Search Results

Search found 17971 results on 719 pages for 'log analyzer'.

Page 57/719 | < Previous Page | 53 54 55 56 57 58 59 60 61 62 63 64 | Next Page >

Source of Unexplained Requests in Server Logs

- by Synetech inc.

Hi, I am baffled by some entries in my server logs, specifically the web-server logs. Other than normal, expected traffic, I have noticed three types of request errors (eg 404, etc.): Broken links, ie links from old, external pages that point to pages that are no longer here Sequences of probes, ie some jerk trying to hack in by scanning my server for a series of exploitable admin type pages and such What appear to be completely random requests for things that have never existed on the server or even have anything to do with the server, and appear by themselves (ie not a series of requests like the probes) Could it somehow be a mistyped URL or IP? That’s about the only thing that I can think of, but still, how could I get a request on say, foobar.dyndns.org (12.34.56.78) for something like www.wantsfly.com/prx2.php or /MNG/LIVE or http://ant.dsabuse.com/abc.php?auth=45V456b09m&strPassword=X%5BMTR__CBZ%40VA&nLoginId=43. (Those are a few actual requests from my logs.) Can someone please explain scenario three to me? Thanks.

Read the article
NTFS Error - file system structure is corrupt and unusable

- by SomeGuy

My Windows 7 (64) keeps completely locking up, and I have to hold the power button to shit it down. Event logs are showing EventID 55. I realize that this can be a warning sign of an impending disk failure, but my data on this machine is safely backed up and I don't feel like taking the time to replace the drive right now. When I have seen this problem before, I have been able to delete the offending folder with a Linux Live CD. (When CHKDSK /F didn't work). In this case, the folder is from VSS. I assume this is from Crashplan, my online backup provider. What are the ramifications of deleting this folder from Linux? Is it safe to do? "The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy26."

Read the article
IIS EventLog Errors

- by chris

I keep getting this error in my event viewer on IIS 6. I'm trying to figure out if my error resets my connection (maybe recycles the worker processes?). The error is: An attempt was made to load filter 'C:\Program Files\Software Artisans\FileUp \FileUpIsapi.dll' but it requires the SF_NOTIFY_READ_RAW_DATA filter notification and this notification is not supported in Worker Process Isolation Mode. For more information, see Help and Support Center at http://go.microsoft.com/fwlink /events.asp.

Read the article
Elastic Beanstalk and IIS logs

- by user195744

I have an ELB app and when logging into an instance and looking at the IIS logs I see something like the following: 2013-10-18 17:14:25 10.240.27.2 GET /FSViewer/Img.aspx trcid=451847431&vhtid=391833142 80 - 10.210.107.159 Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.1;+WOW64;+Trident/6.0) 200 0 0 140 The 10.240.27.2 address always repeated, which is the load balancer? So how do I find out the IP addresses that are hitting my server?

Read the article
How to analyse logs after the site was hacked

- by Vasiliy Toporov

One of our web-projects was hacked. Malefactor changed some template files in project and 1 core file of the web-framework (it's one of the famous php-frameworks). We found all corrupted files by git and reverted them. So now I need to find the weak point. With high probability we can say, that it's not the ftp or ssh password abduction. The support specialist of hosting provider (after logs analysis) said that it was the security hole in our code. My questions: 1) What tools should I use, to review access and error logs of Apache? (Our server distro is Debian). 2) Can you write tips of suspicious lines detection in logs? Maybe tutorials or primers of some useful regexps or techniques? 3) How to separate "normal user behavior" from suspicious in logs. 4) Is there any way to preventing attacks in Apache? Thanks for your help.

Read the article
Eventlog entry for allowed connection in Windows Firewall

- by Jaap

I was seeing a lot of entries in the eventlog: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 10.xxx.xxx.xxx Source Port: 80 Destination Address: 10.xxx.xxx.xxx Destination Port: 31773 Protocol: 6 Filter Information: Filter Run-Time ID: 67903 Layer Name: Receive/Accept Layer Run-Time ID: 44 We have a loadbalancer which checks every second to see if the application is still running (a health check). The logs contain large amounts of this kind of entries, which makes the Event Viewer slow and it's difficult to find the more interesting logs. How do I make sure these messages don't end up in the event logs?

