none
Eventlog Forwarding Issues - Either the component that raises this event is not installed on your local computer or the installation is corrupted.....

    Question

  • Hello all,

    OK so I do have Event Forwarding working - but I've noticed that when it's first configured I get messages similar to:

    The description for Event ID 104 from source Microsoft-Windows-Eventlog cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    The locale specific resource for the desired message is not present

    If I alter the subscription (wecutil ss subname /cf:events) the forwarded events are rendered correctly.

    However a product we are evaluating (which depends on event forwarding to work) always ends up with a couple of mal-rendered lines - always look something like:

    Required Privs: %9

    I built a standalone AD domain and joined the same 'problem' clients to this domain and re-configured Event Forwarding - there was no need to change the subscription format type to "events" and the events were forwarded correctly and also the product we are looking at worked straight away.

    It seems that when event forwarding is configured in our live domain (or any of the test labs we have) I always get the attached errors....

    I've read a number of blogs that describe the issue and most recommend altering the subscription format - this however does not solve the issue entirely...

    Has anyone else seen this issue and maybe found out how to resolve?

    Thanks all

    Carl

     

    Friday, November 4, 2011 10:03 AM

Answers

  • Again expecting a massive echo in the room when I say this but anyway...it's there for future reference:

    On your Collector Machine change the regional settings - on the formats tab change this to English (United States) and Event Forwarding with the format of renderedtext will work correctly.

    This change is obviously only suitable for environments that are pre-production/test labs

    Hoping to hear from MS regarding a workaround - will post back....

     

    ------------------------------------------------------------------

    Edit: For now this is the answer...


    • Proposed as answer by DL1 Monday, November 14, 2011 11:03 AM
    • Marked as answer by Carl_B_ Wednesday, November 23, 2011 10:43 PM
    • Edited by Carl_B_ Wednesday, November 23, 2011 10:43 PM
    Tuesday, November 8, 2011 3:46 PM

All replies

  • Just an update here - this appears to be a Server 2008 R2 issue - when you have R2 as your DC(s) then event forwarding doesnt work as expected.

    Would be great to hear from an MS guy on this.....

    thanks

    Friday, November 4, 2011 9:00 PM
  • I might be talking to myself here but anyway...

    Its appears to be an issue with Server 2008 and regional settings - I've built my server for use in England (en-gb) and experience the issue - if I replicate the same configuration but build my DC with 2008 R2 for US (en-us I guess) then Event Forwarding works as expected.

    I'm in the process of raising this with Microsoft UK so will post back what is discovered. 

    Tuesday, November 8, 2011 10:52 AM
  • Again expecting a massive echo in the room when I say this but anyway...it's there for future reference:

    On your Collector Machine change the regional settings - on the formats tab change this to English (United States) and Event Forwarding with the format of renderedtext will work correctly.

    This change is obviously only suitable for environments that are pre-production/test labs

    Hoping to hear from MS regarding a workaround - will post back....

     

    ------------------------------------------------------------------

    Edit: For now this is the answer...


    • Proposed as answer by DL1 Monday, November 14, 2011 11:03 AM
    • Marked as answer by Carl_B_ Wednesday, November 23, 2011 10:43 PM
    • Edited by Carl_B_ Wednesday, November 23, 2011 10:43 PM
    Tuesday, November 8, 2011 3:46 PM
  • Thanks for posting the workaround Carl, changing the region on my event collector got the descriptions coming through. A bit poor really when you consider both the event collector and the source computers were in the same region (en-gb)!

    Hopefully MS will fix shortly.

    Dave

    Monday, November 14, 2011 11:05 AM
  • No probs, glad it helped you Dave - there's also an option in the wecutil.exe to set the locale as en-gb, it doesnt fix the issue though....

    (for those interested the command is wecutil.exe ss (SubscriptionName) /locale:en-gb)

    Tuesday, November 15, 2011 1:47 PM
  • Worth noting that the problem appears to effect only 2008 R2 and Windows 7 clients - changing the regional settings to US on the machine setup to collect events will fix the issue - so no need to re-configure regional settings on your DCs....unless of course they are set up to collect events.

    Tuesday, November 15, 2011 1:50 PM
  • Hi all,

    changing regional settings help here also.

    But I thinks this is only cosmetic problem, because my SCOM and ACS write data to DB without problems from event collector machine.

    Tuesday, November 15, 2011 2:12 PM
  • So they're passed from source computer, to Event Collector, to SCOM and ACS?

