Resources Zone

General

1. Where do I find the log files to send to EventLog Analyzer Support?

   The log files are located in the <EventLogAnalyzer_Home>/server/default/log directory. Typically when you run into a problem, you will be asked to send the serverout.txt file from this directory to EventLog Analyzer Support.

2. I find that EventLog Analyzer keeps crashing or all of a sudden stops collecting logs. What could be the reason?

   The inbuilt MySQL database of EventLog Analyzer could get corrupted if other processes are accessing these directories. Kindly exclude the EventLog Analyzer installation directory 'Manageengine' (it could be inC:\AdventNet or D:\AdventNet) from both the Backup process and Anti-Virus Scans.

3. How to create SIF (Support Information File) and send the file to Manageengine, if you are not able to perform the same from the Web client?

   The SIF will help us to analyze the issue you have come across and propose a solution. If you are unable to create a SIF from the Web client UI, you can zip the files under 'log' folder, which is located inC:\ManageEngine\Eventlog\server\default\log (default path) and send the zip file by upload it in the following ftp link: http://bonitas.zohocorp.com/upload/index.jsp?to=eventloganalyzer-support@manageengine.com

4. How to register dll when message files for event sources are unavailable?

   To register dll, follow the procedure given in the link below: http://ss64.com/nt/regsvr32.html

Installation

1. What are the recommended minimum system requirements for EventLog Analyzer?

   It is recommended that you install EventLog Analyzer on a machine with the following configuration:

   • Processor - Pentium 4 - 1.5GHz
   • RAM - 2GB
   • Disk Space - 5GB
   • Operating System - Windows 7, 2000, XP, 2003, Linux Ubuntu 8.0/9.0
   • Web Browser - Internet Explorer 8 and later, Firefox 4 and later, and Chrome 8 and later

   Look up System Requirements to see the minimum configuration required to install and run EventLog Analyzer.

2. Can I install EventLog Analyzer as a root user?

   EventLog Analyzer can be started as a root user, but all file permissions will be changed, and later you cannot start the server as another user.

3. When I try to access the web client, another web server comes up. How is this possible?

   The web server port you have selected during installation is possibly being used by another application. Configure that application to use another port, or change the EventLog Analyzer web server port.

4. How to configure EventLog Analyzer as service in Windows, after installation?

   Normally, the EventLog Analyzer is installed as a service. If you have installed it as an application and not as a service, you can configure it as a service any time later. The procedure to configure as service, start and stop the service is given below.

   To configure EventLog Analyzer as a service after installation:

   • Stop the EventLog Analyzer application.
   • Execute the following command in the command prompt window in the \bin directory.
     service. bat -i
   • Start the EventLog Analyzer service.
5. How to configure EventLog Analyzer as service in Linux, after installation?

   Normally, the EventLog Analyzer is installed as a service. If you have installed as an application and not as a service, you can configure it as a service any time later. The procedure to configure as service, start and stop the service is given below.

   To configure EventLog Analyzer as a service after installation:

   • Stop the EventLog Analyzer application.
   • Execute the following command:
     sh configure As Service. sh -i
   • Start the EventLog Analyzer service.
6. Is a database backup necessary, or does EventLog Analyzer take care of this?

   The archiving feature in EventLog Analyzer automatically stores all logs received in zipped flat files. You can configure archiving settings to suit the needs of your enterprise. Apart from that, if you need to backup the database, which contains processed data from event logs, you can run the database backup utility, BackupDB.bat/.sh present in the /troubleshooting directory.

7. How to take database backup?

   MySQL database

   To take a backup of the existing EventLog Analyzer MySQL database, ensure that the EventLog Analyzer server or service is stopped and create a ZIP file of the contents of /mysql directory and save it.

   MSSQL database

   Steps to take backup of MSSQL database:

   Find the current location of the data file and log file for the database eventlog by using the following commands:

   use eventlog
   go
   sp_helpfile
   go

   Detach the database by using the following commands:

   use master
   go
   sp_detach_db 'eventlog'
   go

   Backup the data file and log file from the current location ( \data\eventlog.mdf and \data\attention-grabbing) by zipping and saving the files.

8. EventLog Analyzer displays "Enter a proper ManageEngine license file" during installation

   This message could be shown in two cases:

   Case 1: Your system date is set to a future or past date. In this case, uninstall EventLog Analyzer, reset the system date to the current date and time, and re-install EventLog Analyzer.

   Case 2:You may have provided an incorrect or corrupted license file. Verify that you have applied the license file obtained from ZOHO Corp.

