Unable to access System & Application logs


Amit Kaushal

Hi,

I have a Windows 2000 domain with 2 DCs, both of them have SP4
installed.

After I did a reboot about 2 days back, I am unable to access the
System & Application logs on both the servers. I am logged in as the
administrator.
I can view the Security log, Directory Service, DNS Server and File
Replication Service without any issues. I am unable to access the
above mentioned 2 logs even if I am accessing them from the server.


Any pointers/ help will be highly appreciated.

TIA
Best Regards
amit kaushal
(e-mail address removed)
 
See if you can clear those logs, which you may be able to do even if you
cannot access them in case of corruption, though it would be unusual for that
to happen to both DCs at the same time. Check the group membership of your
account to make sure it is not a member of the Guests group, as guests may be
blocked from accessing those logs by Group Policy [stranger things have
happened]. Check the NTFS permissions on the .evt logs on the DCs to make
sure administrators have allow permissions and no deny permissions. ---
Steve
 
Hi Steve,

Thanks, as suggested by you, I went and checked the permissions for
administrator; they are correct :-( Anything else?

Please check the link below and suggest if I should try it:

http://www.windowsnetworking.com/kb...gs/HowtoDeleteCorruptEventViewerLogFiles.html

It suggests this, assuming the .evt file is corrupt:
One of the .evt files is corrupt. You will not be able to rename or
delete Sysevent.evt, Appevent.evt, or Secevent.evt since they are
always in use by the system. The EventLog service cannot be stopped
because it is required by other services. If you can start a registry
editor locally or if you have remote registry access, change the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Start
value from 0x02 to 0x04 and reboot. Various services will fail at
reboot. Delete the event logs, %SystemRoot%\system32\config\*.evt.
Change the Start value back to 0x02 and reboot. The system will
automatically generate new, clear logs.



BTW the servers are in a production environment.

Best Regards
amit



 
Amit,

Yes, the procedure you referenced would be the way to clear out the corrupt
evt files. It is also documented in MS KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

However, note this process requires at least one reboot, so you would need to
schedule a reboot for this, as you noted it to be a production server, or make
the change so the event log service will then not start on the next scheduled
reboot. Then you can take care of the files and then just change the service
back as described in article 172156.

Also you may want to review this article for a possible hotfix in case the
issue is with event logs becoming full:
http://support.microsoft.com/default.aspx?scid=kb;en-us;829246
This version of eventlog.dll is
16-Oct-2003 04:31 5.0.2195.6866 47,376 Eventlog.dll

Check the properties of your eventlog.dll file to see if yours is an earlier
version. If you run into this issue when your logs become full then you may
want to call MS to request it. The call would be free.

-Joe Tuck
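
A read-only sanity check that could be run on copies of the .evt files taken while the EventLog service is disabled, before deleting them as in the procedure discussed above, so the originals are preserved and corruption is confirmed rather than assumed. This is an added example, not part of any post in this thread; it assumes the legacy header layout (ELF_LOGFILE_HEADER) from Microsoft's documented event log file format, and the function names and sample data are constructed here.

```python
import struct

ELF_SIGNATURE = 0x654C664C   # stored on disk as the bytes "LfLe"
HEADER_SIZE = 0x30           # twelve little-endian DWORDs
FLAGS = {0x1: "DIRTY", 0x2: "WRAP", 0x4: "LOGFULL_WRITTEN", 0x8: "ARCHIVE_SET"}
FIELDS = ("header_size", "signature", "major", "minor", "start_offset",
          "end_offset", "current_record", "oldest_record", "max_size",
          "flags", "retention", "end_header_size")

def check_evt_header(data: bytes) -> dict:
    """Parse the 48-byte ELF_LOGFILE_HEADER and list structural problems."""
    if len(data) < HEADER_SIZE:
        return {"header": None, "flags": [],
                "problems": ["file shorter than the 48-byte header"]}
    hdr = dict(zip(FIELDS, struct.unpack_from("<12I", data, 0)))
    problems = []
    if hdr["signature"] != ELF_SIGNATURE:
        problems.append("bad signature (expected 'LfLe')")
    if hdr["header_size"] != HEADER_SIZE or hdr["end_header_size"] != HEADER_SIZE:
        problems.append("header length fields are not 0x30")
    if (hdr["major"], hdr["minor"]) != (1, 1):
        problems.append("unexpected format version")
    for name in ("start_offset", "end_offset"):
        if not HEADER_SIZE <= hdr[name] <= len(data):
            problems.append(f"{name} points outside the file")
    flags = [label for bit, label in FLAGS.items() if hdr["flags"] & bit]
    if "DIRTY" in flags:
        problems.append("DIRTY flag set: log was not closed cleanly")
    return {"header": hdr, "flags": flags, "problems": problems}

def make_sample(signature=ELF_SIGNATURE, flags=0, size=0x10000):
    """Constructed sample: header of an empty 64 KiB log, not a real server file."""
    hdr = struct.pack("<12I", HEADER_SIZE, signature, 1, 1, 0x30, 0x30,
                      1, 0, size, flags, 604800, HEADER_SIZE)
    return hdr + b"\x00" * (size - HEADER_SIZE)

if __name__ == "__main__":
    for label, blob in (("clean", make_sample()),
                        ("dirty", make_sample(flags=0x1)),
                        ("zeroed", b"\x00" * 0x10000)):
        print(label, check_evt_header(blob)["problems"])
```

A file that passes this check but still cannot be opened points away from file corruption and toward the permission checks suggested elsewhere in the thread.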

 
Take a look at Joe's post also. While corruption is a possibility it seems
strange to me that it would happen to two servers at the same time, but you
won't know until you try it and it would rule out that possibility. If the
logs are corrupt you still may be able to clear them and then access them
until they fill up again. Also take a look at the link below for some
registry settings to check. For instance compare the permission settings
[including advanced] on the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application
key to that on the keys for logs you can access. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323076

 
Hi there, I also have about the same problem: I cannot access event logs
remotely, however they are accessible locally on the server. The message is
"access is denied" when trying to open one of the event logs from another
machine.

Also 'just happened after a reboot' ...
--
MCSE Admin for medium organisation

