Mar 02 2011

Windows 2008 Event Collector: XP and 2003 clients

In this post we will describe how to configure a Windows 2008 Event Collector server to process events forwarded from Windows XP and Windows 2003 clients. The event forwarding system (Windows' counterpart to syslog) relies on WinRM. There are two versions of the WinRM service, v1.1 and v2.0, and each version listens on a different default port (HTTP 80 + HTTPS 443 for WinRM 1.1, HTTP 5985 + HTTPS 5986 for WinRM 2.0). That is why you should upgrade WinRM 1.1 to WinRM 2.0 on your XP and 2003 clients in order to use event forwarding. For more details about WinRM I suggest you read this article.

Once your clients are set up and the event collector server is properly configured, clients forward the events you have subscribed to into your server's Forwarded Events log. Some event descriptions might not show up correctly on the server, even though you can read the event description on the client. On the server side the event description will look like this:

The description for Event ID ( %ID% ) in Source ( %SOURCE% ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer

This happens because the event message file (the *.dll or *.exe that translates the event description) located on the Windows 2008 server is missing or is not compatible with the one located on the Windows XP/2003 client.

In order to solve this issue and get a better understanding of event message files, you can read this Event Log Blog article. In our case we could not read the description of Event IDs from the source KmsRequests logged in the Key Management Services log. So we checked whether the HKLM\System\CurrentControlSet\Services\Eventlog\Key Management Services\KmsRequests registry entry existed:

It did exist; however, we noticed that the sppsvc.exe file referenced by the EventMessageFile value had a different version on the Windows 2008 server than on the Windows 2003/XP client:

So we copied the sppsvc.exe file from the Windows 2003/XP client to the Windows 2008 server, into a directory named C:\XP2003clients, and modified the EventMessageFile value under HKLM\System\CurrentControlSet\Services\Eventlog\Key Management Services\KmsRequests like this:

Once the Windows 2008 Event Collector had rebooted, the event descriptions forwarded by the Windows XP/2003 clients showed up correctly:

Now you can, for example, process the event description with PowerShell by using the Get-WinEvent cmdlet.
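To make the whole procedure repeatable, here is an added PowerShell example (not code from the original post) that runs the same steps from an elevated prompt on the collector: it checks that the registry key for the source exists, compares the version of the message file on the collector with the client's copy, stages the client's file in C:\XP2003clients and repoints EventMessageFile at it, and finally reads the forwarded descriptions with Get-WinEvent. The client host name XPCLIENT01 is a placeholder, and the script assumes the client's admin$ share is reachable and that EventMessageFile holds a single path (the value can in general hold several, separated by semicolons).

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the Windows 2008 Event Collector. Assumes:
#  - the XP/2003 client is reachable over its admin$ share (placeholder name below),
#  - EventMessageFile contains a single path (it may hold several, ';'-separated).
$clientName = 'XPCLIENT01'                       # placeholder, replace with a real XP/2003 host
$logName    = 'Key Management Services'
$source     = 'KmsRequests'
$regPath    = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$logName\$source"
$stageDir   = 'C:\XP2003clients'                 # directory the post uses for client message files

# 1. Does the collector know this source at all? If not, no message file can be resolved.
if (-not (Test-Path $regPath)) {
    throw "Registry key for source '$source' in log '$logName' is missing on the collector."
}

# 2. Resolve the message file the collector currently uses. The value is REG_EXPAND_SZ
#    (e.g. %SystemRoot%\system32\sppsvc.exe); expanding again is harmless if the
#    provider already expanded it.
$rawValue      = (Get-ItemProperty -Path $regPath -Name EventMessageFile).EventMessageFile
$serverMsgFile = [Environment]::ExpandEnvironmentVariables($rawValue)
$fileName      = Split-Path -Leaf $serverMsgFile
$clientMsgFile = '\\{0}\admin$\system32\{1}' -f $clientName, $fileName

# 3. Compare file versions. A mismatch is what produces the
#    "The description for Event ID ... cannot be found" text on the collector.
$serverVer = (Get-Item $serverMsgFile).VersionInfo.FileVersion
$clientVer = (Get-Item $clientMsgFile).VersionInfo.FileVersion
"Collector: $serverMsgFile ($serverVer)"
"Client:    $clientMsgFile ($clientVer)"

if ($serverVer -ne $clientVer) {
    # 4. Stage the client's copy on the collector and point the source at it.
    #    The server's own binary is left untouched; only the registry value changes.
    if (-not (Test-Path $stageDir)) { New-Item -ItemType Directory -Path $stageDir | Out-Null }
    $staged = Join-Path $stageDir $fileName
    Copy-Item -Path $clientMsgFile -Destination $staged -Force
    Set-ItemProperty -Path $regPath -Name EventMessageFile -Value $staged -Type ExpandString
    "EventMessageFile now points at $staged. Reboot the collector, as in the post, before checking."
}

# 5. After the reboot, read the forwarded descriptions. -FilterHashtable filters on the
#    server side instead of pulling every event out of ForwardedEvents first.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; ProviderName = $source } -MaxEvents 20 |
    Select-Object TimeCreated, MachineName, Id, Message |
    Format-Table -AutoSize -Wrap
```

If several client OS versions forward the same source, keep one staged copy per version (for example C:\XP2003clients\<version>\sppsvc.exe) and note that a single EventMessageFile value can only resolve against one of them; the Message column in the last step is the quickest way to confirm which descriptions now render.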


1 Comment

  • By Ammesiah, March 2, 2011 @ 4:53 pm

    Really nice, the customization of the event source.
    Then again, the .exe/.dll files had better not be too big in case you end up with x OS versions and therefore x versions of custom event ^^
    Otherwise it's going to take a hell of a lot of disk space to host all that!!