   If neither is the reason, or you are still getting this error, contact licensing@manageengine.com

9. Unable to bind EventLog Analyzer server to a specific interface.

   To bind EventLog Analyzer server to a specific interface follow the procedure given below:

   For Eventlog Analyzer running as application:

   • Open the runSEC.exe/sh file.
   • Add the following parameter in the line in any place before %* or $*: bin\SysEvtCol.exe loglevel 3 -port 513 514 %*

   bindip<IP Address of the interface to which the EventLog Analyzer needs to be bound>

   Example entry is as given below:

   bin\SysEvtCol.exe -loglevel 3 -bindip 192.168.111.153 -port 513 514 %*

   For Eventlog Analyzer running as service:

   • Stop the Eventlog Analyzer service.
   • Open the startDB.bat file which is under <Eventlog Analyzer Home>\bin directory, add option '--bind-address=<ip-address>' in the mysqld start command that starts with @start and save the file.

   Open the stopDB.bat file which is under \bin directory, add '-h

   <ip-address>>' to the command arguments and save the file.

   After the change the line should like the one given below:

   • set commandArgs=-P %PORT% -u %USER_NAME% -h <ip-address>

   Open the wrapper.conf file which is under <Eventlog Analyzer Home>\server\default\conf and follow the below steps:

   Uncomment the second application parameter'

   wrapper.app.parameter.2=-L../lib/AdventNetDeploymentSystem.jar'.
   Add the following new application parameters
   wrapper.app.parameter.3=-c default
   wrapper.app.parameter.4=-b <ip-address>
   wrapper.app.parameter.5=-Dspecific.bind.address=<ip-address>
   and save the file.

   • Note: Remove '#' symbol for uncommenting in the .conf file.
   • Open the mysql-ds.xml file which is under <Eventlog Analyzer Home>\server\default\deploy directory, replace 'localhost' inconnection-url tag with the <ip-address> to which you want to bind the application and save the file.
   • Start the Eventlog Analyzer service.
   • Verify the setting by executing the 'netstat -ano' command in the command prompt.

Start up and Shut down

1. MySQL-related errors on Windows machines

   Probable cause:An instance of MySQL is already running on this machine.
   Solution:Shut down all instances of MySQL and then start the EventLog Analyzer server.
   Probable cause:Port 33335 is not free
   Solution: Kill the other application running on port 33335. If you cannot free this port, thenchange the MySQL port used in EventLog Analyzer.

2. EventLog Analyzer displays "Port 8400 needed by EventLog Analyzer is being used by another application. Please free the port and restart EventLog Analyzer" when trying to start the server

   Probable cause:The default web server port used by EventLog Analyzer is not free.
   Solution: Kill the other application running on port 8400. If you cannot free this port, then change the web server port used in EventLog Analyzer.

3. EventLog Analyzer displays "Can't Bind to Port <Port Number>" when logging into the UI.

   Probable cause:The syslog listener port of EventLog Analyzer is not free.

   Solution:

   • Check for the process that is occupying the syslog listener port, using netstat -anp -pudp . And if possible, try to free up this port.
   • If you have started the server in UNIX machines, please ensure that you start the server as a root user.
   • or, configure EventLog Analyzer to listen to a different syslog listener port and ensure that all your configured hosts send their syslog to the newly configured syslog listener port of EventLog Analyzer.
4. When the application is started, configureODBC.vbs throws script error or opens with another application. How to overcome this?

   Probable cause: (File opens with other program)The configureODBC.vbs file may be set to open with a program other than "wscript.exe" in WINDOWS\system32 folder (for example: Notepad.exe), hence the file was unable to execute during the application start.

   Solution:

   • Stop the Eventlog Analyzer server/service.
   • Go to the Eventlog Analyzer installation folder <EventLog Analyzer Home>\bin(default path) and right click the "configureODBC.vbs" file and choose Open (or) Open With and choose the windows programwscript.exe from your Windows\System32 folder.
   • Start the Eventlog Analyzer server/service.

   Probable cause: (File not having execute permission) The configureODBC.vbsfile may not have execute permission.

   Solution:

   • Stop the Eventlog Analyzer server/service.
   • Go to the Eventlog Analyzer installation folder <EventLog Analyzer Home>\bin(default path) and right click the configureODBC.vbs file and change the permission to execute the file.
   • Start the Eventlog Analyzer server/service.

Configuration

1. How do I add hosts to EventLog Analyzer so that it can start collecting event logs?

   For Windows hosts, enter the host name and the authentication details, and then add the host. For Unix hosts, enter the host name and the port number of the syslog service, and then add the host. (Ensure that the syslog service is running, and that it is using the same port number specified here.)