Read the article
What is a quick way to report login/logout times on Windows 2003?

- by blueberryfields

I have about a dozen servers, and I am looking to quickly find out all of the login/logout times, for a subset of users, for all servers, during January. Is there a quick, easy way to get this information (faster and easier than manually combing through the security logs)? I would rather not replicate any work - are there any publicly posted tools or scripts that already implement a solution to this problem?

Read the article
Lots of strange IP addresses in my Windows Firewall logs. Concern?

- by gmoore

Was trying to debug a Samba sharing issue with Mac OS X so I turned on logging for my Windows Firewall. I didn't expect a lot of conections but the thing filled up quickly. Here's a sample: 2009-12-21 08:49:32 OPEN-INBOUND TCP 192.168.0.4 192.168.0.3 56335 139 - - - - - - - - - 2009-12-21 08:49:33 OPEN-INBOUND TCP 192.168.0.4 192.168.0.3 56337 139 - - - - - - - - - 2009-12-21 08:50:02 OPEN UDP 192.168.0.3 68.87.73.242 1389 53 - - - - - - - - - 2009-12-21 08:50:02 CLOSE TCP 192.168.0.3 212.96.161.238 1391 80 - - - - - - - - - 2009-12-21 08:50:02 OPEN UDP 192.168.0.3 68.87.71.226 60290 53 - - - - - - - - - 2009-12-21 08:50:02 OPEN TCP 192.168.0.3 212.96.161.238 1391 80 - - - - - - - - - 2009-12-21 08:50:02 OPEN TCP 192.168.0.3 212.96.161.238 1393 80 - - - - - - - - - 2009-12-21 08:50:04 CLOSE TCP 192.168.0.3 212.96.161.238 1393 80 - - - - - - - - - 2009-12-21 08:50:41 CLOSE UDP 192.168.0.3 192.168.0.4 137 50300 - - - - - - - - - I can pick out the local IP addresses (192.168.0.3 is my Windows XP machine, 192.169.0.4 is Mac OS X) as I debug the Samba issue. But some of the others resolve to Comcast (my ISP) and others resolve to weird hosts like van-dns.com and navisite.net. It doesn't look like any connection sent/received any bytes. I used the reference here: http://technet.microsoft.com/en-us/library/cc758040%28WS.10%29.aspx. Is it a cause for concern?

Read the article
Make logwatch reports more interesting?

- by Alexander Shcheblikin

Is it possible to improve the quality of reports from logwatch? Like make it not just report disk usage which doesn't even change much in daily operation, but report significant changes in usage or approaching critical capacity levels? If I cannot do that with logwatch and instead have to write custom scripts to produce such reports, logwatch appears to be pretty useless, or even dangerous, as many users reportedly grow to ignore emails from it knowing they are so boring.

Read the article
Timestamp in Tomcat logs is wrong

- by Thody

For some reason, the timestamp in my Tomcat logs is off. The system clock is correct, and set to PST, but the Tomcat logs appear to be using GMT. I haven't been able to find this setting anywhere...hoping someone can shed some light. Thanks

Read the article
Distributed Server Monitoring Solution

- by MaterialEdge

I belong to an independent IT firm that manages and maintains about 50 business clients networks, ranging from small 5 system networks to 200+ systems. Because we are unable to directly monitor each server at these locations (distributed over a very large area) on a regular basis I am looking for a method to monitor and alert us to any problems that may arise so that we can respond quickly with, hopefully, preventative measures. I'm not sure what solutions are available for this type of situation, but something that utilizes a central server at our business with all client servers sending alerts or logs to it for daily monitoring might work best. All these servers are running a Windows Server OS. In your opinion, what would be the best course of action to accomplish this?

Read the article
SQL Server plus small files

- by user1467163

I have a MSSQL server, 3 volumes, that runs some processes that seem to take way too long. One of these processes reads in a zip file, then writes to a database based on what's in the zip file.... for each record. I have 2 volumes in use and am creating the third- so I am trying to plan how to do this. OS has to remain on vol. 1. The TLogs should probably go on the new volume and the mdf's on the existing vol.2.. Do I put the file store on the volume with the MDF's so they don't interfere with the TLog writes, or with the TLogs so they don't interfere with the TLog flush to the MDFs? I know it's best to have more servers / volumes but I have to make do with whats on hand for now. I appreciate any suggestions.

