Test : Policy change on server (Server)
Method: check NT Event Log
Status : Unknown
Date : 4/30/2010 4:10:54 PM
Reply : System Error. Code: 87.
The parameter is incorrect
In this security test I put the event ID`s manualy into Hostmonitor. but it keep reply to back with this error msg. I realy want to know how to fix this issue and to get the right reply .
System Error Code 87
I know this is old but it makes sense to post here.
I have the same issue sort of.
Environment:
Server 2008 R2 SP1
HM v8.86 Agent v4.15
Event log configured to monitor event id 4625 "An account failed to log on".
Log Source
Log/Channel: Security
Event Source: Microsoft-Windows-Security-Auditing
Alert Condition
Event Type: Failure Audit
Event Id: 4625
This works fine but when other events are triggered comes
Reply: RMA: 301 - System Error. Code: 87
In this particular case the event in the security log at the same time hm reported the "error reply" was
I guess the questions are:
Should hm ignore this event?
Does this particular security event have something to do with the operation of the agent or test? If so, what is the relation?
Is this a proper descriptive response from the agent?
This behavior is seen on other servers but this is the starting point of my investigation.
Regards
I have the same issue sort of.
Environment:
Server 2008 R2 SP1
HM v8.86 Agent v4.15
Event log configured to monitor event id 4625 "An account failed to log on".
Log Source
Log/Channel: Security
Event Source: Microsoft-Windows-Security-Auditing
Alert Condition
Event Type: Failure Audit
Event Id: 4625
This works fine but when other events are triggered comes
Reply: RMA: 301 - System Error. Code: 87
In this particular case the event in the security log at the same time hm reported the "error reply" was
Code: Select all
Windows Firewall did not apply the following rule:
Rule Information:
ID: CoreNet-Teredo-In
Name: Core Networking - Teredo (UDP-In)
Error Information:
Reason: Local Port resolved to an empty set.Should hm ignore this event?
Does this particular security event have something to do with the operation of the agent or test? If so, what is the relation?
Is this a proper descriptive response from the agent?
This behavior is seen on other servers but this is the starting point of my investigation.
Regards
Unknown status means HostMonitor/RMA cannot perform test due to some problem.
Reply "RMA: 301 - System Error. Code: 87" means Windows API return error code 87. HostMonitor/RMA cannot check Event Log records at all.
According to Microsoft there were bug in Windows NT 4.0
======================
The ReadEventLog() Win32 API function might fail and GetLastError() returns 87 (ERROR_INVALID_PARAMETERS) while having all valid parameters passed to ReadEventLog().
This problem is only encountered when the .EVT file is 2MB in size or larger.
Microsoft has confirmed this to be a bug in the Microsoft products. We are researching this bug and will post new information here in the Microsoft Knowledge Base as it becomes available.
======================
Unfortunatelly we cannot find official (Microsoft) document with updated status of this problem. While other programmers said there is still problem in Windows 2000/XP.
Not sure about Windows 2008...
What is the size of your event log file?
What "log size" options do you use?
- Overwrite events as needed
- Overwrite events older than...
- Do not overwrite
Regards
Alex
Reply "RMA: 301 - System Error. Code: 87" means Windows API return error code 87. HostMonitor/RMA cannot check Event Log records at all.
According to Microsoft there were bug in Windows NT 4.0
======================
The ReadEventLog() Win32 API function might fail and GetLastError() returns 87 (ERROR_INVALID_PARAMETERS) while having all valid parameters passed to ReadEventLog().
This problem is only encountered when the .EVT file is 2MB in size or larger.
Microsoft has confirmed this to be a bug in the Microsoft products. We are researching this bug and will post new information here in the Microsoft Knowledge Base as it becomes available.
======================
Unfortunatelly we cannot find official (Microsoft) document with updated status of this problem. While other programmers said there is still problem in Windows 2000/XP.
Not sure about Windows 2008...
What is the size of your event log file?
What "log size" options do you use?
- Overwrite events as needed
- Overwrite events older than...
- Do not overwrite
Regards
Alex