DX Unified Infrastructure Management

  • 1.  NTEVL error when finding an event

    Posted Sep 15, 2021 09:48 AM
    Hi everyone, 

    I've had a problem for a while with the NTEVL probe detecting a specific event in the system log. From the logs I get the following:

    Sep 15 06:18:04:213 [4524] ntevl: getPublisherHandleandStoreinHash:EvtOpenPublisherMetadata failed with error:2
    Sep 15 06:18:04:213 [4524] ntevl: (ProcessEvent) OpenPublisherMetadata failed for Publisher: "gupdate"
    Sep 15 06:18:04:213 [4524] ntevl: updateRecord called Application 280015
    Sep 15 06:18:04:213 [4524] ntevl: RecordHandler - log=0, count=0, number=280015
    Sep 15 06:18:04:213 [4524] ntevl: Event excluded:informational :Application: 280015
    Sep 15 06:18:04:213 [4524] ntevl: EvtFormatMessage failed: message or message id not found
    Sep 15 06:18:04:213 [4524] ntevl: Error getting Task category for event DETAILS: Publisher: Service Control Manager EventID: 7036
    Sep 15 06:18:04:213 [4524] ntevl: Level is :Information

    Have any of you had this issue with the probe?

    Here is the configuration in UIM:





    Thank you for your help!!!

    ------------------------------
    Philippe-Andre Trottier
    Montreal,Quebec
    ------------------------------


  • 2.  RE: NTEVL error when finding an event

    Broadcom Employee
    Posted Sep 16, 2021 10:15 AM
    Hi Philippe,

    Not familiar with log messages, but just from a basic troubleshooting approach:

    Is it just this watcher that does not match? If so, try using just a "*" in message and maybe user and source. Just leave the EventID field and note results. See if you can narrow down where the match problem is. I assume that is the end result: the message comes in but nothing happens (no match detected). An issue may be in order.

    Is there any relevant entry in the Security log about ntevl or robot processes?


  • 3.  RE: NTEVL error when finding an event

    Posted Sep 16, 2021 10:20 AM
    As an aside to the conversation, you have the configuration set to "poll" to find new events. This can be very expensive to do resource-wise if your Windows logs are large. It is much more efficient to use the "event" selection to get messages, as then the probe subscribes to updates from the event service and so only consumes resources when there's an actual message to look at - as opposed to polling, where you are constantly querying the log to see if any new messages have been added.