Read the article
Windows Login Failure

- by Chris Bateson

I'm getting an error in the Event Viewer, which is also generating a lot of Logon Failure messages on our syslog server. Pretty much stuck on how to resolve. EventID: 536 Logon Type: 3 Reason: The NetLogon component is not active This is for a Windows Server 2003 system. I have checked here We're using Shavlik Protect 9 to scan and deploy patches. Shavlik stores the credentials for the systems and uses those stored credentials to deploy patches. This system is able to scan and deploy to other systems on the network using those credentials and no errors are generated. When installing to the local system that Shavlik is physically on then this error is generated. Whats interesting is that it doesn't generate during a scan, and the patches install fine. We've contacted Shavlik to get the response that they are unable to help since it's a Microsoft error. Has anyone seen this?

Read the article
How to strip logfile with grep to remove various dispensable information?

- by NES

My logfile has the following format: Dec 26 13:11:48 192.168.1.1 kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.2 DST=74.125.43.147 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=9312 DF PROTO=TCP SPT=11733 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B4) Now i'm trying to remove some dispensable information to make the output better readable and well arranged and put it into a new file. The result should look like this and should only have the following information: Dec 26 13:11:48 192.168.1.2 74.125.43.147 TCP SPT=11733 DPT=80 How to do it?

Read the article
Network Services disabled (not starting) on Windows XP

- by Rickesh John

I am currently running Windows XP Service Pack 3 on my system. But today, when I failed to connect to the internet, via a LAN cable, I realized that almost all of the vital network services had stopped functioning. Any attempts to start it through services.msc gives me the following message: Could not start the DNS Client Service on Local Computer Error 1068: The dependency service group failed to start All my software or services that are related to networking have stopped functioning, for example, Windows Firewall is turned off permanently, so is my Avast Anti-Virus' service of Real Time Shields and Web Shield. When I insert the LAN wire into my laptop, it registers itself, but this is what I get when I do a ping localhost C:>ping localhost Unable to contact IP driver, error code 2 Moveover, with ipconfig I get this : Windows IP Configuration An internal error occurred: The request is not supported. Please contact Microsoft Product Support Services for further help. Additional Information: Unable to query host name On some further poking around, I saw that none of the "NETWORK SERVICE" process in task manager, except svchost.exe were running. Also, when I first opened the task manager, I saw some 20 processes running with username column empty for most of them. With some search in Google, I found out that these services were important, DHCP DNS Net logon Network connection Network location Awareness TCP/IP Net BIOS Helper none of them, except Network Connections are working, they do not start. The event viewer of my system shows a bunch of 7000 and 7001 event errors. I have tried re installing the network driver, booting in safe mode with networking and tried to enable those services mentioned above. I had disabled System Restore some time back, so I have no restore points for my system. I tried a lot of things from Google searches but none of them worked. Also, with such a long list of issue, I am a little confused as to what should I search on the internet. :( One more thing I would like to mention, previous morning, my anti-virus Avast detected a RootKit buried deep in my system folders. It was removed, but maybe this was a problem caused by the root kit. I did run a boot-time scan but no viruses were found. Please please please advice. Is formatting and re-installation of Windows my only option?

Read the article
Tell if IIS is being asked to serve compressed pages?

