If you have pulled the plug then there is no way for the event to get to the PC running WhatsUp Gold. I would suggest using some alternate test... perhaps an invalid login attempt (easy to generate on demand).
Having said that, your debug log might be revealing a problem with how "Error 800706BE" is handled - reconection should be tried in this case. I will log this so that it can be looked at. Mark Symons Ipswitch, Inc Augusta GA -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Trevor Bain Sent: Friday, March 07, 2003 14:58 To: [EMAIL PROTECTED] Subject: [WhatsUp Forum] Windows Event Log alert not generated - WUG 8.0 Eval Hi there, We are evaluating WUG 8.0 as a potential tool for monitoring our servers. Our test environment includes: - 6 servers (NT4 and 2000) in 2 NT-style domains with inter-domain trusts - 10 servers (2000) in an active directory domain structure (with a trust to only 1 of the NT domains) - 1 WUG server in the active directory domain. I have set up our Eval version of WUG to monitor (among other things) the Windows Event Log for an unexpected restart (Event ID 6008, WUG Event called "Unexpected Shutdown"). I am triggering the event by pulling the plug on the server (hey, it's a test server!). The event does get cut in the Windows event log but I don't get an alert. In this particular case, the machine I am testing is in the trusted NT4 domain. The event log definition file (don't know what to call it) located in "C:\Program Files\WhatsUp\Event\Windows Log" looks like this: [Windows Log\Unexpected Shutdown] UI_CLSID={C527AA83-5BB3-4554-8886-FD486C3E21F4} WQL=select * from __instancecreationevent where targetinstance isa 'Win32_NTLogEvent' SOURCE= EVENTID=6008 TYPE=1 TESTSTRING=The previous system shutdown at 2:23:36 PM on 3/6/2003 was unexpected. NUMMSGS=1 MSG0=~previous system shutdown I tried to do some debugging using the debug logs but am not sure about what I am seeing. Using the following extract from the debug (the entire log is appended to the bottom of the posting), can anyone shed any insight into what is going wrong (note: I have replaced the real IP with 111.000.111.000 and the servername with "Server1"): -------------- begin extract -------------- Windows Log: Removing event 'Unexpected Shutdown' from host at 111.000.111.000 (0x7DDB763F) Windows Log: Disconnecting from host 111.000.111.000 Windows Log: CancelAsyncCall(111.000.111.000) failed. Error 800706BE: 'The remote procedure call failed.' (C:\Program Files\WhatsUp\TestServers.wup) map poll complete Windows Log: Adding event 'Unexpected Shutdown' to host at 111.000.111.000 (0x7DDB763F) Windows Log: Could not connect to WMI at '111.000.111.000' WILL NOT RETRY DUE TO Error 800706BE: 'The remote procedure call failed.' -------------- end extract -------------- Thanks for any assistance that you can provide. Trevor -- Trevor Bain Information Systems & Technology (MC-1037) University of Waterloo 200 University Avenue West, Waterloo, Ontario, CANADA, N2L 3G1. email: [EMAIL PROTECTED] ph: 519-888-4567 x3738 fx: 519-884-4398 wwww: http://ist.uwaterloo.ca/~etbain -- ============= Begin: Entire Debug Log ============= ---------------- server is down ---------------- (C:\Program Files\WhatsUp\TestServers.wup) map poll start Checking Server1 : 00 : HTTP (HyperText Transfer Protocol) [111.000.111.000] >>> TCP COHS CHECK 80 on 111.000.111.000 [111.000.111.000] connect2 failed (10004) TCP/IP Service check complete. FAILED Check Complete (-2) Server1 : 00 : HTTP (HyperText Transfer Protocol) Checking Server1 : 01 : Event Log Checking the NT Service Eventlog on 111.000.111.000 Failed to open the Service Control Manager for the NT Service Eventlog on 111.000.111.000. Reason: The RPC server is unavailable. Check Complete (-2) Server1 : 01 : Event Log (C:\Program Files\WhatsUp\TestServers.wup) map poll complete ---------------- server is up now ---------------- (C:\Program Files\WhatsUp\TestServers.wup) map poll start Checking Server1 : 00 : HTTP (HyperText Transfer Protocol) [111.000.111.000] >>> TCP COHS CHECK 80 on 111.000.111.000 [111.000.111.000] connected [111.000.111.000] >>> TCP COHS CHECK 80 on 111.000.111.000 [111.000.111.000] 000: Send=HEAD / HTTP/1.0\r\nAccept: */*\r\nUser-Agent: WhatsUp_Gold/7.0\r\n\r\n HEAD / HTTP/1.0 Accept: */* User-Agent: WhatsUp_Gold/7.0 [111.000.111.000] 001: Expect=^HTTP/ HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/5.0 Date: Fri, 07 Mar 2003 19:00:52 GMT Content-Type: text/html Content-Length: 111 <html><head><title>Site Not Found</title></head> <body>No web site is configured at this address.</body></html> [111.000.111.000] <<< TCP COHS EXIT=0 TCP/IP Service check complete. OK Check Complete (2) Server1 : 00 : HTTP (HyperText Transfer Protocol) Checking Server1 : 01 : Event Log Checking the NT Service Eventlog on 111.000.111.000 The check of the NT Service Eventlog on 111.000.111.000 succeeded. Check Complete (2) Server1 : 01 : Event Log Windows Log: Removing event 'Unexpected Shutdown' from host at 111.000.111.000 (0x7DDB763F) Windows Log: Disconnecting from host 111.000.111.000 Windows Log: CancelAsyncCall(111.000.111.000) failed. Error 800706BE: 'The remote procedure call failed.' (C:\Program Files\WhatsUp\TestServers.wup) map poll complete Windows Log: Adding event 'Unexpected Shutdown' to host at 111.000.111.000 (0x7DDB763F) Windows Log: Could not connect to WMI at '111.000.111.000' WILL NOT RETRY DUE TO Error 800706BE: 'The remote procedure call failed.' ---------------- next check: server is still up ---------------- (C:\Program Files\WhatsUp\TestServers.wup) map poll start Checking Server1 : 00 : HTTP (HyperText Transfer Protocol) [111.000.111.000] >>> TCP COHS CHECK 80 on 111.000.111.000 [111.000.111.000] connected [111.000.111.000] >>> TCP COHS CHECK 80 on 111.000.111.000 [111.000.111.000] 000: Send=HEAD / HTTP/1.0\r\nAccept: */*\r\nUser-Agent: WhatsUp_Gold/7.0\r\n\r\n HEAD / HTTP/1.0 Accept: */* User-Agent: WhatsUp_Gold/7.0 [111.000.111.000] 001: Expect=^HTTP/ HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/5.0 Date: Fri, 07 Mar 2003 19:36:02 GMT Content-Type: text/html Content-Length: 111 <html><head><title>Site Not Found</title></head> <body>No web site is configured at this address.</body></html> [111.000.111.000] <<< TCP COHS EXIT=0 TCP/IP Service check complete. OK Check Complete (1) Server1 : 00 : HTTP (HyperText Transfer Protocol) Checking Server1 : 01 : Event Log Checking the NT Service Eventlog on 111.000.111.000 The check of the NT Service Eventlog on 111.000.111.000 succeeded. Check Complete (1) Server1 : 01 : Event Log (C:\Program Files\WhatsUp\TestServers.wup) map poll complete ============= End: Entire Debug Log ============= Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/whatsup_forum%40list.ipswitch.com/ Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/whatsup_forum%40list.ipswitch.com/
