Submit a ticketCall us

Bridging the ITSM Divide
Integrated help desk and remote support software for faster resolution

Join us on Wednesday, November 29, 2017 at 11 a.m. CT, as we discuss the benefits of effectively integrating your help desk software with remote support solutions to help increase the efficiency of IT administration, improve communication, and decrease mean time to resolution (MTTR) for IT issues of all sizes. This directly impacts end-user satisfaction and your business’ bottom line. Register Now.

Home > Success Center > Log & Event Manager (LEM) > LEM Agent Connectors Not Reading the Windows Event Log

LEM Agent Connectors Not Reading the Windows Event Log

Updated November 2, 2017

Overview

If the LEM agent has been installed, and the Application, System, and Security connectors have been configured, LEM should be receiving the events from those logs. This article will help you ensure that the connectors are configured, and the service has access to each log. See detail below.

If you are able to read these logs but there are no events in the logs, this is a Windows problem.

  • It's possible that Windows is broken, preventing logging, so be sure to check Microsoft documentation for assistance.
  • Also check the auditing policies set up in group policies. See the following SolarWinds article:
    Audit Policies and Best Practices for LEM

 

In its simplest form, LEM agent connectors read the Windows event logs.

Environment

  • LEM, all versions

Detail

LEM Agent must have proper permissions

LEM Agent must first be installed with the proper permissions for the connectors to collect logs and give the events to the agent for sending to LEM.

  • If necessary, uninstall the agent from Programs & Features (or use the LEM Agent uninstaller), and delete the agent directory (C:\windows\syswow64\ContegoSPOP\).
  • Then copy the agent installer to the local hard drive, right-click to select "Run as administrator", and follow the prompts to re-install the agent. Whether this is the Remote Agent installer or the Local Agent installer, "Run as administrator" requires the installer file to be on a local hard drive when you launch it.

LEM Agent must have access to the Windows Event Log

LEM Agent uses the SYSTEM account to read the Windows event logs. Group policies (or local policies, or registry changes) can restrict access to any Windows Event Log.

Note the error message when accessing the event log with your login "...access denied...". This confirms that your user account does not have access to the event log, but we also need to verify that the LEM agent (which uses the SYSTEM account) has the access to read the event log.

The regedit image below shows the Application log being selected, but you can also see the Security and System 'log lines' under the "EventLog" in the registry. The registry access to this is located at:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

Perform these steps:

  1. Open regedit.exe as an administrator.
  2. Navigate to the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application key.
  3. Right click on Application and choose Permissions...
  4. Go into the Advanced screen and click the Add button.
  5. Click the "Select a principal" hyperlink.
  6. Use the Locations button to change focus from the domain/forest to the computer/server.
  7. Use the Object Types button to make sure that the "Other objects" category is checked.
  8. In the Name field, type "NT SERVICE\EventLog", check the name and accept it.
  9. Ensure the following options are checked (under Show Advanced Permissions): Query value, enumerate subkeys, notify and read control.

Since the LEM agent uses the Windows SYSTEM account, be sure this user has the permissions.
Otherwise you may need to use a "domain admin" service account for the Agent service, and be sure the user (service account) has logon-as-a-service right.
 

 

Microsoft Reference links: 

 

Microsoft changed the type of security event log used, starting with Vista and going forward. LEM configuration for agents shows "Vista Security Log", which reflects the newer type of event log. This is important to have the correct connector reading this log, not the "Security Log" which reads the Windows 2000/2003 & XP security logs. Just for information, LEM security log connectors parse 100% of the security event log (the only exception being the Windows Platform Event 'noise', which has no value).

Windows still uses the same System Log as before, so be sure to configure that connector. This connector parses the generic events generated by Windows, so it does not parse 100% of the log.

Windows still uses the same Application Log as before, so be sure to configure that connector. This connector parses the generic events generated by Windows, so if you need to read more 'informational' logging, contact SolarWinds support for the "Windows Application - All" event log connector. This connector is not normally included with LEM, just because of the additional amount of logging that would appear, if this connector was used by mistake.


Because of the amount of applications and software available for Windows, the standard application log connector (or even the 'application - all' connector) cannot parse 100% of the log, so LEM has a large number of connectors available to read third party events sent to this log. Most are available under the connector list within the agent configurations.

If GPO's or local registry changes were made, it's possible that LEM connectors may not be able to be read Windows Event Logs. If you are still unable to read the events into LEM, contact SolarWinds support.

 

 

Last modified

Tags

Classifications

Public