| Cheshire Cat Computing http://steveshipway.org/forum/ |
|
| False positives with Application Log? http://steveshipway.org/forum/viewtopic.php?f=22&t=5199 |
Page 1 of 1 |
| Author: | transmax [ Tue May 29, 2012 7:17 pm ] |
| Post subject: | False positives with Application Log? |
Hi,

Very sorry if this has been covered already. If it has, my google-fu has failed me.

The Application Log filter is set to send Criticals on Errors only. So why am I getting Criticals on things such as this:

Application [CertEnroll #64]: Local system Certificate enrollment for Local system successfully load policy from policy server

where Level: is "Information", or this:

Application [vmStatsProvider #256]: root\cimv2 The "vmStatsProvider" is successfully initialized for this Virtual Machine. WMI namespace: "root\cimv2".

where Level: is "Information".

I've ticked Information, reloaded Nagios Eventlog, got heaps of 'stuff', unticked it, reloaded and got the above 'Critical' events again.

Any help would be appreciated.

Cheers,
Lee |
|
| Author: | stevesh [ Thu May 31, 2012 1:26 pm ] |
| Post subject: | Re: False positives with Application Log? |
You can enable Debug mode in the eventlog agent; this will give detailed logs indicating which of the filters matches and why for every log parsed (can generate a LOT of additional logs). The reason should be that you get a match on another filter with higher priority, and this filter has a Critical status associated with it. |
|
| Author: | transmax [ Thu May 31, 2012 2:43 pm ] |
| Post subject: | Re: False positives with Application Log? |
Hi,

Thanks for the reply. I did as you suggested and turned on debug mode. The filters are the defaults (Application, Security and System).

The following was sent as a Critical to nagios:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="vmStatsProvider" />
    <EventID Qualifiers="2">256</EventID>
    <Level>0</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-05-31T01:34:40.000000000Z" />
    <EventRecordID>56702</EventRecordID>
    <Channel>Application</Channel>
    <Computer>tville1.streams.northern.tmr.its</Computer>
    <Security />
  </System>
  <EventData>
    <Data>root\cimv2</Data>
  </EventData>
</Event>

This is shown as "Level: Information" on the General tab in Event Viewer.

The 'debug' shows the following:

------------------------
The description for Event ID 0 from source NagiosEventLog cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Caught an event and sent it on (Src=vmStatsProvider). Matching filter was 'Application Log'

The specified resource type cannot be found in the image file
-------------------

and this one as well:

-------------------------
The description for Event ID 0 from source NagiosEventLog cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

NSCA: 1 data packet(s) sent to host successfully.

The specified resource type cannot be found in the image file
------------------

So, still a mystery to me.

Cheers,
Lee |
|
| Author: | stevesh [ Thu May 31, 2012 2:50 pm ] |
| Post subject: | Re: False positives with Application Log? |
This is telling you that the filter "Application Log" was the first match for the event in question. The default "Application Log" filter should send a Critical status to the "Application EventLog" Nagios service. However, it should only match "Error" events, not Information. For some reason, this is matching. Can you confirm (a) what version of NagEventLog you are using (I have 1.9.0 here), and also (b) exactly how you have configured your filters -- you can get these from the registry under HKEY_LOCAL_MACHINE/SOFTWARE/Cheshire Cat/Nagios. It may be that you have either an older, buggy version, or else you have modified your default filters and this is a true match. There is also a possibility that you are running a much later version of Windows that is no longer compatible with the binary, but that is less likely. |
|
| Author: | stevesh [ Thu May 31, 2012 2:56 pm ] |
| Post subject: | Re: False positives with Application Log? |
Another thought that occurs to me is that it may be getting confused by the eventlog types. This happened in old servers when a new eventlog was added. To fix this, you delete all current filters, then manually recreate them. |
|
| Author: | transmax [ Thu May 31, 2012 3:21 pm ] |
| Post subject: | Re: False positives with Application Log? |
Hello again

Nagios EventLog versions: Agent: (1,9,2,0), Control App: (1,9,2,0)
Windows Server 2008 R2 Enterprise, SP1, 64-bit

Deleted all log filters (the 3 default ones) and recreated them. I'm getting the same results as before.

The registry entry for the Application Log:

Class Name: <NO CLASS>
Last Write Time: 31/05/2012 - 12:16 PM
Value 0   Name: filterDesc      Type: REG_SZ     Data: Application Log
Value 1   Name: eventLog        Type: REG_DWORD  Data: 0x2
Value 2   Name: eventLogName    Type: REG_SZ     Data: Application
Value 3   Name: serviceName     Type: REG_SZ     Data: Application EventLog
Value 4   Name: ID              Type: REG_SZ     Data:
Value 5   Name: matchString     Type: REG_SZ     Data:
Value 6   Name: source          Type: REG_SZ     Data:
Value 7   Name: Information     Type: REG_DWORD  Data: 0
Value 8   Name: status          Type: REG_DWORD  Data: 0x2
Value 9   Name: Warning         Type: REG_DWORD  Data: 0
Value 10  Name: Error           Type: REG_DWORD  Data: 0x1
Value 11  Name: Audit Success   Type: REG_DWORD  Data: 0
Value 12  Name: Audit Failure   Type: REG_DWORD  Data: 0
Value 13  Name: notID           Type: REG_DWORD  Data: 0
Value 14  Name: notMatch        Type: REG_DWORD  Data: 0
Value 15  Name: notSource       Type: REG_DWORD  Data: 0 |
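To make the first-match rule and the event level to filter type mapping concrete, here is an added Python illustration; it is not the NagiosEventLog agent's code. It models the filter fields named in the registry dump above (eventLogName, the Information/Warning/Error/Audit flags, status, matchString, source, ID and their not* negations) and the first-match-wins behaviour the thread describes, and it assumes that Level 1 (Critical) falls under the Error flag, that audit results are read from the classic Security-log keyword bits, and that the System and Security default filters are Error-only and Audit Failure-only respectively. The vmStatsProvider event is the one posted in this thread, trimmed to the fields the code reads; the Level 2 contrast case is constructed.

```python
"""Predict which NagiosEventLog-style filter is the first match for a Windows event.
Added illustration, not the agent's code: models the filter fields in the
registry dump above and the first-match-wins rule from the thread."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event Viewer shows Level 0 (LogAlways, typical of classic providers such as
# vmStatsProvider) as "Information"; 1 Critical, 2 Error, 3 Warning, 4 Information,
# 5 Verbose. Critical folds into the filter's Error flag, Verbose into Information
# (assumption: the filter has no separate flags for them).
LEVEL_TO_TYPE = {0: "Information", 1: "Error", 2: "Error",
                 3: "Warning", 4: "Information", 5: "Information"}
AUDIT_SUCCESS = 0x0020000000000000   # classic audit keyword bits (Security log)
AUDIT_FAILURE = 0x0010000000000000
STATUS_NAMES = {0: "OK", 1: "WARNING", 2: "CRITICAL", 3: "UNKNOWN"}


def event_type(level: int, keywords: int) -> str:
    """Map Level/Keywords onto the five type flags a filter can tick."""
    if keywords & AUDIT_SUCCESS:
        return "Audit Success"
    if keywords & AUDIT_FAILURE:
        return "Audit Failure"
    return LEVEL_TO_TYPE.get(level, "Information")


@dataclass
class Event:
    log: str
    source: str
    event_id: int
    level: int
    keywords: int
    message: str


def parse_event(xml_text: str) -> Event:
    """Parse Event Viewer's 'XML View' of one event."""
    root = ET.fromstring(xml_text)
    sys_ = root.find("e:System", NS)
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    return Event(log=sys_.findtext("e:Channel", "", NS),
                 source=sys_.find("e:Provider", NS).get("Name", ""),
                 event_id=int(sys_.findtext("e:EventID", "0", NS)),
                 level=int(sys_.findtext("e:Level", "0", NS)),
                 keywords=int(sys_.findtext("e:Keywords", "0x0", NS), 16),
                 message=" ".join(data))


@dataclass
class Filter:
    """One filter; field names follow the registry values in the dump above."""
    filterDesc: str
    eventLogName: str
    serviceName: str
    status: int               # Nagios status sent on a match (0x2 = CRITICAL)
    types: Set[str]           # type flags set to 1 (Information/Warning/Error/...)
    matchString: str = ""     # substring of the message; "" = any
    source: str = ""          # exact provider name; "" = any
    ID: str = ""              # exact event ID; "" = any
    notMatch: bool = False    # notX negates the corresponding criterion
    notSource: bool = False
    notID: bool = False

    def matches(self, ev: Event) -> bool:
        if ev.log != self.eventLogName or event_type(ev.level, ev.keywords) not in self.types:
            return False
        tests = ((self.source, self.source == ev.source, self.notSource),
                 (self.ID, self.ID == str(ev.event_id), self.notID),
                 (self.matchString, self.matchString.lower() in ev.message.lower(), self.notMatch))
        # An empty criterion is a wildcard; a set one must hit (or miss, when negated).
        return all(hit != negate for wanted, hit, negate in tests if wanted)


def first_match(filters: List[Filter], ev: Event) -> Optional[Tuple[str, str]]:
    """First-match-wins: (filterDesc, Nagios status) of the winning filter, or None."""
    for f in filters:
        if f.matches(ev):
            return f.filterDesc, STATUS_NAMES[f.status]
    return None


# "Application Log" exactly as dumped above; the other two defaults are assumptions.
DEFAULT_FILTERS = [
    Filter("Application Log", "Application", "Application EventLog", 0x2, {"Error"}),
    Filter("System Log", "System", "System EventLog", 0x2, {"Error"}),
    Filter("Security Log", "Security", "Security EventLog", 0x2, {"Audit Failure"}),
]

# The vmStatsProvider event from this thread, trimmed to the fields used here.
VMSTATS_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="vmStatsProvider" />
    <EventID Qualifiers="2">256</EventID>
    <Level>0</Level>
    <Keywords>0x80000000000000</Keywords>
    <Channel>Application</Channel>
  </System>
  <EventData><Data>root\\cimv2</Data></EventData>
</Event>"""
# Constructed contrast case: the same event at Level 2 (Error).
ERROR_EVENT_XML = VMSTATS_EVENT_XML.replace("<Level>0</Level>", "<Level>2</Level>")

if __name__ == "__main__":
    for ev in (parse_event(VMSTATS_EVENT_XML), parse_event(ERROR_EVENT_XML)):
        print(ev.source, event_type(ev.level, ev.keywords), first_match(DEFAULT_FILTERS, ev))
```

Run as-is, the Level 0 event classifies as Information and matches none of the three default filters, while the Level 2 copy matches "Application Log" and yields CRITICAL. Comparing this prediction with what the agent's debug log reports ("Matching filter was 'Application Log'") narrows the problem to the agent's own level or string handling rather than to the filter configuration, which is what the registry dump was meant to rule out.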
|
| Author: | transmax [ Tue Jun 26, 2012 2:11 pm ] |
| Post subject: | Re: False positives with Application Log? |
Unfortunately, the problem continues and I cannot find a solution to it, other than adding a lot of filters to cater to the false positives. |
|
| Author: | stevesh [ Tue Jun 26, 2012 3:44 pm ] |
| Post subject: | Re: False positives with Application Log? |
My guess is that this is something to do with the way Win2k8 handles the parsing and string matching; I know it has preferences for multibyte chars and this can muck things up. Until I have a development environment for 64bit Win2k8 there's not much I can do (currently I develop in XP, 32bit). There is also a lot of work required to get the wide character support working. |
|
| Page 1 of 1 | All times are UTC + 12 hours [ DST ] |