2. How do I see session information of all users registered to log in to EventLog Analyzer?

   The session information for each user can be accessed from the User Management link. Click the View link under Login Details against each user to view the active session information and session history for that user.

3. How to move EventLog Analyzer to a different machine/server?

   Please follow the below steps to move an existing EventLog Analyzer server to a new machine/server.

   MySQL database

   1. Stop the existing EventLog Analyzer server/service
   2. Ensure that the process 'java.exe', 'mysqld-nt.exe' and 'SysEvtCol.exe' are not running/present in the task manager, kill these processes manually if some of them are still running
   3. As a precautionary measure, copy the following complete folders (including the files and sub-folders) to another drive or to a mapped network drive. This will help us to restore to the settings and data in-case of any issue with the new machine installation.
      • The folder, MySQL located under <EventLog Analyzer Home>\ directory
      • The folder, Archive located under <EventLog Analyzer Home>\archive directory
      • The folder, Indexes located uncer <Eventlog Analyzer Home>\server\default directory
        if MySQL password is set in the old server
      • startDB.bat and configureODBC.vbs located under <Eventlog Analyzer Home>\bin directory.
      • myodbc3.dll and myodbc3s.dll located under <Eventlog Analyzer Home>\lib directory.
      • mysql-ds.xml located under <Eventlog Analyzer Home>\server\default\deploy directory
   4. Please download and install in the new machine/server the latest build of Eventlog Analyzer from the following link: download.html
   5. Do not start the newly installed EventLog Analyzer server/service.
   6. In the newly installed EventLog Analyzer machine/server, rename the folder MySQL located under <EventLog Analyzer Home>\ as OldMySQL.
   7. Copy the MySQL folder (including the files and sub-folders), which is located under <EventLog Analyzer Home>\ , from the old machine/server to the newly installed Eventlog Analyzer machine/server. Note: Kindly take extra care that the EventLog Analyzer is not running on both the systems while performing this operation.
   8. Start the EventLog Analyzer on the new machine and check whether the data and configurations are intact.

   MSSQL database

   1. Stop Eventlog Analyzer server/service.
   2. Download and install the latest build of Eventlog Analyzer in the new server using the following link: https://www.manageengine.com/download.html
   3. Once you install the application in the new machine, kindly make sure that you do not start the application or shutdown the Eventlog Analyzer if started.
   4. Please configure the MSSQL server credentials of the earlier Eventlog Analyzer server installation as explained in the Configuring MSSQL Database topic.
   5. Start the Eventlog Analyzer server/service on the new machine and check whether the data and the configurations are intact.

   In-case of any issues while performing the above steps, please do not continue any further and contact eventlog-support@manageengine.com to assist you better.

4. How can I assign password to 'root' user in the EventLog Analyzer database?
   The procedure to set a password for the Eventlog Analyzer’s MySQL database. This procedure is applicable for Eventlog Analyzer version 6.0 onwards.

   1. Stop the EventLog Analyzer server /service.
   2. Click on Start > Control panel > Administrative Tools > Data Sources (ODBC) > User DSN > Select the name CherrySADSN and ‘Remove’ it.
   3. Rename the files <EventLog Analyzer Home>\bin\configureODBC.vbs as configureODBC_old.vbs and \lib\myodbc3.dll as myodbc3_old.dll
   4. Now download the *.zip file from the below link and place the files in the following locations
      http://bonitas.zohocorp.com/patches/cherry/15Sep2009/Mysql_Password_Set_ELA_6.zip
      1. configureODBC.vbs > \bin folder
         Note: Please use the appropriate configureODBC.vbs (either 32 bit or 64 bit) file based on the platform you are running the Eventlog Analyzer under
      2. myodbc3.dll and myodbc3s.dll > \lib folder
      3. MysqlPwdSet.bat > \mysql\bin folder
   5. Open a command prompt window, go to the folder <EventLog Analyzer Home>\bin and run the command 'startDB.bat' to start the database.
   6. In the command prompt window, go to the folder <EventLog Analyzer Home>\mysql\bin folder and execute the 'MysqlPwdSet.bat' as given below:
      <EventLog Analyzer Home>\mysql\bin> MysqlPwdSet.bat <mysql password>
   7. In the command prompt window, go to <EventLog Analyzer Home>\tools folder, execute the 'changeDBServer.bat' provide the <mysql password> in the Password field and click on 'Test'. If the connection is established click 'Save'. Please ignore the error message 'database already exists'.
   8. Edit (in Wordpad) 'stopDB.bat', located in <EventLog Analyzer Home>\bin folder, as given below. This entry is used only for stopping the current instance of mysql database.
      Old Entry:
      set PASSWORD=%4
      New Entry:
      set PASSWORD=<mysql password>
   9. In the command prompt window, go to the folder <EventLog Analyzer Home>\bin and execute the command 'stopDB.bat', to stop the database.
   10. Edit (in notepad) again the ‘stopDB.bat’ and redo the above change as given below Old Entry:
       set PASSWORD=
       New Entry:
       set PASSWORD=%4
   11. Restart the EventLog Analyzer Server/Service.

