Follow

Remedy Windows Agent Eventlog Error ELC01202 "Unable to Query Eventlog" | How To

Description

The following article describes how to remedy a Windows agent that is showing the error "Unable to query eventlog".

The error looks like this:

This error is generated when the Windows Eventlog Policy in the Alert Logic console is set up to collect on certain streams, but the agent does not have access to some or all of the selected streams. If any selected log stream does not exist on the host or cannot be collected for any reason, the log source will stay in error until the specific log stream can be collected or the selected stream is deselected.

Solution

To remedy the Windows agent eventlog error, you can follow either of the following sets of instructions.

Option 1

Verify that the log stream is being generated by the host by confirming that they are configured in the Windows Eventlog Policy Settings and that logs are being generated of that type. Event logs can be viewed in the Microsoft Windows Event Viewer of the host generating the logs.

Option 2

Manually update your Windows Eventlog Policy to no longer include unnecessary log streams.

If you are using the Classic Alert Logic console, complete the following steps:

  1. Within the Alert Logic console, navigate to the Log Manager page.

  2. Under Policies in the menu on the left-hand side, choose Windows Eventlog.

  3. In the column of the Windows Eventlog Policy in question, click on the pencil icon, which indicates Edit. You are now viewing the configuration of this eventlog policy.

  4. Clear the check boxes under the section Alert and Collect on Selected Streams that are not: ApplicationSystem, or Security. In other words, only ApplicationSystem, and Security boxes should be checked, so that unnecessary log streams are not selected for collection.
    You should no longer see error codes.

If you are using the new Alert Logic console, complete the following steps:

  1. On the Alert Logic console homepage, click Log Manager from the list of tabs near the top of the screen.
  2. In the Log Manager sub-menu, click Policies.

  3. In the Policies menu on the left, click Windows Eventlog.

  4. Find the Windows Eventlog that is in error and click its Pencil (Edit) icon. The Windows Eventlog policy configuration pane opens.

  5. In the Windows Eventlog policy configuration pane, select the Application, System, and Security policies checkboxes. Clear all other checkboxes.
    You should no longer see error codes.

Additional Information

For more information about setting up collection policies for Windows eventlog, refer to our Work with Eventlog Policies documentation.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.