Cheshire Cat Computing

After reading through this topic: viewtopic.php?f=22&t=941
I'm finding that I'm seeing many of the same problems with Win 2k3 Service Pack 2. I'm not seeing these problems with Win 2k3 SP1.

The problem: I try to filter out events with source "TermServDevices" on two servers. The server with SP2 continues to forward the errors to Nagios. The server with SP1 properly blocks the errors from being forwarded to Nagios.

I'd like to get you some debug info to help solve this problem but after turning on debug mode I was unable to find where the debug log is.

Hello, NetworkNinja

i have had similar problem like you. But the Debug-Function is very helpful to find out where something strange happens ...

There are no "Logfile" the Debug Info will appear by itself in the application eventlog of the w2k3 host.

Possible Problem i have had is, that in security-eventlog are appearing so much entries per second, that the eventloginterpreter cannot finish scan on this log. Only with active debugging info i see hundrets of entries of debuginfos in eventlog per second. So i could determine, that the problem was to excessive security logging in security eventlog.

The reason for notfunctioning of eventlogagent was in my case, that ALL security relevant events was logging in security log - from all over our ads. This was happend through wrong settings in grouppolicy in ADS. After corrective actions in our grouppolicy settings we get a lot of CPU usage back .

I hope this story helps you a little bit.

I know, my english is not very good -- but i hope you understand what i tried to tell you

Greetings from Germany
wollila

Don't worry, your English is great.

I'm having a different problem. I have very few events on the server I am testing with Service Pack 2 (about 5 events per hour). The events I am blocking are a known issue that we don't worry about and I don't want to go to Nagios. There are a few every time a person logs on or off of the server via Terminal Services.

I'm trying to block events with sources Print and TermServDevices. I know I'm typing the names correctly and that the filter works because I use the same setup on a Service Pack 1 server with more traffic.

I think there is a possibility that Win 2k3 sp2 stores/reports the source differently than sp1. Now that you've told me where to look for debug info, I will check there. Thanks.

I figured out where the bug is GUI-wise, haven't looked at any code.

In SP1 the "NOT" check box works as expected. In SP2 you must uncheck the NOT box to get the expected behaviour.

In SP2:

Setting: NOT is checked. Source=Print,TermServDevices
Result: TermServDevices events are sent to Nagios

Setting: NOT is un-checked. Source=Print,TermServDevices
Result: TermServDevices doesn't match filters and is not sent to Nagios

I used the same installer for both computers. I have only tested this on a single SP2 computer and a single SP1 computer. I'll look for another SP2 computer to test on.

Nagios EventLog version: Agent: 1,8,1,0 Control App: 1,8,0,0

This is an odd one, and I wont be able to test until I get SP2 installed here on my dev PC.

It is possible that under SP2 Microsoft have broken the string library for non-wide characters. I'm going to change the program to completely use wide characters (so as to correctly support internations windows rather than just ascii-only) but this will need a bit of work and a recompile.

To track down what SP2 has broken, I'd need to use debug mode and track the application log to see how the comparisons were carried out - possibly it is now using wide chars in the variables.

Try undefining and redefining the filter, in case this fixes things (if the filter is defined using SP2 mayb e the comparison will also work under SP2)?

_________________
Steve Shipway
UNIX Systems, ITSS, University of Auckland, NZ
Woe unto them that rise up early in the morning... -- Isaiah 5:11

Unfortunately my Manager changed my priority project away from Nagios when I got back from vacation today. I'll try to get some debug information for you but for now I'll be devoting my time to other things.