[logs] Some remarks regarding Vista's event logging
Rainer Gerhards
rgerhards at hq.adiscon.com
Thu Apr 12 02:38:38 PDT 2007
Eric,
from my experience, there at least sometimes is erratic behaviour even
on freshly-installed machines. From time to time we have the connection
problems Frank mentions. At other times, everything works flawlessly. We
have not yet tried to solve these mysteries as they pose no real problem
for our products. The key thing is that the event logging system
starting with Vista is totally different. There is a legacy layer, but
we do not think it is smart to use it. Consequently, we have created a
new implementation of our event log monitor in EventReporter and
MonitorWare Agent. That one is based on the new APIs and capabilities
and works well in all cases.
I have speculated a bit about the reasons on this page:
http://www.mwagent.com/Common/en/FAQ/vista-event-log.php
Maybe you can tell me if I've speculated correctly ;)
Of course, that does not fix potential issues with tools included in
Windows itself. I, too, think there is some room for fixes and I am
positive you guys will handle that. It would be most beneficial to learn
about potential problems. If you could post your findings, that would be
a very valuable resource.
One thing I can mention is that there are issues if a 32-bit application
uses the legacy event log API on a 64-bit machine. In that case, message
libraries may not load correctly (if there is no 32-bit library as well).
This mostly depends on the way the API is called and the requested
language. If you do not know about this limitation, the behaviour looks
quite erratic. If you know the reason, it looks perfectly OK ;) So
knowing cases and reasons is pretty useful.
Rainer
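
The 32-bit/64-bit point above can be checked on a given machine. The PowerShell below is an added example, not part of the original message and not code from any product named in it: it reads each event source's `EventMessageFile` registry value and reports libraries that exist for 64-bit readers but are missing at the path a 32-bit process is redirected to. The function name `Get-MessageFileCoverage` and the choice of the Application and System logs are assumptions.

```powershell
# Added example (not from the original message).
# Run in a 64-bit PowerShell session on 64-bit Windows.
function Get-MessageFileCoverage {
    param([string[]]$LogName = @('Application', 'System'))

    if (-not [Environment]::Is64BitProcess) {
        throw 'Run from a 64-bit process: a 32-bit one sees System32 redirected.'
    }
    $root  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $wow64 = Join-Path $env:SystemRoot 'SysWOW64'

    foreach ($log in $LogName) {
        $sources = Get-ChildItem -Path (Join-Path $root $log) -ErrorAction SilentlyContinue
        foreach ($src in $sources) {
            # GetValue expands REG_EXPAND_SZ, e.g. %SystemRoot%\System32\x.dll
            $value = $src.GetValue('EventMessageFile')
            if (-not $value) { continue }
            # One value may name several libraries separated by ';'
            $files = $value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            foreach ($file in $files) {
                $inSys32 = $file.StartsWith($sys32 + '\', [StringComparison]::OrdinalIgnoreCase)
                # Path a 32-bit process ends up at after WOW64 redirection.
                # WOW64 exempts a few System32 subdirectories; not handled here.
                $view32 = if ($inSys32) {
                    Join-Path $wow64 $file.Substring($sys32.Length + 1)
                } else { $file }
                [pscustomobject]@{
                    Log         = $log
                    Source      = $src.PSChildName
                    MessageFile = $file
                    Exists64    = Test-Path -LiteralPath $file
                    Path32      = $view32
                    Exists32    = Test-Path -LiteralPath $view32
                }
            }
        }
    }
}

# Sources whose library is present for 64-bit readers but missing for 32-bit ones
Get-MessageFileCoverage |
    Where-Object { $_.Exists64 -and -not $_.Exists32 } |
    Sort-Object Log, Source |
    Format-Table Log, Source, MessageFile -AutoSize
```

A source listed here is one whose events a 32-bit reader may show without message text; whether that happens in practice still depends on how the reader calls the API, as the message notes.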
> -----Original Message-----
> From: loganalysis-bounces at loganalysis.org [mailto:loganalysis-
> bounces at loganalysis.org] On Behalf Of Eric Fitzgerald
> Sent: Wednesday, April 11, 2007 10:29 PM
> To: loglist at heysoft.de; loganalysis at loganalysis.org
> Subject: RE: [logs] Some remarks regarding Vista's event logging
>
> Frank, it appears that your test machine was upgraded (perhaps multiple
> times) from pre-release version of Windows and that THAT had been
> upgraded from Windows XP, and that your registry contains entries that
> were bugs in pre-release versions that are not present in RTM.
>
> I would encourage you to repeat your test on a clean, new installation
> of a RTM Windows Vista machine (not an upgrade from a beta), and report
> any problems that still remain.
>
> We know that Windows XP's Event Viewer does NOT have full support for
> uplevel logs, and it probably never will, but things are not quite as
> bad as you describe.
>
> Best regards,
> Eric
>
>
> -----Original Message-----
> From: loganalysis-bounces at loganalysis.org
> [mailto:loganalysis-bounces at loganalysis.org] On Behalf Of Frank Heyne
> Sent: Wednesday, April 11, 2007 1:58 AM
> To: loganalysis at loganalysis.org
> Subject: Re: [logs] Some remarks regarding Vista's event logging
>
> > You can't look at a Vista event log on an XP.
>
> This is not entirely true:
> 1. You can look at the Application, System and Security log of a Vista
> machine from NT 5 very well, (and much better than the Event Viewer does,
> by the way).
> 2. You could look at the other logs mentioned in the article as well, if
> the Registry values would not be as buggy as they are.
> 3. You could look at all Vista logs from NT 5 if the OpenEventlog function
> would work as documented (that is, would open all event files under
> Vista)
>
> As I wrote at the end of the article, the logs mentioned do not work at
> all, because Vista does not write any events into them. So it does not
> matter from where you want to open them.
>
>
> > Service pack has nothing to do with this issue..
>
> I would not wonder when the errors in the Registry would go away with SP1
> of Vista ;-)
>
>
> > I can't look at my Vista group policy settings on my 2k3 box, I have to
> > manage Vista group policies from a Vista workstation as well.
>
> I could imagine Microsoft will provide the ADM files soon.
> Currently there is no server version of NT 6 available, so they will care
> to provide a comfortable way for such customers who want to use Vista
> already, won't they?
> Is it too much of a wish when the admin wants to be able to administer a
> domain from one machine?
>
> Microsoft already was forced to provide Winhlp32 for Vista, sure they will
> provide Vista ADM files for W2K3 and remove some bugs as well ;-)
>
> > Frank Heyne wrote:
> > > May be this is new for you, may not:
> > > http://www.heysoft.de/Frames/Vista_Remarks1_en.htm
>
> Have fun
> Frank Heyne
> http://www.heysoft.de/
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis