Microsoft_Vista_and_Win_2008_Svr_v4.4.11 collector parses the events incorrectly
Created: 22 Feb 2013 | Updated: 22 Feb 2013 | 5 comments
Hello, friends!
I installed the ssim agent 4.7.1 and the Microsoft_Vista_and_Win_2008_Svr_v4.4.11 collector on a Win2008 R2 Domain Controller.
Somehow... I configured the collector to pull events from the DC to SSIM.
But when I ran the query via the ssim console I saw that all events have the same "severity-ID" and wrong "category" parsing. I mean that all of the "system" and "application" Windows events have the same category - "Application", although the "vendor id" field contains the real value of these events.
The Windows event that I identified in the picture must have a "severity-id" higher than "1-information" (it must have the "5" or "4" type).
Is there some KB for this issue? What is the latest release number of the Microsoft_Vista_and_Win_2008_Svr_v4.4.11 collector?
p/s: From the Microsoft_Vista_and_Win_2008_Svr_v4.4.11 "collector.properties" file:
#Fri Feb 27 08:49:44 PST 2009
BuildType=indiv
FrameworkBuild=52
ProductVersion=4.40.00
SoftwareFeatureID=33010101
BuildNumber=11
FrameworkVersion=2.42.00
Hi,
First of all, you should run liveupdate because collector.properties content indicates that you have base installation without any further fixes.
Secondly, the Category ID field isn't for Windows events - it belongs to the Common Event Class and it is used across all collectors of all types. It cannot reflect the source of Windows events - you have the Windows Source Eventlog field for this.
According to the collector's documentation, the Vendor Severity field should have "The criticality of the event as provided by the Windows logging".
So if critical events are collected as Warnings it's a mistake and you should contact support for further information.
Regards
OK, then I have the next question: can you clarify whether it is possible to move upgraded collector files from an on-box collector (or another off-box collector installed on another PC that has a connection to the internet) to my Win2008 R2 off-box installed collector?
thanks in advance!
Well, it may work.
I did it once but with another collector and everything worked fine, but you need to keep in mind that this is an unsupported operation.
As far as I remember the most important files are:
[AGENT_HOME_DIR]\collectors\msvista\config.xml
[AGENT_HOME_DIR]\collectors\msvista\workinggroup0.xml
[AGENT_HOME_DIR]\collectors\msvista\collector.properties
[AGENT_HOME_DIR]\collectors\msvista\collector.xml
[AGENT_HOME_DIR]\collectors\msvista\lib\vista_translator_plugin.jar
[AGENT_HOME_DIR]\collectors\lib\wsmanagement.jar
good luck!
I have done the msvista collector liveupdate; at this time the collector.properties file contains the following information:
Severity ID values aren't the same values as Windows severity.
It's a very similar situation to Category ID - the Severity ID field belongs to the Common Event Class and it's also used across all collectors of all types. Or at least it should be.
As it's written in the documentation, the original severity should be mapped into the Vendor Severity field; if it isn't, then you should ask support "why?".
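The two replies above make the same point about Category ID and Severity ID: both are Common Event Class fields shared by every collector, while the Windows-specific information should land in Vendor Severity and Windows Source Eventlog. The script below is an added example for this thread, not Symantec's collector code. It parses events in the shape the Windows Event Viewer shows under "XML View", derives the vendor severity from Microsoft's documented Level numbers (1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose), and flags collector records whose fields disagree with the source event, which is the kind of check that turns "everything is 1-information" into a concrete list for a support ticket. The sample events, the collector records and the NORMALIZED_SEVERITY table are constructed for the example; the severity-ID scale in particular is an assumption, not SSIM's real table.

```python
"""Cross-check Windows event log levels against the fields a collector
emitted for the same events.

Added example for the thread above; not Symantec's collector code.
WINDOWS_LEVELS follows Microsoft's documented Level values.
NORMALIZED_SEVERITY is an assumed scale for illustration only.
"""
import xml.etree.ElementTree as ET

WINDOWS_LEVELS = {1: "Critical", 2: "Error", 3: "Warning",
                  4: "Information", 5: "Verbose"}

# Assumed normalized scale (higher = more severe). Replace with the one
# your SIEM actually documents; this is not SSIM's real severity-ID table.
NORMALIZED_SEVERITY = {"Critical": 5, "Error": 4, "Warning": 3,
                       "Information": 1, "Verbose": 1}

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events in the Event Viewer "XML View" shape.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Kernel-General"/>
  <EventID>1001</EventID><Level>2</Level><Channel>System</Channel></System>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ExampleApp"/>
  <EventID>2002</EventID><Level>4</Level><Channel>Application</Channel></System>
</Event>""",
]

# Constructed records mimicking the faulty output the thread describes:
# every event lands at severity 1 with source eventlog "Application".
COLLECTOR_RECORDS = [
    {"event_id": 1001, "source_eventlog": "Application",
     "vendor_severity": "Information", "severity_id": 1},
    {"event_id": 2002, "source_eventlog": "Application",
     "vendor_severity": "Information", "severity_id": 1},
]


def parse_event(xml_text):
    """Return the fields the check needs from one Windows event XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    level = int(system.findtext("e:Level", namespaces=NS))
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "level": level,
        "vendor_severity": WINDOWS_LEVELS.get(level, "Unknown"),
    }


def check_record(event, record):
    """List the ways a collector record disagrees with the source event."""
    findings = []
    if record["source_eventlog"] != event["channel"]:
        findings.append("source eventlog %r != channel %r"
                        % (record["source_eventlog"], event["channel"]))
    if record["vendor_severity"] != event["vendor_severity"]:
        findings.append("vendor severity %r != Windows level %d (%s)"
                        % (record["vendor_severity"], event["level"],
                           event["vendor_severity"]))
    # Unknown levels map to the lowest assumed severity so they still get checked.
    expected = NORMALIZED_SEVERITY.get(event["vendor_severity"], 1)
    if record["severity_id"] < expected:
        findings.append("severity id %d below expected %d"
                        % (record["severity_id"], expected))
    return findings


def run_check(xml_events, records):
    """Pair events with records by event id; return {event_id: findings}."""
    by_id = {r["event_id"]: r for r in records}
    results = {}
    for xml_text in xml_events:
        event = parse_event(xml_text)
        record = by_id.get(event["event_id"])
        if record is None:
            results[event["event_id"]] = ["no collector record (event dropped?)"]
        else:
            results[event["event_id"]] = check_record(event, record)
    return results


if __name__ == "__main__":
    for event_id, findings in run_check(SAMPLE_EVENTS, COLLECTOR_RECORDS).items():
        print(event_id, findings or "ok")
```

Run against a real export, the findings for the Error event (channel System, Level 2) should be empty once the collector fix is in place; if Vendor Severity still reads "Information" after liveupdate, that list is exactly what the replies above suggest handing to support.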