ERA 5 - Log forwarding - Event 503

[jacortijo 0]

Hi,

 

I am trying to forward the logs to the OS event log and I cannot do it. I am using a Win2008 server and a client Windows 7.

 

Once activating the forwarding, I only see two ERA_SERVER events 500 and 503.  The related to the infection looks seems to be the 503. See below.

 

Does anyone knows what is going on? some that I need to install? the event says that some component is missing in the computer....

 

Thanks in advance.

Jose

 

-----------------------

 

Nombre de registro:Application
Origen:        ERA_SERVER
Fecha:         22/06/2015 7:59:55
Id. del evento:503
Categoría de la tarea:Ninguno
Nivel:         Información
Palabras clave:Clásico
Usuario:       No disponible
Equipo:        ALC-TEST.finalin.es
Descripción:
No se encuentra la descripción del id. de evento 503 en el origen ERA_SERVER. El componente que provoca este evento no está instalado en el equipo local, o bien la instalación está dañada. Puede instalar o reparar el componente en el equipo local.
 
Si el evento se originó en otro equipo, la información que se va a mostrar tenía que haberse guardado con el evento.
 
Se incluyó la siguiente información con el evento:
[2015-06-22 07:59:55.898] V3 [000000000006] [00080023] <notification>    BEFORE:
    Active: 1
    Name: #!$Forward Threat Log$!#
    Type: 7
    Description: Pre-defined rule
    Priority: 4
    Trigger Date: 0000-00-00 00:00:00
    Last Triggered: 0000-00-00 00:00:00
 
 
El recurso de mensaje está presente, pero el mensaje no se encuentra en la tabla de cadenas o mensajes
 
XML de evento:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ERA_SERVER" />
    <EventID Qualifiers="16384">503</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-22T05:59:55.000Z" />
    <EventRecordID>2261</EventRecordID>
    <Channel>Application</Channel>
    <Computer>ALC-TEST.finalin.es</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[2015-06-22 07:59:55.898] V3 [000000000006] [00080023] <notification>    BEFORE:
    Active: 1
    Name: #!$Forward Threat Log$!#
    Type: 7
    Description: Pre-defined rule
    Priority: 4
    Trigger Date: 0000-00-00 00:00:00
    Last Triggered: 0000-00-00 00:00:00
</Data>
  </EventData>
</Event>

[Marcos 5,070]

If you look at the Logging tab, there's no section called Threat log.  There is Audit log, Server log and Debug log. Only the first two can be set to log to the operating system's log.

[jacortijo 0]

Hi Marcos, I know... those settings are in the Tools -->Server Options-->Logging tab and I already checked both to "Log to OS application log"....

Then in the Thread log there is a check called Forwarding and I also checked it.

 

After doing both things, visiting the eicar site to test the detection... it doesn't generate any specific event log in the OS application log...

see the attachments.

 

Thanks.

Jose

[Marcos 5,070]

The option is called "Threat forwarding to syslog". Not sure if you are using a syslog server, probably not as you don't have any of the "Log to syslog" boxes selected.

[jacortijo 0]

Yes , I used syslog server and it worked. The option to log into the Os event logger is not working neither in Win2003 nor W2008.

thanks.

[Mike carter 0]

If the option to log into Event Logger is not working may be the Application is corrupted. Try reinstalling  a new copy or try Event Log Explorer for better Event Log management and Log Forwarding as Windows Event viewer lacks advanced features in Win 7 and WIN 10.