SUMMARY
When viewing events from saved event logs, you may see the
following message:
   The description for Event ID (number) in Source (name) cannot be found.
   The local computer may not have the necessary registry information or
   message DLL files to display messages from a remote computer. The
   following information is part of the event:
Windows 2000 Event Viewer allows the user to save an event log as an .evt
file, which you can then copy and view on another computer as an event log
from Event Viewer for offline review. However, the event descriptions and
categories are only available if the computer that is running Event Viewer
has the components installed that generated the events in the event log;
otherwise, the message above is displayed when you attempt to view events.
In particular, the logs
for DNS, File Replication Service (FRS), and Directory Service are only legible
if the computer that is running Event Viewer is itself a Windows 2000 domain
controller. This condition also applies to other optional or third-party
components (such as Microsoft Exchange Server) that create their own event logs
or that write events to the System or Application logs.
In Whistler Server, Event Viewer contains the command-line switch
/auxsource= to facilitate the reading of saved event logs.
MORE INFORMATION
Event Viewer contains an implicit assumption that a saved
event log should be stored and viewed on the computer that generated the log.
The originating computer supports all the required log types and components to
display its own event logs. DNS, FRS, or Directory Service logs may not be
visible when you view them from computers other than the source
computer.
When you open a saved event log in Event Viewer, you select
the type of event log to use: Application, Security, System, and so forth. The
list of event log types is read from the computer that is hosting the .evt file
on a network share, and it is then combined with the list of event log types on
the computer that is running the Event Log Snap-in. If the saved event log is
on a remote computer on which you are not an administrator, or a remote
computer on which the Remote Registry Service is not running, Event Viewer
cannot retrieve information about the log types that are supported by the
remote computer. You definitely cannot retrieve event descriptions or
categories if the actual type of the log (for example, FRS, DNS or Directory
Service) does not appear in this list.
In addition, even if the correct log type is in this list,
some events may have been generated by components that were only installed on
the computer that generated the saved event log, and not on the local computer
or the computer that is hosting the .evt file. In this case, descriptions and
categories may be available for some events in the log and not for others.
The /AUXSOURCE Switch
With the /auxsource switch, which is used when you start the
Eventvwr.msc snap-in, you can specify the name of a Windows 2000 or Windows
XP domain controller that is authoritative for the log types and messages that
are contained in a saved event log. For example:
mmc /a eventvwr.msc /auxsource=name_of_reference_server
Point the /auxsource entry to the computer
(typically a domain controller or application server) that generated the saved
log file, or to a computer that has the same operating system version and
applications installed. Event Viewer reads the event log types and event
message information from the /auxsource computer, which allows log entries for
components installed on the /auxsource computer to be resolved. For example,
the /auxsource computer must have DNS installed to view saved DNS logs and
messages.
The event message support in Windows XP is expected to be a
superset of the Windows 2000 message strings, so by pointing the /auxsource
switch to a Windows XP-based domain controller, you should be able to view
messages in saved event logs from Windows 2000 and Windows XP-based computers.
Conversely, viewing saved event logs that originate from a Windows XP-based
computer while pointing the /auxsource switch to a Windows 2000 domain
controller may result in the error that is noted in the "Summary" section
of this article.
To view
event log messages beyond the base operating system, the /auxsource computer
should have the application that generates the event message installed, or the
required registry settings and message .dll files that are needed to view the
saved logs. In this way, administrators can build reference servers that
contain registry settings and message .dll files that are needed to view event
logs and messages of interest.
The /auxsource= computer can be
identified as follows:
EVENTVWR.MSC /AuxSource=ip address
EVENTVWR.MSC /AuxSource=fully qualified computername
EVENTVWR.MSC /AuxSource=netbios name
Credentials
You must be able to access the registry on the server that is
specified in the /auxsource= switch as an administrator. If you are not
logged on as an administrator on that server, you can run Event Viewer by
using the runas command, or you can establish a connection to the IPC$ share
of the /auxsource= computer by using the following command-line syntax:
net use \\servername\ipc$ /u:domainname\username *
Note: If the remote computer does not allow remote registry access
(possibly because the Remote Registry Service is not running), it will not work
as the /auxsource= computer even if you are an administrator on the remote
computer.
A failure to establish the security rights that are needed on the
/auxsource= computer is silent: no errors are displayed, and the only sign
is that the advanced log types do not appear in the Open log file dialog
box. In place of the IPC$ connection, you can create matching user names and
passwords in the domain of the /auxsource= server.
Performance
For best results, the client that is viewing saved event logs
should point to an /auxsource computer that is connected over a fast network
link and that is ideally in the same subnet and physical site. Using /auxsource
servers that are connected over slow links slows performance when you are
loading saved logs or scrolling through event messages with the UP and DOWN
arrow keys.
Artifacts in Event Log Messages
The /auxsource= workaround only applies when you receive the
following error message:
   The description for Event ID (number) in Source (name) cannot be found.
   The local computer may not have the necessary registry information or
   message DLL files to display messages from a remote computer. The
   following information is part of the event:
Other anomalies, which are unrelated to this issue, may occur when you are
viewing an event log. For example:
   Event Type: Warning
   Event Source: NtFrs
   Event Category: None
   Event ID: 13508
   Date: MM/DD/YYYY
   Time: HH:MM:SS AM|PM
   User: N/A
   Computer: source dc
   Description: The File Replication Service is having trouble enabling
   replication from source computer to destination computer for
   e:\winnt\sysvol\domain using the DNS name %4. FRS will keep retrying.
In this case, the "%4" appears in the
description text because there are only 3 actual strings in the additional
data. This is a minor error in the software component that generated the event
log message, or it is possibly a compatibility issue between the version of the
software component which generated the event log message, and the version of
the software component running on the local computer or the /auxsource=
computer.
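The two cases distinguished above, as an added example that is not part of the original article or of any Microsoft code: a simplified Python model of how a viewer builds a description from a saved record and a locally available message template. The template table, the DNS event ID 9999, the computer names DC1 and DC2, and the layout of the fallback text are constructed assumptions.

```python
import re

# Constructed message table standing in for the registry entries and message
# DLLs of the viewing (or /auxsource) computer: (source, event ID) -> template.
TEMPLATES = {
    ("NtFrs", 13508): (
        "The File Replication Service is having trouble enabling replication "
        "from %1 to %2 for %3 using the DNS name %4. FRS will keep retrying."
    ),
}
PLACEHOLDER = re.compile(r"%(\d+)")


def render(source, event_id, strings, templates=TEMPLATES):
    """Return (status, text) for one saved-log record.

    status is 'ok', 'no_template' (the case /auxsource addresses) or
    'unfilled' (a placeholder with no matching insertion string, which a
    reference server cannot repair).
    """
    template = templates.get((source, event_id))
    if template is None:
        # Only the raw insertion strings stored in the saved record survive.
        text = (f"The description for Event ID ({event_id}) in Source "
                f"({source}) cannot be found. The following information is "
                f"part of the event: {', '.join(strings)}")
        return "no_template", text
    missing = []

    def substitute(match):
        index = int(match.group(1))
        if 1 <= index <= len(strings):
            return strings[index - 1]
        missing.append(index)
        return match.group(0)  # leave "%4" in place, as in the article

    text = PLACEHOLDER.sub(substitute, template)
    return ("unfilled" if missing else "ok"), text


# Constructed records: the NtFrs event carries only three insertion strings.
FRS_RECORD = ("NtFrs", 13508, ["DC1", "DC2", r"e:\winnt\sysvol\domain"])
# Hypothetical source/ID pair that has no template on the viewing computer.
DNS_RECORD = ("DNS", 9999, ["example-zone"])
```

When triaging a saved log offline, records in the 'no_template' state are the ones worth re-opening against a reference server; 'unfilled' records already carry everything the originating component logged.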
Using the Windows XP Els.dll File in Windows 2000-Based Computers
The /auxsource= switch has no effect on Windows 2000-based computers. The
Windows XP Els.dll file that enables the /auxsource= switch is not supported
by Microsoft on Windows 2000-based computers. If you copy the Windows XP
Els.dll file to a Windows 2000-based computer, and then you open Event
Viewer, you receive the following error message:
   "snap-in failed to initialize". Name: event Viewer CLSID: {975797fc-4e2a-11d0-b702-00c0rfd8dbf7
Event Logs on a Cluster Server (MSCS)
All nodes in a cluster replicate event log entries to each other.