Jump to content

ERA 5 - Log forwarding - Event 503


Go to solution Solved by jacortijo,

Recommended Posts

Hi,

 

I am trying to forward the logs to the OS event log and I cannot do it. I am using a Win2008 server and a client Windows 7.

 

Once activating the forwarding, I only see two ERA_SERVER events 500 and 503.  The related to the infection looks seems to be the 503. See below.

 

Does anyone knows what is going on? some that I need to install? the event says that some component is missing in the computer....

 

Thanks in advance.

Jose

 

-----------------------

 

Nombre de registro:Application
Origen:        ERA_SERVER
Fecha:         22/06/2015 7:59:55
Id. del evento:503
Categoría de la tarea:Ninguno
Nivel:         Información
Palabras clave:Clásico
Usuario:       No disponible
Equipo:        ALC-TEST.finalin.es
Descripción:
No se encuentra la descripción del id. de evento 503 en el origen ERA_SERVER. El componente que provoca este evento no está instalado en el equipo local, o bien la instalación está dañada. Puede instalar o reparar el componente en el equipo local.
 
Si el evento se originó en otro equipo, la información que se va a mostrar tenía que haberse guardado con el evento.
 
Se incluyó la siguiente información con el evento:
[2015-06-22 07:59:55.898] V3 [000000000006] [00080023] <notification>    BEFORE:
    Active: 1
    Name: #!$Forward Threat Log$!#
    Type: 7
    Description: Pre-defined rule
    Priority: 4
    Trigger Date: 0000-00-00 00:00:00
    Last Triggered: 0000-00-00 00:00:00
 
 
El recurso de mensaje está presente, pero el mensaje no se encuentra en la tabla de cadenas o mensajes
 
XML de evento:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ERA_SERVER" />
    <EventID Qualifiers="16384">503</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-22T05:59:55.000Z" />
    <EventRecordID>2261</EventRecordID>
    <Channel>Application</Channel>
    <Computer>ALC-TEST.finalin.es</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[2015-06-22 07:59:55.898] V3 [000000000006] [00080023] <notification>    BEFORE:
    Active: 1
    Name: #!$Forward Threat Log$!#
    Type: 7
    Description: Pre-defined rule
    Priority: 4
    Trigger Date: 0000-00-00 00:00:00
    Last Triggered: 0000-00-00 00:00:00
</Data>
  </EventData>
</Event>

Link to comment
Share on other sites

  • Administrators

If you look at the Logging tab, there's no section called Threat log.  There is Audit log, Server log and Debug log. Only the first two can be set to log to the operating system's log.

Link to comment
Share on other sites

Hi Marcos, I know... those settings are in the Tools -->Server Options-->Logging tab and I already checked both to "Log to OS application log"....

Then in the Thread log there is a check called Forwarding and I also checked it.

 

After doing both things, visiting the eicar site to test the detection... it doesn't generate any specific event log in the OS application log...

see the attachments.

 

Thanks.

Jose

post-7275-0-97211900-1434980243_thumb.png

post-7275-0-57995700-1434980259_thumb.jpg

Link to comment
Share on other sites

  • Administrators

The option is called "Threat forwarding to syslog". Not sure if you are using a syslog server, probably not as you don't have any of the "Log to syslog" boxes selected.

Link to comment
Share on other sites

  • Solution

Yes , I used syslog server and it worked. The option to log into the Os event logger is not working neither in Win2003 nor W2008.

thanks.

Link to comment
Share on other sites

  • 9 months later...

If the option to log into Event Logger is not working may be the Application is corrupted. Try reinstalling  a new copy or try Event Log Explorer for better Event Log management and Log Forwarding as Windows Event viewer lacks advanced features in Win 7 and WIN 10.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...