Re: All events showing in each event log

From: Gabe Knuth (news_at_gabeknuth.com)
Date: 11/15/04


Date: Mon, 15 Nov 2004 10:58:21 -0600

Thanks for the tip. I checked there, and they are not as you've shown, nor
are they all the same.

My application log source is full of entries, only a few of which are on
your list. The rest of them (16385 in all) are from an application that I
think is an in-house app. Makes ya wonder....

The system log source is simply the word "system" repeated 2603 times, same
for the security log (just the word "security").

So, I'm thinking the homegrown app really messed some things up. Guess I'll
find out soon enough. Thanks.

Gabe

"Dave Patrick" <mail@Nospam.DSPatrick.com> wrote in message
news:#LXEMBzyEHA.3836@TK2MSFTNGP12.phx.gbl...
> No, I've never seen this one. Within each of the keys below is a
> Reg_Multi_SZ string named 'Sources'. It sounds like they all contain the
> same list. Here's what I have on a newly built Windows 2003 standard
> server.
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
>
> Application:
> ---------------------------
> WSH
> WMIAdapter
> WmdmPmSN
> WinMgmt
> Winlogon
> Windows Product Activation
> Windows 3.1 Migration
> WebClient
> VxSvc_VMNT
> VxSvc_pnp
> VxSvc_PercPro
> VxSvc_Perc2Pro
> VxSvc_Mylex
> VxSvc_mount
> VxSvc_ftdisk
> VxSvc_fsys
> VxSvc_disk
> VxSvc_ASPIPro
> vxsvc_alert
> vxsvc
> VSS
> VBRuntime
> Userinit
> Userenv
> UploadM
> TrustMonitor
> Tlntsvr
> SysmonLog
> SQLSERVERAGENT
> SQLFTHNDLR
> SQLCTR
> SpoolerCtrs
> Software Installation
> SclgNtfy
> SceSrv
> SceCli
> safrslv
> SAFrdms
> Remote Assistance
> PerfProc
> PerfOS
> PerfNet
> Perfmon
> Perflib
> PerfDisk
> Perfctrs
> PassportManager
> Offline Files
> Oakley
> ntbackup
> Network Optional Components
> MSSQLServerAgent
> MSSQLServerADHelper
> MSSQLSERVER/MSDE
> MSSQLSERVER
> MssCi
> MsiInstaller
> MSDTC Client
> MSDTC
> mnmsrvc
> Microsoft Search
> LoadPerf
> LicenseService
> HelpSvc
> Folder Redirection
> File Deployment
> EventSystem
> EventCreate
> ESENT
> DSReplicationProvider
> DrWatson
> DiskQuota
> DataTransformationServices
> crypt32
> COM+
> Ci
> Chkdsk
> CertEnterprisePolicy
> AutoEnrollment
> Autochk
> Application Management
> Application Hang
> Application Error
> apphelp
> .NET Runtime
> Application
> ---------------------------
>
> System:
> ---------------------------
> WZCSVC
> Workstation
> WMIxWDM
> WLBS
> WinHttpAutoProxySvc
> Windows Script Host
> Windows File Protection
> Win32k
> Wd
> W32Time
> Volume Shadow Copy Service Task
> VolSnap
> Virtual Disk Service
> viaide
> VgaSave
> VDS Dynamic Provider 1.0
> VDS Basic Provider 1.0
> USER32
> UPS
> ultra
> udfs
> toside
> TermServSessDir
> TermServJet
> TermService
> TermServDevices
> TermDD
> tdi
> TCPMon
> Tcpip
> System Error
> sym_u3
> sym_hi
> symmpi
> symc8xx
> symc810
> StillImage
> Srv
> Software Restriction Policy
> sndblst
> Simbad
> SideBySide
> sfloppy
> Setup
> Service Control Manager
> Server Administrator
> Server
> serial
> scsiport
> Schedule
> Schannel
> SCardSvr
> Save Dump
> SAM
> Removable Storage Service
> RemoteAccess
> redbook
> Rdbss
> RasMan
> RasAuto
> ql2300
> ql2200
> ql2100
> ql1280
> ql1240
> ql12160
> ql10wnt
> ql1080
> Processor
> Print
> PptpMiniport
> PolicyAgent
> PlugPlayManager
> perc2
> pcmcia
> pciide
> pci
> Parvdm
> partmgr
> parport
> OSPFMib
> OSPF
> null
> NtServicePack
> ntfs
> npfs
> Nla
> nfrd960
> Netlogon
> NetDDE
> NetBT
> NetBIOS
> NdisWan
> ndis
> Mup
> msfs
> msadlib
> MrxSmb
> MRxDAV
> mraid35x
> mouclass
> Modem
> LsaSrv
> lp6nds35
> LmHosts
> LDMS
> LDM
> Kerberos
> KDC
> kbdclass
> isapnp
> IPXSAP
> IPXCP
> ipsraidn
> IPSec
> IPRouterManager
> IPRIP2
> IPNATHLP
> IPMGM
> IPBOOTP
> intelide
> iirsp
> IGMPv2
> i8042prt
> i2omp
> i2omgmt
> Http
> hpt3xx
> hpn
> ftdisk
> fs_rec
> flpydisk
> Fips
> fdc
> fastfat
> eventlog
> efs
> E1000
> dpti2o
> Dnscache
> Dnsapi
> dmio
> dmboot
> Distributed Link Tracking Server
> Distributed Link Tracking Client
> disk
> Dhcp
> DfsSvc
> DfsDriver
> dellcerc
> DCOM
> dac960nt
> dac2w2k
> cryptsvc
> cpqfcalm
> cpqcissm
> cpqarry2
> cpqarray
> cmdide
> changer
> cdrom
> Cdm
> cdfs
> cd20xrnt
> cbidf2k
> Browser
> BITS
> beep
> Atmarpc
> ati2mpad
> atdisk
> atapi
> AsyncMac
> Application Popup
> ami0nt
> aliide
> Alerter
> aic78xx
> aic78u2
> afcnt
> AFAMGT
> adpu320
> adpu160m
> acpiec
> acpi
> abiosdsk
> System
> ---------------------------
>
> Security:
> ---------------------------
> Spooler
> Security Account Manager
> SC Manager
> NetDDE Object
> LSA
> DS
> Security
> ---------------------------
>
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "Gabe Knuth" wrote:
> | Hello,
> |
> | I have an odd problem, and a tough one to search for, although it could
> | simply be too early in the morning.
> |
> | I've got a Win2k3 server that is sending all event log entries to each
> | event
> | log. All the logs are identical - i.e. the App log has the exact same
> | entries as the System and Security logs. It's almost like all events are
> | getting logged to the same place, since each log contains all the other
> | logs. (Apps log has Security and System log info in it, ...).
> |
> | I checked the files that the logs were pointing to, and they are all
> | different (and pointed to the correct locations).
> |
> | Has anyone seen this before? It certainly is odd.
> |
> | Thanks,
> | Gabe
> |
> |
>
>
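The check discussed in this thread (comparing the 'Sources' REG_MULTI_SZ value under each Eventlog key) can be scripted. The following is an added example, not part of either post: it reports, per log, how many entries the list holds, which names are repeated, and which names also appear in another log's list. The sample data is constructed to resemble the reported symptom, and "InHouseApp" is a hypothetical source name.

```python
import sys
from collections import Counter

EVENTLOG_KEY = r"SYSTEM\CurrentControlSet\Services\Eventlog"
LOGS = ("Application", "System", "Security")

# Constructed sample shaped like the symptom reported in the thread;
# "InHouseApp" is a hypothetical source name, not one from the posts.
CONSTRUCTED_SAMPLE = {
    "Application": ["WSH", "MsiInstaller", "InHouseApp", "Application"],
    "System": ["System"] * 2603,
    "Security": ["Security"] * 2603,
}

def read_sources(log):
    """Return the 'Sources' list for one log from the live registry (Windows only)."""
    import winreg
    path = EVENTLOG_KEY + "\\" + log
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, kind = winreg.QueryValueEx(key, "Sources")
    if kind != winreg.REG_MULTI_SZ:
        raise ValueError(f"{path}\\Sources is not REG_MULTI_SZ (type {kind})")
    return value

def audit_sources(sources_by_log):
    """Per log: entry count, unique names, names listed more than once,
    and names that also appear in another log's list."""
    # Registry names are case-insensitive, so compare case-folded.
    folded = {log: Counter(n.casefold() for n in names)
              for log, names in sources_by_log.items()}
    report = {}
    for log, counts in folded.items():
        shared = {}
        for other, other_counts in folded.items():
            common = sorted(set(counts) & set(other_counts))
            if other != log and common:
                shared[other] = common
        report[log] = {
            "entries": sum(counts.values()),
            "unique": len(counts),
            "repeated": {n: c for n, c in counts.items() if c > 1},
            "shared_with": shared,
        }
    return report

if __name__ == "__main__":
    data = {l: read_sources(l) for l in LOGS} if sys.platform == "win32" else CONSTRUCTED_SAMPLE
    for log, f in audit_sources(data).items():
        print(log, f["entries"], f["unique"], f["repeated"], f["shared_with"])
```

On Windows the script reads the live registry; elsewhere it falls back to the constructed sample.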