hanhongwen / eventlog-to-syslog

Automatically exported from code.google.com/p/eventlog-to-syslog

Message of type information came as err when the message file was not found. #28

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Event log entries like this:

Event Type: Information
Event Source:   sshd
Event Category: None
Event ID:   0
Date:       21.02.2011
Time:       13:33:09
User:       PEXXXX\cyXXXXXXX
Computer:   PEXXXXXX
Description:
The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The 
local computer may not have the necessary registry information or message DLL 
files to display messages from a remote computer. You may be able to use the 
/AUXSOURCE= flag to retrieve this description; see Help and Support for 
details. The following information is part of the event: sshd: PID 260: 
Accepted publickey for cyXXXXXXXX from XXXXXXXXXX port 56861 ssh2.

came into the syslog as:

syslog PEXXXXX daemon err 2011-02-21 13:33:13 find message file key for 
"SYSTEM\CurrentControlSet\Services\Eventlog\Application\sshd" 

What is the expected output? What do you see instead?

The priority should be information, and with the option -l=3 (level) this 
message should not be shown.

What version of the product are you using? On what operating system?

Product Version 4.4.0
Operating System is Windows Server 2003 R2 64Bit standard.
The application in this event log message is the Cygwin ssh daemon.

Original issue reported on code.google.com by ronny.bu...@perdata.de on 21 Feb 2011 at 1:18

GoogleCodeExporter commented 9 years ago
The reason for this is the utility tries to look up the message definition for 
the log entry. When it cannot find a message file, it logs that as an error and 
then continues.

If sshd has an error or invalid login does that also get logged as information?

Original comment by sherwin....@gmail.com on 22 Feb 2011 at 12:04

GoogleCodeExporter commented 9 years ago
I am going to close this as it is currently not something I can fix easily. The 
utility logs missing message definitions as errors by design. What you can do 
is configure evtsys to ignore messages from sshd with id 0.

Let me know if you need any further assistance.

-Sherwin

Original comment by sherwin....@gmail.com on 1 Apr 2011 at 4:32
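The behaviour the maintainer describes above (a missing message file logged at err, so it passes a -l=3 filter while the informational event itself is dropped) and the suggested workaround (ignoring sshd id 0), as an added model. This is hypothetical reconstruction code, not evtsys's own source; the event, the registry stand-in, the `forward`/`lookup_message_file` functions and the `inherit_severity` hardening option are all assumptions made for the example.

```python
"""Model of an eventlog-to-syslog forwarder's severity handling (hypothetical,
not evtsys code). Shows why the "find message file key" line survives -l=3."""
from typing import Optional

# RFC 5424 syslog severities; -l=3 means "forward err and anything more severe"
EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO, DEBUG = range(8)

# Windows event type -> syslog severity (assumed mapping for this model)
EVENT_TYPE_SEVERITY = {"Error": ERR, "Warning": WARNING, "Information": INFO}

# Constructed stand-in for the Eventlog\Application registry key: only sources
# listed here have an EventMessageFile registered. sshd deliberately is not.
REGISTERED_MESSAGE_FILES = {"ConstructedSource": "constructed.dll"}
REGISTRY_KEY = "SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Application"


def lookup_message_file(source: str) -> Optional[str]:
    """Return the message DLL registered for a source, or None when absent."""
    return REGISTERED_MESSAGE_FILES.get(source)


def forward(event: dict, level: int, ignore: frozenset = frozenset(),
            inherit_severity: bool = False) -> list:
    """Return the (severity, text) lines that reach syslog for one event.

    ignore holds (source, event_id) pairs: the maintainer's workaround.
    inherit_severity is a hardened variant (assumed, not in evtsys): the
    lookup-failure notice takes the event's own severity instead of err.
    """
    if (event["source"], event["id"]) in ignore:
        return []
    event_sev = EVENT_TYPE_SEVERITY[event["type"]]
    lines = []
    if lookup_message_file(event["source"]) is None:
        sev = event_sev if inherit_severity else ERR   # reported behaviour: ERR
        lines.append((sev, f'find message file key for "{REGISTRY_KEY}\\{event["source"]}"'))
    lines.append((event_sev, f'{event["source"]}: {event["text"]}'))
    # -l filters on numeric severity: lower number = more severe
    return [(s, m) for s, m in lines if s <= level]


# Constructed event shaped like the one in the report (identifiers redacted)
SSHD_EVENT = {"source": "sshd", "id": 0, "type": "Information",
              "text": "PID 260: Accepted publickey for user from host port 56861 ssh2."}

if __name__ == "__main__":
    print(forward(SSHD_EVENT, level=ERR))                      # only the err line leaks
    print(forward(SSHD_EVENT, level=ERR, ignore=frozenset({("sshd", 0)})))  # []
    print(forward(SSHD_EVENT, level=ERR, inherit_severity=True))           # []
```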