NT Security Event log problems with MsAuditE.dll

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
david.matthewson
Posts: 94
Joined: Tue Oct 24, 2006 12:45 pm

Post by david.matthewson »

Setup:

HostMon 9.x running on Win2008 x64 R2 box.
No RMAs
An old installation which has been working OK for a long time.

I set up a new test.

Looking at the Security log on a Win2003 box and looking for 'bad password' entries.

What happens?

The test 'works' with no errors but rather than returning the correct error msg from the log it returns a blank template with % parameters and the message "Not enough insertion data for the message (MsAuditE.dll). "

Observations:
Now I thought that this was caused by the MsAuditE.dll being the wrong version and thus not having the correct strings to populate the message and as such it occurred only if the MS system with the error was newer than that running the copy of hostmon - say running HostMon on a 2003 box which was looking at event logs on a 2008 box. But our setup is the other way around.

Alex - any thoughts please?

Thanks!
david.matthewson
Posts: 94
Joined: Tue Oct 24, 2006 12:45 pm

Post by david.matthewson »

Just to add to this, if I use Eventvwr on the 2008 box that runs HM and point it at the 2003 box it correctly 'sees' failed logon attempts. Which to me suggests the dll on the 2008 box can interpret the 2003 eventlog correctly.

Perhaps I should try setting up an RMA on the 2003 box..?

Thanks.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Yes, this error is caused by a DLL version mismatch
---------
Known problems

3rd party DLLs version mismatch
When HostMonitor calls Windows API to format an event description, Windows does not check the accordance between the number of variables in a template (that is stored in a resource file) and the number of variables stored in an event log. This could lead to access violation errors when some software was installed or updated incorrectly (e.g. version mismatch between different DLLs).
HostMonitor checks the template (retrieved from the DLL) and verifies the number of insertion strings before calling Windows API. If a problem is detected, HostMonitor shows a "Not enough insertion data for the message <dllname>" error in the Reply field of the test.

Solution:
If there is a DLL version mismatch (described above), you may copy the appropriate DLL (e.g. copy the file from another system) into the <HostMonitor>\EventLogDlls\ directory. If HostMonitor detects a DLL in the EventLogDlls subdirectory, this DLL will be used instead of the installed DLL (installed DLL - the DLL that is specified in the system registry under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log name>\<event source name> key).
---------

If you check only old systems, you may copy the DLL from a Windows 2003 system into the <HostMonitor>\EventLogDlls\ directory.
But I assume you need to check various systems; then I think the best solution is to use an RMA installed on some Windows 2003 system to check old systems for this event.

Regards
Alex
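
The pre-check described in the reply above (work out how many insertion strings a message template needs before handing it to the Windows formatting API) can be sketched as follows. This is an added example, not HostMonitor's code: the function names and the sample template are constructed, and it models the documented FormatMessage escape sequences for the argument-array case.

```c
#include <ctype.h>
#include <stdio.h>

/* Highest argument index a FormatMessage-style template reads (argument-array
   mode), or -1 if a !spec! is unterminated. */
int required_inserts(const char *tmpl)
{
    int need = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '\0')
            break;                       /* stray '%' at end of template */
        if (!isdigit((unsigned char)*p))
            continue;                    /* %%, %n, %t, %r, %b, %. and similar */
        int idx = *p - '0';              /* insert numbers run 1..99 */
        if (isdigit((unsigned char)p[1]))
            idx = idx * 10 + (*++p - '0');
        if (idx == 0)
            break;                       /* %0 ends the message */
        if (p[1] == '!') {               /* optional printf-style spec */
            for (p += 2; *p && *p != '!'; p++)
                if (*p == '*')
                    idx++;               /* '*' takes width/precision from the next argument */
            if (*p == '\0')
                return -1;
        }
        if (idx > need)
            need = idx;
    }
    return need;
}

/* 1 if the event record carries enough insertion strings for the template. */
int enough_insertion_data(const char *tmpl, int num_strings)
{
    int need = required_inserts(tmpl);
    return need >= 0 && num_strings >= need;
}

int main(void)
{
    /* Constructed template and string counts, not taken from MsAuditE.dll. */
    const char *tmpl = "Logon Failure:%n%tReason:%t%1%n%tUser Name:%t%2%n%tDomain:%t%3";
    printf("needs %d inserts\n", required_inserts(tmpl));
    printf("record with 2 strings: %s\n", enough_insertion_data(tmpl, 2) ? "format" : "reject");
    printf("record with 3 strings: %s\n", enough_insertion_data(tmpl, 3) ? "format" : "reject");
    return 0;
}
```

A record that fails this check is the case where the formatting call would read past the end of the insertion-string array, so the safe result is an error string rather than a formatted description.
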
david.matthewson
Posts: 94
Joined: Tue Oct 24, 2006 12:45 pm

Post by david.matthewson »

Alex

Thanks for the prompt & helpful reply. I'll do as you suggest and set up an RMA on the old W2003 box so I can still work with 2008 & 2012 servers.

Many thanks

D.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

You are welcome

Regards
Alex