KBI 310137 Argent Data Consolidator and 64-bit Event Logs

Version

Argent Data Consolidator 8.0A-0810

Date

27 Dec 2008

Summary

The Argent Data Consolidator Scheduling Engine log will contain entries similar to the following:

12 Oct 2008 15:17:20.863 ARGENTMONITOR03 argent ALERT IS NOT FIRED for error Cannot Format Event Log Content (Formatting error of event log ‘SECURITY’ of server ‘SQLDB07’.

Failed to LoadLibraryEx \\SQLDB07\C$\WINDOWS\System32\MsAuditE.dll. (Error: %1 is not a valid Win32 application.)

Failed to LoadLibraryEx \\SQLDB07\C$\WINDOWS\System32\ws03res.dll. (Error: %1 is not a valid Win32 application.)

Failed to LoadLibraryEx \\SQLDB07\C$\WINDOWS\System32\xpsp2res.dll. (Error: %1 is not a valid Win32 application.)

)

The Argent Data Consolidator Transfer Engine log will contain entries similar to the following:

12 Oct 2008 15:30:03.520 ARGENT-ADC-TE1 argent Failed to LoadLibraryEx \\SQLDB07\C$\WINDOWS\System32\MsAuditE.dll. (Error: %1 is not a valid Win32 application.)

12 Oct 2008 15:30:03.520 ARGENT-ADC-TE1 argent Failed to LoadLibraryEx \\SQLDB07\C$\WINDOWS\System32\ws03res.dll. (Error: %1 is not a valid Win32 application.)

12 Oct 2008 15:30:03.520 ARGENT-ADC-TE1 argent Failed to LoadLibraryEx \\SQLDB07\C$\WINDOWS\System32\xpsp2res.dll. (Error: %1 is not a valid Win32 application.)

12 Oct 2008 15:30:03.551 ARGENT-ADC-TE1 argent Failed to LoadLibraryEx \\WLOGIC18\C$\WINDOWS\System32\MsAuditE.dll. (Error: %1 is not a valid Win32 application.)

12 Dec 2008 15:30:03.551 ARGENT-ADC-TE1 argent Failed to LoadLibraryEx \\WLOGIC18\C$\WINDOWS\System32\ws03res.dll. (Error: %1 is not a valid Win32 application.)

12 Oct 2008 15:30:03.551 ARGENT-ADC-TE1 argent Failed to LoadLibraryEx \\WLOGIC18\C$\WINDOWS\System32\xpsp2res.dll. (Error: %1 is not a valid Win32 application.)

Technical Background

32-bit programs (such as the Argent Data Consolidator) are unable to load the 64-bit .DLLs required to scan the event log from a system hosting an OS such as Windows Server 2003 x64 Edition.

Argent has provided its customers with a way to handle these situations. WMI is the mechanism used to handle the logs on x64 targets.

Resolution

Enable the WMI scanning feature for the Argent Data Consolidator.

Step 1

Open the Argent Data Consolidator, and select Administration. Click License Manager, and click Licensed Servers on the bottom-right tab.

Step 2

Double-click a licensed server to bring up its properties.

Note: the server you are selecting will be an x64 target, i.e. a 64-bit machine you wish to collect or scan logs from.

Step 3

In the example shown here, we are selecting the server “ARGENT-DEV”.

Enable the setting Read W200x Event Log by WMI.

Step 4

Click OK to accept the changes.

Your 64-bit target server should now be ready for event log analysis and consolidation.
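To decide which licensed servers need the setting from Step 3, the engine logs can be scanned for the LoadLibraryEx failure shown in the Summary. The following is an added example, not Argent code: the function name, the sample log text and the host FILESRV02 are constructed for illustration, and the regular expression assumes the message layout quoted in this article.

```python
import re
from collections import defaultdict

# Failure text as quoted in this article. The Windows message
# "%1 is not a valid Win32 application." is ERROR_BAD_EXE_FORMAT (193),
# which is what a 32-bit process gets when it loads a 64-bit image.
# UNC layout assumed: \\<server>\<share path>\<name>.dll
FAILURE = re.compile(
    r"Failed to LoadLibraryEx \\\\(?P<server>[^\\]+)\\(?P<path>.+?\.dll)\.\s+"
    r"\(Error: %1 is not a valid Win32 application\.\)",
    re.IGNORECASE,
)

# Constructed sample input modelled on the Transfer Engine excerpts above.
# The last line (hypothetical host FILESRV02) fails for a different reason
# and must not be reported as an x64 target.
SAMPLE_LOG = r"""
12 Oct 2008 15:30:03.520 ARGENT-ADC-TE1 argent Failed to LoadLibraryEx \\SQLDB07\C$\WINDOWS\System32\MsAuditE.dll. (Error: %1 is not a valid Win32 application.)
12 Oct 2008 15:30:03.520 ARGENT-ADC-TE1 argent Failed to LoadLibraryEx \\SQLDB07\C$\WINDOWS\System32\ws03res.dll. (Error: %1 is not a valid Win32 application.)
12 Oct 2008 15:30:03.551 ARGENT-ADC-TE1 argent Failed to LoadLibraryEx \\WLOGIC18\C$\WINDOWS\System32\xpsp2res.dll. (Error: %1 is not a valid Win32 application.)
12 Oct 2008 15:30:04.012 ARGENT-ADC-TE1 argent Failed to LoadLibraryEx \\FILESRV02\C$\WINDOWS\System32\netmsg.dll. (Error: Access is denied.)
"""


def servers_needing_wmi(log_text):
    """Map each target server to the message DLLs that failed with the
    bad-image error, i.e. the servers whose event logs are not being
    formatted until WMI reading is enabled for them."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        for match in FAILURE.finditer(line):
            dll_name = match.group("path").rsplit("\\", 1)[-1]
            hits[match.group("server").upper()].add(dll_name)
    return {server: sorted(dlls) for server, dlls in sorted(hits.items())}


if __name__ == "__main__":
    for server, dlls in servers_needing_wmi(SAMPLE_LOG).items():
        print(f"{server}: enable WMI event log reading ({', '.join(dlls)})")
```

Every server reported is one whose event log entries, including the SECURITY log case shown in the Summary, are not being formatted, so alerts based on them are not firing until the setting is enabled.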