Overview
GFI EventsManager is not collecting any events from the target machines.
In the VistaCollector/EvtCollector log, you may see messages similar to the ones below:
2011-09-21, 15:56:50, 595, 0, 720, 125c, error, VistaCollector.dll, ScanVistaMachine, ERROR: Cannot initiate scan on machine %machinename%, log Security
2011-09-21, 15:56:50, 595, 0, 720, 125c, error, VistaCollector.dll, ScanVistaMachine, Stack trace is: at GFILog.LogError(String message, Object[] args)
In the EvtExtractor/VstExtractor log, you may see messages similar to the ones below:
2011-09-21, 15:26:56, 065, 9, 720, 1f9c, info, VstExtractor.dll, VistaExtractor.OpenEventLogW, Opening session on machine SWIFT28FS, domain (null), user (null)
2011-09-21, 15:26:56, 066, 9, 720, 1f9c, info, VstExtractor.dll, VistaExtractor.OpenEventLogW, 4
2011-09-21, 15:26:56, 106, 0, 720, 1f9c, error, VstExtractor.dll, VistaExtractor.OpenEventLogW, ERROR: error opening the first config for log Security on machine %machinename%, err 0x5, Access is denied.
This article serves as a reference for troubleshooting the issues described above.
Environment
- GFI EventsManager
- All Supported Environments
Root Cause
Events may not have been created on the target machines, or the required audit policies may not be enabled.
Resolution
If no event logs are being collected by GFI EventsManager, check the following:
- Ensure that the events are actually being created on the target machines. You can use Microsoft Event Viewer on each target machine to confirm that the expected events are present in the log.
- If the events are not created, ensure that the correct audit policies are enabled on the machine. More information on how to enable Audit Policies can be found in the Enabling User Security Auditing section of the GFI EventsManager user manual.
- Ensure that there is no firewall preventing GFI EventsManager from collecting the Microsoft Event logs from the target machines. More information about the required ports can be found in Ports Used by GFI EventsManager.
- By default, GFI EventsManager connects to the remote computer using the account under which the GFI EventsManager service runs. You may need to specify Login Credentials to connect to specific computers. This can be done either on a computer-by-computer basis or per Computer Group.
- Ensure that the account used to collect the events from the target machine has sufficient rights to connect to the machine and read its event logs. This can be tested as follows:
  - From the GFI EventsManager Console, check the account used to connect to the remote computer.
  - Log in to the GFI EventsManager machine using this account.
  - Open Microsoft Event Viewer.
  - From Action, select Connect to another computer.
  - Select the machine configured in GFI EventsManager that you would like to check.
  - Ensure that you can view the Event Logs from the remote machine.
Note: This can only be done for machines which belong to the same AD (Active Directory) domain.
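The checks above (firewall reachability, the collection account's right to open the remote Security log, and whether the log holds any events at all) can be scripted from the GFI EventsManager host. The following PowerShell function is an added example, not part of the original article or of GFI's own tooling; it assumes Windows 8 / Server 2012 or later for Test-NetConnection, that it is run as the collection account or given an explicit credential, and that the targets are in the same AD domain.

```powershell
# Added example (not from the GFI article). For each target it reports, in the
# order the Resolution steps do: TCP 135 reachability (firewall), whether the
# log can be opened remotely with the given account (err 0x5 = AccessDenied),
# and whether the opened log is empty (audit policy not enabled).
function Test-EventLogCollection {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$LogName = 'Security',
        # Optional: test with the Login Credentials configured in EventsManager
        # instead of the account running this script.
        [System.Management.Automation.PSCredential]$Credential
    )
    foreach ($target in $ComputerName) {
        $result = [ordered]@{ Computer = $target; Log = $LogName
                              RpcPort135 = $null; Status = $null; Detail = $null }
        # Step 1: the RPC endpoint mapper must be reachable; if not, suspect a firewall.
        $result.RpcPort135 = (Test-NetConnection -ComputerName $target -Port 135 `
                               -WarningAction SilentlyContinue).TcpTestSucceeded
        # Step 2: open the log remotely, as Event Viewer's "Connect to another computer" does.
        $params = @{ ComputerName = $target; LogName = $LogName; MaxEvents = 1; ErrorAction = 'Stop' }
        if ($Credential) { $params.Credential = $Credential }
        try {
            $ev = Get-WinEvent @params
            $result.Status = 'OK'
            $result.Detail = "Newest event: $($ev.TimeCreated) (Id $($ev.Id))"
        } catch {
            $msg = $_.Exception.Message
            if ($msg -match 'No events were found') {
                $result.Status = 'EmptyLog'   # log opened fine but contains nothing
                $result.Detail = 'Log is empty; check that audit policies are enabled on the target'
            } elseif ($_.Exception -is [System.UnauthorizedAccessException] -or $msg -match 'unauthorized|denied') {
                $result.Status = 'AccessDenied'   # same condition as err 0x5 in the VstExtractor log
                $result.Detail = 'Account cannot read the log; specify Login Credentials or grant the account read rights'
            } elseif ($msg -match 'RPC server is unavailable') {
                $result.Status = 'Unreachable'   # typically a firewall or the target is offline
                $result.Detail = 'RPC unavailable; verify the ports used by GFI EventsManager are open'
            } else {
                $result.Status = 'Error'; $result.Detail = $msg
            }
        }
        [pscustomobject]$result
    }
}

# Usage (hostnames are placeholders):
# Test-EventLogCollection -ComputerName 'SRV01','SRV02' -Credential (Get-Credential) | Format-Table
```

A row with RpcPort135 = False and Status = Unreachable points at the firewall step, AccessDenied at the credentials/rights steps, and EmptyLog at the audit policy step.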