- by Graham

Hi, I'm trying to find out if our IIS server is being asked to serve pages compressed. I'm a noob regarding a lot of this so am working my way through the issues. We're using IIS 6.0 and have correctly turned compression on. If I use Fiddler2 to analyse the HTTP requests via localhost, then Fiddler reports that the pages are compressed. If we then access the server over the network, either via its external URL or via the internal server name, Fiddler reports those pages as uncompressed. Therefore, it's logical to assume that something is getting in the way - presumably our ISA server. Our ISA administrator states that ISA is configured to allow compressed requests but what I want to do is to look at the requests coming through to IIS to see if IIS is being asked to serve pages compressed. I'm fairly convinced that our request is going to ISA, ISA is forwarding these, but not with the "compression" details - therefore IIS is not performing any compression. I've looked at the IIS logs but can't see anything obvious about the HTTP request. Is there any way I can check, on the web server itself, this sort of information? One thing that is confusing, but it may be normal, is that the Client IP making the request is not the orignal PC (i.e. mine) and not the ISA firewall, but the web server itself... Thanks

Read the article
Get Zipped Logs from a Remote Server

- by Jonathan

I am tasked with trying to find a way to download zipped logs from a remote server. There are quite a bit of these logs and they are constantly created. I do have limited ssh access to the remote server and can scp or rsync the files. However, due to the sheer size of these logs file, I do not want to rsync all of them. The logs could get to terabytes and for rsync to compare them may take some time. I only want to get any new file that was created/last updated an hour ago. I also am worried that I will rsync logs that are in the process of being created, so I was thinking to only rsync files that were last modified 3-5 minutes ago. Would anyone be so kind as to help me with such a process? Thank you in advance.

Read the article
Server 2008 email on Event variables

- by Jeff Miles

One of the new features of Server 2008 is the ability to attach a task to a specific event in the event logs. One of the actions available is to send an email through a SMTP server. This is working great, however it would be ideal if in the message body, the Event contents could be placed. I have tried using $eventdescription and %eventdescription%, but those are just shots in the dark. Any amount of googling produces no results. Does anyone know if this is possible? Update: Sparks' suggestion below is a step in the right direction I believe, however that method doesn't seem to work for all values. For example, I can pull the RecordID, Severity and Channel as shown, but I can't use the same method to retreive the EventID, or most importantly the description. Here's the raw XML from one event: [Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"] [System] [Provider Name="DFSR" /] [EventID Qualifiers="16384"]4412[/EventID] [Level]4[/Level] [Task]0[/Task] [Keywords]0x80000000000000[/Keywords] [TimeCreated SystemTime="2009-05-14T18:18:09.000Z" /] [EventRecordID]45692[/EventRecordID] [Channel]DFS Replication[/Channel] [Computer]servername.domain.com[/Computer] [Security /] [/System] [EventData] [Data]9046C3F4-843E-4A53-B941-4B20764072E5[/Data] [Data]D:\departments\Geomatics\Plan Quality\Data Processing\CG3533017 2009-05-13 KT FIXED[/Data] [Data]D:\departments[/Data] [Data]{26D5F604-E603-4F87-8EC3-DE9A945DA8FD}-v927199[/Data] [Data]Departments[/Data] [Data]domain.ca\files\departments[/Data] [Data]B8242CE2-F5EB-47DA-BA5B-1DD2F7EE3AB9[/Data] [Data]DFAA7A54-66CB-4C31-81A0-0F861382C32C[/Data] [Data]CG3533017 2009-05-13-{26D5F604-E603-4F87-8EC3-DE9A945DA8FD}-v927199[/Data] [/EventData] [/Event] I have tried using a ValueQuery for EventData, but it returns no data.

Read the article
What could cause a flurry of Microsoft-Windows-Servicing events?

- by MattUebel

I have a windows 2k8 machine that generated almost 40,000 WinEventLog:System events in the period of about 20 minutes. The breakdown of these events by eventcode was approximately: 4373 46% 4371 46% 4383 7% 4372 1% Microsoft-Windows-Servicing seemed to go crazy for a short time.... looking at updates, changing the state of updates etc. What could have caused this? UPDATE: Many of the events seem to come in pairs of: Windows Servicing started a process of changing package KBfoobar state from Installed(Installed) to Installed(Installed) and Windows Servicing successfully set package KBfoobar state to Installed(Intstalled)

