[osiris] The description for Event ID ( 0 ) in Source (osirismd ) cannot be found.
Joseph A. Kocan
JKocan at neweve.net
Sat Oct 13 03:26:59 EDT 2007
Jim,
I played around with it and found a solution that worked for me. I built a Windows message dll that reports for an event ID 0. When I appended it to the registry the event got reported properly to event viewer like you said. Instead of using Snare on my Osiris management box, I used event sys: https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys
I use Snare on everything but the Osiris management server.
My message .dll file is here in case you think it would help you. ftp://ftp.joeslab.com/alertmsg.dll
I appreciate your response to me. Your post was the key to me figuring this out.
Joe
From: Jim Kirkland [mailto:JKirkland at darden.com]
Sent: Friday, September 28, 2007 3:16 PM
To: Joseph A. Kocan
Subject: RE: [osiris] The description for Event ID ( 0 ) in Source (osirismd ) cannot be found.
Joe,
What I have tracked down is a reference in the logging.c source module. I found it by searching the source for Event ID. You will find the code pushing the event ID there. Even if you change it, you still get the AUX message. This is because there is also a message.dll which is delivered with the source and referenced in the registry of the Management console machine. There is no source for this module. After searching around for a while, I found that you can actually make your own message dll and concatenate this on the registry entry so that the message is resolved rather than getting the AUX message.
The next step for me was to be able to have these messages go to syslog. The error messages referenced in this MSDN site started showing up in syslog for whatever number I set the message number to. I use SNARE to send messages to a central syslog server. So while I have solved the message showing up in event log properly, the syslog collection of this message still yields erroneous messages instead of the one shown in the event viewer description. If you happen across a solution for this I would appreciate the feedback.
http://msdn2.microsoft.com/en-us/library/ms681381.aspx
Hope this helps,
Jim Kirkland
Sr. Security Analyst
Darden Restaurants
jkirkland at darden.com
407-245-6603
"Every employee of Darden is responsible for the security and protection of our information and technology resources"
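
The registry step discussed in this thread (appending a custom message DLL to the event source's entry), written out as an added example; it is not code from either poster or from the Osiris project. It assumes the entry in question is Windows' standard EventMessageFile value, which accepts a semicolon-separated list of files, and the DLL path is a placeholder.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
$Source = 'osirismd'                  # event source named in the subject line
$NewDll = 'C:\PLACEHOLDER\alertmsg.dll'   # placeholder path (assumption)
$Root   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# Refuse to register a file that is not there, and record its hash so the
# registered DLL can be compared against a known-good copy later.
if (-not (Test-Path -LiteralPath $NewDll -PathType Leaf)) {
    throw "Message DLL not found: $NewDll"
}
$hash = (Get-FileHash -LiteralPath $NewDll -Algorithm SHA256).Hash

# The source is registered under one of the logs (Application, System, ...);
# find which one instead of assuming.
$keyPath = Get-ChildItem $Root |
    ForEach-Object { Join-Path $Root (Join-Path $_.PSChildName $Source) } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyPath) { throw "Event source '$Source' is not registered" }

# Read the raw value so %SystemRoot% and similar are not expanded and then
# written back as literal paths.
$key     = Get-Item $keyPath
$noExp   = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$current = $key.GetValue('EventMessageFile', '', $noExp)
$kind    = if ($current) { $key.GetValueKind('EventMessageFile') }
           else { [Microsoft.Win32.RegistryValueKind]::ExpandString }

# Append only if the DLL is not already listed (-notcontains ignores case).
$files = @($current -split ';' | Where-Object { $_ })
if ($files -notcontains $NewDll) {
    $files += $NewDll
    Set-ItemProperty -Path $keyPath -Name 'EventMessageFile' `
        -Value ($files -join ';') -Type $kind
}

# Report the resulting registration.
[pscustomobject]@{
    Key              = $keyPath
    EventMessageFile = (Get-Item $keyPath).GetValue('EventMessageFile', '', $noExp)
    DllSha256        = $hash
}
```

Event Viewer has to be reopened before it resolves descriptions through the newly listed DLL.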