KBI 310166 Cannot Consolidate W2008 Security Logs from W2003

Version

Argent Data Consolidator 8.0A-0901-B

Date

2 June 2009

Summary

Attempting to consolidate a Windows 2008 Security log from a Windows 2003 machine causes the Argent Data Consolidator Engine Log to fill up with the following messages:

ALERT IS NOT FIRED for error

Cannot Format Event Log Content (Formatting error of event log ‘SECURITY’ of server ‘XXXXX’. Failed to open registry key SYSTEM\CurrentControlSet\Services\EventLog\SECURITY\Microsoft-Windows-Security-Auditing of node XXXXX. (Error: Overlapped I/O operation is in progress.). Try local registry to determine message DLL required. Failed to open registry key

Technical Background

This is not an Argent issue; it is a known Microsoft issue that occurs on Windows servers because the API for Security logging changed in Windows Vista and in Windows Server 2008.

Security events written by the newer logging API cannot be read by a server that only has the legacy API, e.g. Windows 2003.

This is confirmed by the fact that it is not possible to read the remote Windows 2008 Server Security logs from the native Windows 2003 Event Viewer.

Resolution

This is not an Argent issue; it is a known Microsoft issue with Windows 2003/2008, and a hotfix is available from Microsoft to resolve it:

http://support.microsoft.com/kb/961099

“An application that uses Windows NT security event log APIs cannot read the description of an event log message from a computer that is running Windows Vista or Windows Server 2008”

Registration with Microsoft is necessary to obtain this hotfix. Upon registration, Microsoft will send an email with the download details and passwords.

The Microsoft hotfix will need to be applied to all Windows 2008 servers that need to be monitored from a Windows 2003 server.

NOTE: A reboot is required following the installation of the Microsoft hotfix.
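The following PowerShell check is an added example and is not Argent code or part of the Microsoft hotfix. It is intended to be run from the monitoring host after the hotfix and reboot, to confirm for each Windows 2008 server that the hotfix is installed and that the registry key named in the Engine Log messages can now be opened remotely. It assumes PowerShell 2.0 or later, WMI and Remote Registry access to each target, and the server names in $Servers are placeholders to be replaced.

```powershell
# Added example (not Argent's code). Verifies, per Windows 2008 server:
#   1. the Microsoft hotfix KB961099 is listed as installed (Win32_QuickFixEngineering)
#   2. the registry key the Engine Log reports as unreadable can be opened remotely
# Assumptions: PowerShell 2.0+, WMI and Remote Registry reachable on each target.
$Servers  = @('XXXXX-PLACEHOLDER-1', 'XXXXX-PLACEHOLDER-2')   # replace with real names
$HotfixId = 'KB961099'
$KeyPath  = 'SYSTEM\CurrentControlSet\Services\EventLog\Security\Microsoft-Windows-Security-Auditing'

function Test-SecurityLogReadability {
    param([string]$Server)

    # 1. Hotfix presence. Get-HotFix writes an error when the ID is not found or
    #    WMI is unreachable; -ErrorAction Stop turns that into a catchable exception.
    $hotfix = $null
    try {
        $hotfix = Get-HotFix -Id $HotfixId -ComputerName $Server -ErrorAction Stop
    } catch {
        $hotfix = $null
    }

    # 2. Remote open of the key the consolidator failed on. A $null OpenSubKey result
    #    means the key is absent; an exception usually means Remote Registry is not
    #    running or the caller lacks rights on the target.
    $keyOpened = $false
    $keyError  = ''
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
        $key  = $base.OpenSubKey($KeyPath)
        if ($key -ne $null) {
            $keyOpened = $true
            $key.Close()
        } else {
            $keyError = 'key not found'
        }
        $base.Close()
    } catch {
        $keyError = $_.Exception.Message
    }

    New-Object PSObject -Property @{
        Server        = $Server
        HotfixPresent = ($hotfix -ne $null)
        RegistryKeyOK = $keyOpened
        RegistryError = $keyError
    }
}

$Servers |
    ForEach-Object { Test-SecurityLogReadability -Server $_ } |
    Format-Table Server, HotfixPresent, RegistryKeyOK, RegistryError -AutoSize
```

A server showing HotfixPresent = False still needs the hotfix and reboot; one showing the hotfix present but RegistryKeyOK = False with a permissions or service error points at Remote Registry or account rights on that server rather than at the consolidator.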