Viewing Saved FRS, DNS and Directory Service Event Logs and Events on Windows XP Non-Domain Domain Controllers

When viewing events from saved event logs, you may see the following message: Windows 2000 Event Viewer allows the user to save an event log as an .evt file, which you can then copy and view on another computer as an event log from Event Viewer for offline review. However, the event descriptions and categories are only available if the computer that is running Event Viewer has the components installed that generated the events in the event log; otherwise, the message above is displayed when you attempt to view events.

In particular, the logs for DNS, File Replication Service (FRS), and Directory Service are only legible if the computer that is running Event Viewer is itself a Windows 2000 domain controller. This condition also applies to other optional or third-party components (such as Microsoft Exchange Server) that create their own event logs or that write events to the System or Application logs.

In Whistler Server, Event Viewer contains the command-line switch, /auxsource= to facilitate the reading of saved event logs.

Event Viewer contains an implicit assumption that a saved event log should be stored and viewed on the computer that generated the log. The originating computer supports all the required log types and components to display its own event logs. DNS, FRS, or Directory Service logs may not be visible when you view them from computers other than the source computer.

When you open a saved event log in Event Viewer, you select the type of event log to use: Application, Security, System, and so forth. The list of event log types is read from the computer that is hosting the .evt file on a network share, and it is then combined with the list of event log types on the computer that is running the Event Log Snap-in. If the saved event log is on a remote computer on which you are not an administrator, or a remote computer on which the Remote Registry Service is not running, Event Viewer cannot retrieve information about the log types that are supported by the remote computer. You definitely cannot retrieve event descriptions or categories if the actual type of the log (for example, FRS, DNS or Directory Service) does not appear in this list. In addition, even if the correct log type is in this list, some events may have been generated by components that were only installed on the computer that generated the saved event log, and not on the local computer or the computer that is hosting the .evt file. In this case, descriptions and categories may be available for some events in the log and not for others.

The /AUXSOURCE Switch

With the /auxsource switch that is used in conjunction with the start up of the Eventviewr.msc snap-in, you can specify the name of a Windows 2000 or Windows XP domain controller that is authoritative for the log types and messages that are contained in a saved event log. For example: Point the /auxsource entry to the computer (typically a domain controller or application server) that generated the saved log file, or to a computer that has the same operating system version and applications installed. Event Viewer reads the event log types and event message information from the /auxsource computer, which allows log entries for components installed on the /auxsource computer to be resolved. For example, the /auxsource computer must have DNS installed to view saved DNS logs and messages.

The event message support in Windows XP is expected to be a superset of the Windows 2000 message strings, so by pointing the /auxsource computer to a Windows XP-based domain controller, you should be able to view messages in saved event logs from Windows 2000 and Windows XP-based computers. Conversely, viewing saved event logs that originate from a Windows XP-based computer while pointing the /auxsource switch to a Windows 2000 domain controller may result in the error that is noted in the "Summary" section in this article.

To view event log messages beyond the base operating system, the /auxsource computer should have the application that generates the event message installed, or the required registry settings and message .dll files that are needed to view the saved logs. In this way, administrators can build reference servers that contain registry settings and message .dll files that are needed to view event logs and messages of interest.

The /auxsource= computer can be identified as follows:

Credentials

You must be able to access the registry on the server that is specified in the /auxxource= switch as an administrator. If you are not logged on as an administrator on that server, you can run Event Viewer by using the runas command, or you can establish a connection to the IPC$ share of the /auxsource= computer by using the following command-line syntax: Note: If the remote computer does not allow remote registry access (possibly because the Remote Registry Service is not running), it will not work as the auxsource= computer even if you are an administrator on the remote computer.

The inability to establish the necessary security rights that are needed on the /auxsource= computer is silent, which means that no errors are displayed but it is evident when you do not see the advanced log types in the Open log file dialog box. In place of the IPC$ connection, you can create matching username and passwords in the domain of the /auxsource= server.

Performance

For best results, the client that is viewing saved event logs should point to an /auxsource computer that is connected over a fast network link and that is ideally in the same subnet and physical site. Using /auxsource servers that are connected over slow links slows performance when you are loading saved logs or scrolling through event message with the UP and DOWN arrow keys.

Artifacts in Event Log Messages

The /auxsource= workaround only applies when you receive the following error message: Other anomalies, which are unrelated to this issue, may occur when you are viewing an event log. For example: In this case, the "%4" appears in the description text because there are only 3 actual strings in the additional data. This is a minor error in the software component that generated the event log message, or it is possibly a compatibility issue between the version of the software component which generated the event log message, and the version of the software component running on the local computer or the /auxsource= computer.

Using the Windows XP Els.dll File in Windows 2000-Based Computers

The /auxsource= switch has no effect on Windows 2000-based computers. The Windows XP Els.dll file that enables the /auxsource= switch is not supported by Microsoft on Windows 2000-based computers. If you copy the Windows XP Els.dll file to a Windows 2000-based computer, and then you open Event Viewer, you receive the following error message:

Event Logs on a Cluster Server (MSCS)

All nodes in a cluster replicate event log entries to each other.