   This procedure is applicable only for Eventlog Analyzer version less than 6.0

   To assign/change MySQL Database password, follow the below given steps:

   • Connect to EventLog Analyzer's MySQL. Go to /mysql directory, execute the following command
     ./bin/mysql -u root- h localhost-- port=33335 -D EVENTLOG
   • Execute the following queries in the database
     USE mysql
     update user set password=password ('New Password') where user = 'root';
     FLUSH PRIVILEGES;
   • Stop EventLog Analyzer.
   • Go to /data directory, edit dbparam.conf file and change the password to the 'New' password.
   • Restart EventLog Analyzer.
5. While adding host for monitoring, the 'Verify Login' action throws RPC server unavailable error

   The probable reason and the remedial action is:

   Probable cause: The host machine RPC (Remote Procedure Call) port is blocked by any other Firewall.

   Solution: Unblock the RPC ports in the Firewall.

6. While adding host for monitoring, the 'Verify Login' action throws 'Access Denied' error.

   The probable reasons and the remedial actions are:

   Probable cause: The host machine is not reachable from ELA machine.

   Solution: Check the network connectivity between host machine and ELA machine, by using PING command.

   Probable cause: The host machine running a System Firewall and REMOTEADMIN service is disabled.

   Solution: Check whether System Firewall is running in the host. If System Firewall is running, execute the following command in the command prompt window of the host machine:
   netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=all

7. When WBEM test is carried out. it fails and shows error message with code 80041010 in Windows Server 2003.

   The probable reasons and the remedial actions are:

   Probable cause: By default, WMI component is not installed in Windows 2003 Server

   Solution:Win32_Product class is not installed by default on Windows Server 2003. To add the class, follow the procedure given below:

   1. In Add or Remove Programs, click Add/Remove Windows Components.
   2. In the Windows Components Wizard, select Management and Monitoring Tools, then click Details.
   3. In the Management and Monitoring Tools dialog box, select WMI Windows Installer Provider and then click OK.
   4. Click Next.
8. How to enable Object Access logging in Linux OS?

   The probable reasons and the remedial actions are:

   Probable cause: The object access log is not enabled in Linux OS.

   Solution: Steps to enable object access in Linux OS, is given below:

   In the file /etc/xinted.d/wu-ftpd, edit the server arguments as mentioned below:

   server_args = -i -o -L

9. What are commands to start and stop Syslog Deamon, in Solaris 10?

   The probable reasons and the remedial actions are:

   Probable cause: Unable to start or stop Syslog Daemon in Solaris 10

   Solution: In Solaris 10, the commands to stop and start the syslogd daemon are:

   # svcadm disable svc:/system/system-log:default

   # svcadm enable svc:/system/system-log:default

   In Solaris 10, to restart the syslogd daemon and force it to reread /etc/syslog.conf:

   # svcadm refresh svc:/system/system-log:default
   or
   # svcadm -v restart svc:/system/system-log:default

Log collection and Reporting

1. Why am I seeing empty graphs?

   Graphs are empty if no data is available. If you have started the server for the first time, wait for at least one minute for graphs to be populated.

2. What are the types of report formats that I can generate?

   Reports can be generated in HTML, CSV, and PDF formats. All reports are generally viewed as HTML in the web browser, and then exported to CSV or PDF format. However, reports that are scheduled to run automatically, or be emailed automatically, are generated only as PDF files.

3. I've added a host, but EventLog Analyzer is not collecting event logs from it

   Probable cause:The host machine is not reachable from the EventLog Analyzer server machine

   Solution: Check if the host machine responds to a ping command. If it does not, then the machine is not reachable. The host machine has to be reachable from the EventLog Analyzer server in order to collect event logs.Probable cause: You do not have administrative rights on the host machine

   Solution:Edit the host's details, and enter the Administrator login credentials of the host machine. Click Verify Loginto see if the login was successful.

