Monitoring Windows Event Logs for a Message Where the Event ID's Description Cannot be Found

Document ID : KB000004179
Last Modified Date : 14/02/2018
Issue:

The SysEDGE agent does not match or send traps for an event log monitor that appears to be properly configured when the Event ID's description cannot be found.

Environment:
* Supported SysEDGE agent
* Running on a supported Windows version
* Configured to "Use Perl Compatible Regular Expressions" in policy control settings
* Event log monitor with "Prepend event ID"
* A Regular Expression such as: /^\[EVENTID\] (.*\n)*.*DESCRIPTION TEXT.*/m

Cause:

Consider the following event message:

The description for Event ID 0 from source Application cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Msg:Session expired. You have to login;
StackTrace:   at Some.Code.More.Code.Method(HttpContext context) in C:\custom\applcation\path\some\code\\more\Code.ashx.cs:line 42;
InnerException:
the message resource is present but the message is not found in the string/message table

As the event message above shows, the Event ID/Message cannot be found and is therefore not properly written to the event log.

Resolution:

Since the Event is not properly written to the Event Log, SystemEDGE cannot read this message.

The vendor/developer of the application needs to correct the way the application writes messages to the event logs in order for SysEDGE to be able to monitor such events.
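
To find out which sources and Event IDs in a log are affected before opening a case with the application vendor, the following PowerShell can be run on the monitored host. It is an added example, not part of the original KB article or of SysEDGE. It assumes the Application log, the built-in Get-WinEvent cmdlet, and that a failed description lookup surfaces either as the placeholder text quoted above or as an empty Message; the function name is hypothetical.

```powershell
# Added example: list event sources/IDs whose description cannot be resolved.
# Assumptions: log name, sample size and the two "unresolved" conditions below.
$logName   = 'Application'   # log watched by the event log monitor (assumed)
$maxEvents = 5000            # most recent events to inspect (assumed)
$marker    = 'The description for Event ID'   # placeholder text quoted in this article

function Test-UnresolvedDescription {
    # Returns $true when the rendered message is empty or is the placeholder text.
    param([AllowNull()][AllowEmptyString()][string]$Message)

    if ([string]::IsNullOrWhiteSpace($Message)) { return $true }
    return $Message.TrimStart().StartsWith($marker, [StringComparison]::OrdinalIgnoreCase)
}

$affected = Get-WinEvent -LogName $logName -MaxEvents $maxEvents -ErrorAction Stop |
    Where-Object { Test-UnresolvedDescription $_.Message } |
    Group-Object -Property ProviderName, Id |
    Sort-Object -Property Count -Descending

$affected | ForEach-Object {
    $first = $_.Group[0]
    # The raw insertion strings are what the application actually supplied,
    # even though no description template could be found for them.
    $payload = ($first.Properties | ForEach-Object { [string]$_.Value }) -join ' | '
    if ($payload.Length -gt 120) { $payload = $payload.Substring(0, 120) + '...' }

    [pscustomobject]@{
        Count    = $_.Count
        Source   = $first.ProviderName
        EventId  = $first.Id
        LastSeen = $first.TimeCreated
        Payload  = $payload
    }
} | Format-Table -AutoSize -Wrap
```

Each row is a source and Event ID pair that a description-based regular expression should not be expected to match until the application's event logging is corrected.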

Additional Information:

HOWTO: Troubleshooting the "Event Message Not Found" Message

EventLog.WriteEntry Method (String)