    The SCOM and ACS DBs are fine...but the Event Collector has similar issues to the one I mention?

    Is that correct?

    Cheers for replying Sergei

    Wednesday, November 16, 2011 2:39 PM
  • Yes,

    I have ACS forwarder and OPSmgr Agent on Event log collector computer.

    Event log collector computer shows some of the forwarded events incorrectly like "The description for Event ID 104 from source Microsoft-Windows-Eventlog cannot be found"

    When I change regional settings on Collector computer, event log shows all events(also previous) correctly.

    Forwarded with ACS and Opsmgr Agent events  from collector computer were saved in DB correctly, even when event log show them incorrectly like "The description for Event ID 104 from source Microsoft-Windows-Eventlog cannot be found"

    Wednesday, November 16, 2011 3:07 PM
  • So must be a rendering issue on the collector machine via Event Viewer only....

    Still waiting for some news from MS, the 3rd party product team are looking at fixing their software so for us we may not have an issue - would be good to hear from MS though......

    Monday, November 21, 2011 11:36 AM
  • Any update from MS. We are having similar issue.
    Thursday, December 8, 2011 9:46 PM
  • Still being looked into Ntimbadia - will post if there's any update
    Carl Barrett | Twitter: @Mosquat
    Friday, December 9, 2011 8:56 AM
  • MS have listed this as a bug and arranged for it to be raised against their Windows 8 bug database.

    My call with MS has been closed so not expecting any further updates


    Carl Barrett | Twitter: @Mosquat

    Tuesday, February 21, 2012 4:07 PM
  • Thank you Barrett,

    I created subscripition on W2008R2 DC collector computer and collected certain event ID from other W2008R2 member server. On my collector computer I forwarded events log showed only:

    "The description for Event ID 104 from source Microsoft-Windows-Eventlog cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."

    After I followed your tip, all forwarded events were displayed correctly on my collector computer. Thanks!

    Friday, February 8, 2013 12:21 PM
  • No problem, glad someone was/has read the thread ;)

    Carl Barrett | Twitter: @Mosquat

    Friday, February 8, 2013 12:44 PM
  • well I read this today because I was referred here by a moderator in the IT forum. I probably shouldn't have posted my problem there (I don't normally post them because I usually find my answers there without having to post anything) because after reading the posts here it seems this issue (now at least 3 years old and still not fixed) has to do with a work domain and multiple computers. And I'm not in a work domain nor is my computer set up that way. Its a home pc and its not a regional issue because I'm in the US and my regional settings have always been set to English, united states. Even weirder is I've had this pc for 5 years and its never had these errors until a month ago. some are critical errors. (see)

    http://social.technet.microsoft.com/Forums/windows/en-US/72163cf9-c361-4f90-af45-ac30c955179f/kernel-registry-analytical-event-critical?forum=w7itproperf

    I've run scannow and chkdsk to be sure - no problems reported. I've even disabled the log but the errors keep happening.


    Of course, it's just my opinion....I could be wrong!

    Tuesday, March 4, 2014 1:32 AM
  • On the off chance you still look at this!

    I set up a collector initated subscription for server 2012 servers to be collected by a server 2012 server.

    When I tried to do a source initated one from a shedload of W7/W8 ones I had the same issue as you.

    Changed my collector machine to a (virtual) W7 one in case the OS wasnt recognising something in the events. All to no avail.

    Changed the regional settings and all worked within minutes!

    Thanks for posting. This would have taken me ages otherwise and probably led to a butt ugly hack.

    Friday, January 30, 2015 10:00 AM
  • Great news, glad I helped - looks like I do still have an alert for this post :)

    Cheers

    Carl


    Carl Barrett | Twitter: @Mosquat

    Friday, January 30, 2015 10:54 AM
  • Hello,

    I have Server 2012 environment (source and collector) and by changing the locale to en-us helped all logs but the Application log is still not showing properly. 

    Is your Application log working properly? Any ideas?

    Many thanks in advance

    Saturday, November 14, 2015 11:31 AM
  • Hello,

    I have a server 2012 environment (source and collector) and by changing the locale to en-us helped all logs but the Application log is still not showing properly. 

    Is your Application log working properly? 

    Many thanks in advance

    Saturday, November 14, 2015 11:32 AM
  • Unbelievable.... C'mon MS... stop putting your head in the cloud!
    Wednesday, May 25, 2016 12:14 PM