4. I get an Access Denied error for a host when I click on "Verify Login" but I have given the correct login credentials

   Probable cause:There may be other reasons for the Access Denied error.Solution: From a Windows machine, follow the steps below to find out the exact code of the Access Denied error:

   • Select Start > Run
   • Type wbemtest in the text box and clickOK
   • In the WMIT window that opens, click Connect
   • In the Namespace text box, enter \\<machine_name>\root\cimv2 where <machine_name>is the host machine that you are trying to connect to.
   • In the User text box, enter <machine_name/domain_name>\user_name
   • In the Password text box, enter the password to log in to the host machine
   • Click Connect

   If no error dialog box is shown, the login is successful. Otherwise, refer the table for a description of the usually thrown Access Denied error codes.

   Access Denied Code	Cause	Solution
   0x80070005	Scanning of the Windows workstation failed due to one of the following reasons:
   	The login name and password provided for scanning is invalid in the workstation	Check if the login name and password are entered correctly
   	Remote DCOM option is disabled in the remote workstation	Check if Remote DCOM is enabled in the remote workstation. If not enabled, then enable the same in the following way: Select Start > Run Type dcomcnfg in the text box and click OK Select the Default Propertiestab Select the Enable Distributed COM in this machinecheckbox Click OK To enable DCOM on Windows XP hosts: Select Start > Run Type dcomcnfg in the text box and clickOK Click on Component Services > Computers > My Computer Right-click and selectProperties Select the Default Properties tab Select the Enable Distributed COM in this machine checkbox Click OK
   	User account is invalid in the target machine	Check if the user account is valid in the target machine by opening a command prompt and executing the following commands: net use \\<RemoteComputerName>\C$ /u:<DomainName\UserName> "<password>" net use \\<RemoteComputerName>\ADMIN$ /u:<DomainName\UserName>"<password>" If these commands show any errors, the provided user account is not valid on the target machine.
   0x80041003	The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. Probably, this user does not belong to the Administrator group for this host machine	Move the user to the Administrator Group of the workstation or scan the machine using an administrator (preferably a Domain Administrator) account.
   0x800706ba	A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2), when the default Windows firewall is enabled.	Disable the default Firewall in the Windows XP machine:Select Start > Run TypeFirewall.cpl and click OK In the Generaltab, click Off Click OK
   0x80040154	WMI is not available in the remote windows workstation. This happens in Windows NT. Such error codes might also occur in higher versions of Windows if the WMI Components are not registered properly. WMI Components are not registered	Install WMI core in the remote workstation. This can be downloaded from theMicrosoft web site. Register the WMI DLL files by executing the following command in the command prompt: winmgmt /RegServer
   0x80080005	There is some internal execution failure in the WMI Service (winmgmt.exe) running in the host machine. The last update of the WMI Repository in that workstation could have failed.	Restart the WMI Service in the remote workstation: Select Start > Run Type Services.msc and click OK In the Services window that opens, select Windows Management Instrumentationservice. Right-click and select Restart
   For any other error codes, refer the MSDN knowledge base

5. I have added an Custom alert profile and enabled it. But the alert is not generated in EventLog Analyzer even though the event has occured in the host machine

   Probable cause: The alert criteria have not been defined properly

   Solution: Please ensure that the required fields in the Add Alert Profile screen have been given propelrly.Check if the e-mail address provided is correct. Ensure that the Mail server has been configured correctly.

6. When I create a Custom Report, I am not getting the report with the configured message in the Message Filter

   Probable cause:The message filters have not been defined properly

   Solution:When you are entering the string in the Message Filters for matching with the log message, ensure you copy/enter the exact string as shown in the Windows Event Viewer.

   e.g.,Logon Name:John

7. MS SQL server for EventLog Analyzer stopped

   Probable cause:The transaction logs of MS SQL could be full

   Solution: If the EventLog Analyzer MS SQL database transaction logs are full, shrink the same with the procedure given below:

   • Stop the Eventlog Analyzer Server/Service (Check the Eventlog Analyzer server machine's Task Manager to ensure that the processes 'SysEvtCol.exe', 'Java.exe' are not running). Connect MS SQL client (using Microsoft SQL Server Management Studio) and execute the below query:
     sp_dboption 'eventlog', 'trunc. log on chkpt.', 'true'
   • To execute the query, select and highlight the above command and press F5 key. After executing the above command, select and highlight the below command and press F5 key to execute it.
   • DBCC SHRINKDATABASE (eventlog)
   • Note: This process will take some time, based on the EventLog Analyzer database size.
     Start the Eventlog Analyzer.
8. I successfully configured Oracle host(s),still cannot view the data
   If Oracle host is Windows, open Event viewer in that machine and check for Oracle source logs under Application type. If Linux, check the appropriate log file to which you are writing Oracle logs. If the Oracle logs are available in the specified file, still ELA is not collecting the logs, contact eventlog-support@manageengine.com