Steven Kiergaard
asked on
Cannot read SOME event logs remotely on Windows servers
We are setting up a co-managed IBM QRadar SIEM, but I have 7 out of 200+ targets where I can't open the Application or System logs remotely. They are fine locally. I can open Security and Setup, so it doesn't look like a larger port or security issue.
The error message is: Event Viewer cannot open the event log or custom view. Verify that the Event Log service is running or query is too long (5).
The entity connecting is in Local Security Policy with "Manage auditing and security log". There are 2008 R2, 2012 R2 and a brand-spanking-new 2016 server involved. I can't see any reason they should not be openable (??). I have tried with the service account and a domain admin account. Same result.
I can't find much in a Google search, but that's usually a failure to ask the question correctly. Anyone have an idea?
Can they be opened from any other hosts?
Maybe check that the right security permissions are defined for the Event Log account in the registry.
Check if the issue occurs when you try to restart the Event Log service manually.
Check the access privileges of C:\Windows\System32\winevt\Logs.
https://support.microsoft.com/en-sg/help/2751670/we-are-seeing-an-error-where-we-are-unable-to-access-the-security-log
https://support.microsoft.com/en-us/help/172156/how-to-delete-corrupt-event-viewer-log-files
You may also try:
Disable the Windows Event Log service in the Services console.
Rename (in system32\config) the 3 main .evt files, such as Sysevent.evt, Appevent.evt and Secevent.evt.
Re-enable the Windows Event Log service.
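A diagnostic that works through the checks above against a remote target in one pass, added here as an example; it is not code from the thread or from either participant. It assumes PowerShell 5.1 on the collecting host, WinRM (Invoke-Command) reachable on the targets, and the hostnames SRV-OK and SRV-FAIL are placeholders. For each log it attempts the same remote open that Event Viewer performs, then pulls the effective channel SDDL (wevtutil gl), any legacy CustomSD override in the registry (the "permissions in the registry" hint above), and the NTFS ACL of the .evtx file, so a working host can be diffed against a failing one. One caveat worth knowing when reading the output: the "Manage auditing and security log" privilege (SeSecurityPrivilege) grants access to the Security log independently of its channel ACL, so a tightened channelAccess or CustomSD on Application or System is one configuration that yields exactly the pattern in the question, Security opens remotely while Application and System return error 5.

```powershell
# Added diagnostic for remote event log access failures (not from the original thread).
# Assumptions: PowerShell 5.1, WinRM reachable on the target, and an account that is
# a local administrator there (needed for Invoke-Command, wevtutil and Get-Acl).
function Test-RemoteEventLog {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [string[]]                        $LogName = @('Application', 'System', 'Security'),
        [pscredential]                    $Credential
    )

    # Build a splat so -Credential is only passed when the caller supplied one.
    $remote = @{ ComputerName = $ComputerName }
    if ($Credential) { $remote.Credential = $Credential }

    $session = New-PSSession @remote -ErrorAction Stop
    try {
        # 1. Is the Windows Event Log service actually running on the target?
        $svc = Invoke-Command -Session $session {
            Get-Service -Name EventLog | Select-Object Status, StartType
        }

        foreach ($log in $LogName) {
            $result = [ordered]@{
                Computer      = $ComputerName
                Log           = $log
                ServiceStatus = "$($svc.Status)/$($svc.StartType)"
            }

            # 2. Remote open over the Event Log RPC interface, the same path Event Viewer
            #    uses when you connect to another computer. Error 5 surfaces here.
            try {
                $info = Get-WinEvent -ListLog $log @remote -ErrorAction Stop
                $result.RemoteOpen  = 'OK'
                $result.RecordCount = $info.RecordCount
            } catch {
                $result.RemoteOpen  = $_.Exception.Message
                $result.RecordCount = $null
            }

            # 3. Effective channel ACL as SDDL, read on the target itself.
            $result.ChannelAccess = Invoke-Command -Session $session -ArgumentList $log {
                param($l)
                wevtutil gl $l |
                    Where-Object { $_ -match '^channelAccess:' } |
                    ForEach-Object { ($_ -split ':', 2)[1].Trim() }
            }

            # 4. Legacy CustomSD override for classic logs (Application, System, Security).
            #    If present, it replaces the default channel ACL.
            $result.CustomSD = Invoke-Command -Session $session -ArgumentList $log {
                param($l)
                $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$l"
                (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
            }

            # 5. NTFS ACL on the .evtx file under %SystemRoot%\System32\winevt\Logs.
            $result.FileAcl = Invoke-Command -Session $session -ArgumentList $log {
                param($l)
                $path = Join-Path $env:SystemRoot "System32\winevt\Logs\$l.evtx"
                if (Test-Path $path) { (Get-Acl -Path $path).Sddl } else { "missing: $path" }
            }

            [pscustomobject]$result
        }
    } finally {
        Remove-PSSession -Session $session
    }
}

# Usage: collect from one host that works and one that fails, then diff the
# access-control columns for the log that will not open. SRV-OK and SRV-FAIL
# are placeholder names.
$good = Test-RemoteEventLog -ComputerName 'SRV-OK'
$bad  = Test-RemoteEventLog -ComputerName 'SRV-FAIL'
$good, $bad | Format-Table Computer, Log, ServiceStatus, RemoteOpen -AutoSize
Compare-Object ($good | Where-Object Log -eq 'Application') `
               ($bad  | Where-Object Log -eq 'Application') `
               -Property ChannelAccess, CustomSD, FileAcl
```

If Compare-Object shows no difference in ChannelAccess, CustomSD or FileAcl between a working and a failing host, the channel and file permissions are not the cause and the remaining suspects are the service state on the target and the health of the .evtx files themselves, which is where the two KB articles above come in.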
ASKER
ArneLovius: I have tried with 3 different accounts from 6 machines, so it doesn't seem to be that.
btan: I will give those a shot when I can.