Read the article
Server 2008 email on Event variables

- by Jeff Miles

One of the new features of Server 2008 is the ability to attach a task to a specific event in the event logs. One of the actions available is to send an email through a SMTP server. This is working great, however it would be ideal if in the message body, the Event contents could be placed. I have tried using $eventdescription and %eventdescription%, but those are just shots in the dark. Any amount of googling produces no results. Does anyone know if this is possible? Update: Sparks' suggestion below is a step in the right direction I believe, however that method doesn't seem to work for all values. For example, I can pull the RecordID, Severity and Channel as shown, but I can't use the same method to retreive the EventID, or most importantly the description. Here's the raw XML from one event: [Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"] [System] [Provider Name="DFSR" /] [EventID Qualifiers="16384"]4412[/EventID] [Level]4[/Level] [Task]0[/Task] [Keywords]0x80000000000000[/Keywords] [TimeCreated SystemTime="2009-05-14T18:18:09.000Z" /] [EventRecordID]45692[/EventRecordID] [Channel]DFS Replication[/Channel] [Computer]servername.domain.com[/Computer] [Security /] [/System] [EventData] [Data]9046C3F4-843E-4A53-B941-4B20764072E5[/Data] [Data]D:\departments\Geomatics\Plan Quality\Data Processing\CG3533017 2009-05-13 KT FIXED[/Data] [Data]D:\departments[/Data] [Data]{26D5F604-E603-4F87-8EC3-DE9A945DA8FD}-v927199[/Data] [Data]Departments[/Data] [Data]swg.ca\files\departments[/Data] [Data]B8242CE2-F5EB-47DA-BA5B-1DD2F7EE3AB9[/Data] [Data]DFAA7A54-66CB-4C31-81A0-0F861382C32C[/Data] [Data]CG3533017 2009-05-13-{26D5F604-E603-4F87-8EC3-DE9A945DA8FD}-v927199[/Data] [/EventData] [/Event] I have tried using a ValueQuery for EventData, but it returns no data.

Read the article
Sun Directory Server 5.2 performance

- by tmow

Hi all, I'm using logconv.pl (provided by Sun), to measure performance on my server. These two metrics results, are worrying me a bit: Binds: 192164 Unbinds: 111569 In fact the difference between the two it's quite big, how can I determine which are the unbound requests? As stated by Lodovic: Many applications just close the connections without sending an Unbind request. This simply can explain the difference. But the logconv.pl doesn't show details about the unbound requests, do you know any other tools or can you suggest some queries or whatever that can help me find out the root cause? Do you think anyway that the performances may improve fixing the issue?

Read the article
windows 2003 server policy error

- by air

i saw these two errors on my windows 2003 server from last few days can you please tell me what is these errors and how to remove them

Read the article
Starting scheduled task by detecting connection of USB drive

- by gemisigo

I know it has been discussed before several times that it is not possible to start an application from an usb drive when connecting it due to limitations of autorun (or autoplay??) in Win 7. But it is possible to create a scheduled task having On an event type trigger and surely there must be an event occurring when the drive is connected. Does anybody have the slightest idea which Event ID should I use? Or at least what type of event? There are too many logs to pick from.

Read the article
How to monitor Windows Server events with Centreon Nagios

- by Miss M

I want to monitor events on a Windows Exchange Server (Windows 2008 R2) and have installed NSclient ++ so I can use Centreon Nagios to monitor it. I did a bit of research and came across this question that I found somewhat helpful: How to monitor Windows host with Nagios? Nick Kavadias gave a good answer but it did not provide an explanation on how to configure the Nagios config file in such a way that it would monitor a specific service on the server. So, how do I set up a service in Nagios in such a way that it will detect when a windows event occurs on a server?

Read the article
What are these files ,can I delete them manually?

- by apache

[root@jiaoyou mysql]# pwd /var/lib/mysql [root@jiaoyou mysql]# ls -ls 338256 -rw-rw---- 1 mysql mysql 346030080 2010-04-22 08:08 ibdata1 626812 -rw-rw---- 1 mysql mysql 641222072 2010-01-26 07:17 mysql-bin.000008 316892 -rw-rw---- 1 mysql mysql 324173772 2010-03-25 12:51 mysql-bin.000009 These three files ibdata1,mysql-bin.000008 and mysql-bin.000009 are taking up too much of my space,will it be ok for me to delete some of them manually?

Read the article

< Previous Page | 53 54 55 56 57 58 59 60 61 62 63 64 | Next Page >