Solarwinds Event Log Forwarder for Windows issues

I installed the tool on a Windows 2012 R2 server. Set up the subscription (Basic events: Application, System, Security). Logs are going to my SolarWinds Orion syslog server (which we paid for). I can see the logs in the syslog server, but I don't get the expected info I want. I get the following info from the logs:

<Servername> MSWinEventLog 6 System 9389 Tue Apr 24 15:14:38 2018 7036 Service Control Manager N/A Information  <Servername> 0 The description for Event ID 7036 from source Service Control Manager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: Windows Update. FormatMessage failed with error 15033, The locale specific resource for the desired message is not present.

OR

<Servername> MSWinEventLog 5 Security 9387 Tue Apr 24 15:08:08 2018 4624 Microsoft-Windows-Security-Auditing N/A Audit Success <Servername> 12544 The description for Event ID 4624 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: S-1-0-0. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.

OR

<Servername> MSWinEventLog 6 System 9374 Tue Apr 24 14:54:35 2018 16 Microsoft-Windows-Kernel-General S-1-5-18 N/A Information <Servername> 0 The description for Event ID 16 from source Microsoft-Windows-Kernel-General cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 33. FormatMessage failed with error 15100, The resource loader failed to find MUI file.

I get different severity levels (Info, Notice, Warning) but the same error messages.

Any ideas?

  • Hi there - I'm having a very similar issue. I'm using SolarWinds Kiwi SysLogger (paid for), and I've set up the Event Log Forwarder on a couple of Windows 2012 R2 servers and this is what I'm getting forwarded:

    <servername> MSWinEventLog   5   Security   2784   Wed Apr 25 10:13:06 2018   4663   Microsoft-Windows-Security-Auditing      N/A   Audit Success   <servername>   12800   The description for Event ID 4663 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: S-1-5-21-65952106-316416316-5522801-3136. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.

    I tried logging a ticket with support - but they've basically told me that they don't provide support for the Event Log Forwarder as it's free software.

    The events are showing correctly in the local event viewer on the servers.

  • For us this occurs when the version of Log forwarder is version 1.2 and Region > Administrative > Language for non-Unicode programs (system locale) is "not" set to English (United States).

    e.g. we sometimes need to set to English (Australia). The fix prior to Windows 2016 was to either change Locale back to United States OR revert to Log forwarder v1.1.19 client which doesn't exhibit this issue. In Windows Server 2016 I'm not sure 1.1.19 works at all given its age.

    I think a response such as it's free and therefore not supported is steep given we pay for the Syslog back end server software to pair with it.  You either maintain it or state it's no longer being developed.

  • We are getting the same issue on Server 2016, for example:

    The description for Event ID 10016 from source Microsoft-Windows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: application-specific. FormatMessage failed with error 15033, The locale specific resource for the desired message is not present."

    We were also told by SolarWinds support it was not supported and they would not help. I found that if you set the system locale for non-Unicode programs to English (United States) on all servers then the messages are correctly displayed in syslog viewer.

  • I can confirm that changing the Non-Unicode Language to English (United States) does work for Windows Server 2016. All of our servers were set to English (United Kingdom) previously.
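To find which forwarding hosts are affected, the received syslog messages can be scanned for the "FormatMessage failed" text shown in this thread. The script below is an added example, not part of the original posts and not SolarWinds code; the host names and sample lines are constructed, with space-separated fields as they appear on this page.

```python
import re
from collections import defaultdict

# Header as shown in the thread: <host> MSWinEventLog <n> <log name> <record no.> ...
HEADER = re.compile(r"^(?P<host>\S+)\s+MSWinEventLog\s+\d+\s+(?P<log>\S+)\s+\d+\s")
# Placeholder text the forwarder sends when the event description cannot be rendered.
FAILED = re.compile(
    r"The description for Event ID (?P<event_id>\d+) from source (?P<source>.+?) "
    r"cannot be found\..*?included with the event: (?P<data>.*?)\. "
    r"FormatMessage failed with error (?P<error>\d+)", re.S)

def parse_line(line):
    """Return host/log plus failure details, or None if not an MSWinEventLog line."""
    head = HEADER.match(line)
    if not head:
        return None
    rec = {"host": head["host"], "log": head["log"], "failed": False}
    hit = FAILED.search(line)
    if hit:
        rec.update(failed=True, event_id=int(hit["event_id"]), source=hit["source"],
                   data=hit["data"], error=int(hit["error"]))
    return rec

def summarize(lines):
    """Per host: messages seen, failed renders, and the error codes and event IDs hit."""
    out = defaultdict(lambda: {"total": 0, "failed": 0, "errors": set(), "event_ids": set()})
    for rec in filter(None, map(parse_line, lines)):
        row = out[rec["host"]]
        row["total"] += 1
        if rec["failed"]:
            row["failed"] += 1
            row["errors"].add(rec["error"])
            row["event_ids"].add(rec["event_id"])
    return dict(out)

# Constructed sample input (hosts srv-a/srv-b are placeholders, boilerplate shortened).
_MID = " cannot be found. (...) The following information was included with the event: "
SAMPLE = [
    "srv-a MSWinEventLog 5 Security 9387 Tue Apr 24 15:08:08 2018 4624 Microsoft-Windows-Security-Auditing N/A Audit Success srv-a 12544 The description for Event ID 4624 from source Microsoft-Windows-Security-Auditing" + _MID + "S-1-0-0. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.",
    "srv-a MSWinEventLog 6 System 9389 Tue Apr 24 15:14:38 2018 7036 Service Control Manager N/A Information srv-a 0 The description for Event ID 7036 from source Service Control Manager" + _MID + "Windows Update. FormatMessage failed with error 15033, The locale specific resource for the desired message is not present.",
    "srv-b MSWinEventLog 6 System 120 Tue Apr 24 15:14:38 2018 7036 Service Control Manager N/A Information srv-b 0 The Windows Update service entered the running state.",
    "not an event log line",
]

if __name__ == "__main__":
    for host, row in summarize(SAMPLE).items():
        print(host, row)
```

Hosts with a non-zero `failed` count are the ones whose system locale setting is worth checking first.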
