The following article describes how to remedy a Windows agent that is showing the error "Unable to query eventlog".
This error is generated when the Windows Eventlog Policy in the Alert Logic console is set up to collect on certain streams, but the agent does not have access to some or all of the selected streams. If any selected log stream does not exist on the host or cannot be collected for any reason, the log source will stay in error until the specific log stream can be collected or the selected stream is deselected.
Note: The following information applies only to customers with Alert Logic® Cloud Defender™ or Alert Logic Log Manager™ entitlements.
To remedy the Windows agent eventlog error, you can follow either of the following sets of instructions.
Verify that each log stream selected in the Windows Eventlog Policy Settings actually exists on the host and that the host is generating events of that type. Event logs can be viewed in the Microsoft Windows Event Viewer of the host generating the logs.
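The check above can be scripted on the host instead of clicking through Event Viewer. The following PowerShell is an added example, not code from the Alert Logic article or agent; it assumes the three channel names that the article's policy steps keep selected (Application, System, Security) and a 24-hour look-back window, both of which you should adjust to match your own policy. For each selected channel it reports whether the channel is missing, disabled, empty in the window, or unreadable by the current account, which maps directly onto the reasons the log source stays in error.

```powershell
# Added example (not part of the Alert Logic article): confirm that the event
# log channels selected in a Windows Eventlog Policy exist on this host, are
# enabled, have recent events, and can be read by the account running the check.
# $SelectedChannels and $LookbackHours are assumptions; edit them to match your policy.
$SelectedChannels = @('Application', 'System', 'Security')
$LookbackHours    = 24

foreach ($channel in $SelectedChannels) {
    # -ListLog returns the channel configuration; a channel that does not exist
    # produces no object when errors are silenced.
    $cfg = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    if (-not $cfg) {
        Write-Output "[$channel] channel does not exist on this host -> deselect it in the policy or enable the role/feature that creates it"
        continue
    }
    if (-not $cfg.IsEnabled) {
        Write-Output "[$channel] channel exists but is disabled (RecordCount=$($cfg.RecordCount), Path=$($cfg.LogFilePath))"
        continue
    }

    # Read the newest event inside the look-back window. Reading the Security
    # channel requires membership in Administrators or Event Log Readers, so an
    # access-denied error here points at the collecting account's rights, not at
    # the channel itself. "No events were found" is also reported as a
    # non-terminating error, so the two cases are told apart by exception type.
    $err    = $null
    $latest = Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = (Get-Date).AddHours(-$LookbackHours) } `
                           -MaxEvents 1 -ErrorAction SilentlyContinue -ErrorVariable err

    if ($err -and $err[0].Exception -is [System.UnauthorizedAccessException]) {
        Write-Output "[$channel] exists but access was denied -> grant the collecting account Event Log Readers or run elevated"
    }
    elseif (-not $latest) {
        Write-Output "[$channel] exists and is enabled but has no events in the last $LookbackHours h (RecordCount=$($cfg.RecordCount))"
    }
    else {
        Write-Output "[$channel] OK - newest event $($latest.TimeCreated) (RecordCount=$($cfg.RecordCount))"
    }
}
```

Run it in the same security context the agent uses so that the access-denied branch reflects what the agent actually sees. To find out which channels on the host do hold data before deciding what to keep selected, `Get-WinEvent -ListLog * | Where-Object RecordCount -gt 0` lists every channel with at least one record.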
Manually update your Windows Eventlog Policy to no longer include unnecessary log streams.
- In the Alert Logic console, click Configuration in the main menu and then click Log Management in the submenu.
- In the left sidebar, click Policies.
- In the Policies menu on the left, click Windows Eventlog.
- Find the Windows Eventlog that is in error and click its Pencil (Edit) icon. The Windows Eventlog policy configuration pane opens.
- In the Windows Eventlog policy configuration pane, select the Application, System, and Security checkboxes. Clear all other checkboxes.
The Windows Eventlog log source should no longer show the "Unable to query eventlog" error.
For more information about setting up collection policies for Windows eventlog, refer to our Work with Eventlog Policies documentation.