The following article describes how to remedy a Windows agent that is showing the error "Unable to query eventlog".
The error appears against the affected log source as "Unable to query eventlog".
This error is generated when the Windows Eventlog Policy in the Alert Logic user interface (UI) is set up to collect on certain streams, but the agent does not have access to some or all of the selected streams. If any selected log stream does not exist on the host or cannot be collected for any reason, the log source will stay in error until the specific log stream can be collected or the selected stream is deselected.
To remedy the Windows agent eventlog error, follow either of the following approaches.
Verify that the host is actually generating each log stream selected in the Windows Eventlog Policy: confirm that every selected stream exists on the host and that events of that type are being written to it. Event logs can be inspected in Microsoft Windows Event Viewer on the host that generates them.
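The host-side check above can be scripted. The following PowerShell is an added example, not Alert Logic's own tooling: for each stream name you have checked in the policy it reports whether the channel exists, is enabled, holds any records, and can actually be read. The stream list assigned to $SelectedStreams is an assumption standing in for whatever is selected in your policy; a stream that comes back MISSING, DISABLED or UNREADABLE is one the agent cannot collect and will keep the source in error until it is fixed or deselected.

```powershell
# Added example (not Alert Logic code). Run in an elevated PowerShell session:
# the Security channel is not readable without administrative rights.
# The stream names below are assumed; replace them with the streams checked
# under "Alert and Collect on Selected Streams" in the policy being diagnosed.
$SelectedStreams = @(
    'Application',
    'System',
    'Security',
    'Microsoft-Windows-Sysmon/Operational'   # assumed extra stream, may not exist
)

function Test-EventLogStream {
    param([Parameter(Mandatory)][string]$Stream)

    # -ListLog with -ErrorAction SilentlyContinue returns $null for an unknown channel.
    $log = Get-WinEvent -ListLog $Stream -ErrorAction SilentlyContinue
    if (-not $log) {
        return [pscustomobject]@{ Stream = $Stream; Status = 'MISSING';  Detail = 'channel does not exist on this host; deselect it in the policy' }
    }
    if (-not $log.IsEnabled) {
        return [pscustomobject]@{ Stream = $Stream; Status = 'DISABLED'; Detail = 'channel exists but is disabled; enable it or deselect it' }
    }

    # Try to read the newest event. Failure here is either an empty channel or an
    # access problem; RecordCount from -ListLog tells the two apart.
    try {
        $newest = Get-WinEvent -LogName $Stream -MaxEvents 1 -ErrorAction Stop
        return [pscustomobject]@{
            Stream = $Stream; Status = 'OK'
            Detail = ('{0} records, newest written {1:u}' -f $log.RecordCount, $newest.TimeCreated)
        }
    }
    catch {
        if ($log.RecordCount -eq 0) {
            return [pscustomobject]@{ Stream = $Stream; Status = 'EMPTY';      Detail = 'channel enabled but nothing has logged to it yet' }
        }
        return [pscustomobject]@{ Stream = $Stream; Status = 'UNREADABLE'; Detail = $_.Exception.Message }
    }
}

$SelectedStreams | ForEach-Object { Test-EventLogStream -Stream $_ } | Format-Table -AutoSize
```

Because the script runs with whatever rights the current session has, an OK result from an administrator prompt only proves the channel exists and has data; if the agent's service account differs from the account you ran this under, re-run it as that account (or compare the channel's ACL) to confirm the agent itself can read the stream.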
Manually update your Windows Eventlog Policy to no longer include unnecessary log streams.
- Within the Alert Logic UI, choose Log Manager from the drop-down menu in the top left corner.
- Under Policies in the menu on the left-hand side, choose Windows Eventlog.
- In the column of the Windows Eventlog Policy in question, click on the pencil icon, which indicates Edit. You are now viewing the configuration of this eventlog policy.
- Under Alert and Collect on Selected Streams, clear every check box except Application, System, and Security, so that only those three streams remain selected and no unnecessary or non-existent stream is scheduled for collection.
The "Unable to query eventlog" error should no longer appear against the log source.
For more information about setting up collection policies for Windows eventlog, refer to our Work with Eventlog Policies documentation.