK
- Cause: User account is invalid in the target machine
Solution: Check if the user account is valid in the target machine by opening a command prompt and executing the following commands:
net use \\<RemoteComputerName>\C$ /u:<DomainName\UserName> "<password>"
net use \\<RemoteComputerName>\ADMIN$ /u:<DomainName\UserName> "<password>"
If these commands show any errors, the provided user account is not valid on the target machine.

Error Code: 0x80041003
Cause: The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. Probably, this user does not belong to the Administrator group for this host machine
Solution: Move the user to the Administrator Group of the workstation or scan the machine using an administrator (preferably a Domain Administrator) account.

Error Code: 0x800706ba
Cause: A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2), when the default Windows firewall is enabled.
Solution:
Firewall.cpl and click OK
netsh firewall set service RemoteAdmin
After scanning, you can disable Remote Administration using the following command:
netsh firewall set service RemoteAdmin disable

Error Code: 0x80040154
Solution:
winmgmt /RegServer

Error Code: 0x80080005
Cause: There is some internal execution failure in the WMI Service (winmgmt.exe) running in the host machine. The last update of the WMI Repository in that workstation could have failed.
Solution: Restart the WMI Service in the remote workstation:

For any other error codes, refer to the MSDN knowledge base.
Probable cause: The alert criteria have not been defined properly
Solution: Please ensure that the required fields in the Add Alert Profile screen have been given properly. Check if the e-mail address provided is correct. Ensure that the Mail server has been configured correctly.
Probable cause: The message filters have not been defined properly
Solution: When you are entering the string in the Message Filters for matching with the log message, ensure you copy/enter the exact string as shown in the Windows Event Viewer.
e.g., Logon Name:John
Probable cause: The transaction logs of MS SQL could be full
Solution: If the EventLog Analyzer MS SQL database transaction logs are full, shrink the same with the procedure given below:
- Stop the Eventlog Analyzer Server/Service (Check the Eventlog Analyzer server machine's Task Manager to ensure that the processes 'SysEvtCol.exe', 'Java.exe' are not running).
- Connect MS SQL client (using Microsoft SQL Server Management Studio) and execute the below query:
sp_dboption 'eventlog', 'trunc. log on chkpt.', 'true'
To execute the query, select and highlight the above command and press F5 key.
- After executing the above command, select and highlight the below command and press F5 key to execute it.
DBCC SHRINKDATABASE (eventlog)
Note: This process will take some time, based on the EventLog Analyzer database size.
- Start the Eventlog Analyzer.
If the Oracle host is Windows, open Event Viewer in that machine and check for Oracle source logs under Application type. If it is Linux, check the appropriate log file to which you are writing Oracle logs. If the Oracle logs are available in the specified file but ELA is still not collecting the logs, contact EventLog Analyzer Support.
For any other issues, please contact EventLog Analyzer Technical Support.