Stop EventSentry from writing an event to the log file?

I am testing EventSentry on Server 2003. Since installation, the application log is getting filled with 'A scheduled task has been changed':
Event ID: 12412
Source: EventSentry
Category: Scheduled Tasks
Name: C:\Program Files\Google\Update\GoogleUpdate.exe
Field Changed: Trigger Count

It adds 2 entries every 3 minutes of this noise to the application log. The default GoogleUpdate exclusion did not work as I was getting emails each time. I figured out how to add an exclusion that worked to stop the emails. My question now is can I actually stop EventSentry from writing this particular event to the application log?

Comments

  • Hello Stephen,

    This is a bug that we are aware of with scheduled task monitoring, and affects Windows Server 2003 only. We have a patch in development for this bug, the patch is making its way through QA and we expect to release it early next week.

    In the meantime, the excessive event log entries are caused by having multiple scheduled tasks for the same exe with different parameters. So if you were to look in your scheduled tasks, you probably have a task for something like this:
    C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
    as well as a task for something like this:
    C:\Program Files\Google\Update\GoogleUpdate.exe /c

    The bug causes both tasks to be detected as only "C:\Program Files\Google\Update\GoogleUpdate.exe" and it detects the different settings on each task as multiple changes to a singular task. You could disable both tasks to bypass the bug, and then enable both tasks again when the patch is available.
  • Thanks for the quick reply.
  • edited August 2015
    I found both tasks and disabled them. However, the events continue to show up in the log. Very strange.
  • Hello Stephen,

    Build 3.1.1.88 of the agent fixes this problem with the scheduled task monitoring on Windows Server 2003. You can download the updated agent here:
    https://www.netikus.net/downloads/temp/eventsentry_svc3-1-1-88.zip

    Please note that we have completely overhauled the way that scheduled tasks are catalogued and monitored for Windows Server 2003. You will now be able to see the job name (such as "At1.job" or "custom task.job") in the event details, you will now be able to see all task and command parameters in the event details, and the events will display more details to help with analysis when there are multiple copies of the same exact task functions but with different job schedules. The first time the agent starts with this new version, you will see several EventSentry 12411 (Scheduled Task was removed) and EventSentry 12410 (Scheduled Task was added) events in the Application log, one task removed event and one task added event for each scheduled task that currently exists. After these initial 12411 and 12410 events are generated, the scheduled task monitoring will function normally and only generate events when a task is added, modified, or removed.

    To install the update on an individual machine, you can stop the EventSentry service and then paste the new unzipped version over the existing version in C:\Windows\SysWOW64\eventsentry and then start the EventSentry service again. To upgrade all machines, stop the EventSentry service on your EventSentry server, make sure the EventSentry console is closed, paste the new unzipped version over the existing version in both C:\Windows\SysWOW64\eventsentry and C:\Program Files (x86)\EventSentry, and then start the EventSentry service and open the EventSentry console. You can then click Groups > Other Options > Upgrade/Update > Go in the toolbar, and then all of your agents will be updated.
  • edited August 2015
    Thanks for the response. I am running it on Windows Server 2003 32bit so there is no SysWOW64 folder. I tried putting it in C:\Windows\System32\eventsentry, but got an expired license error. I assume that is because I am currently running the lite version.
  • I saw that version 3.1.1.90 was released. I downloaded and upgraded. Unfortunately, that has not resolved the issue. I also did not get the "one-time "new task detected" alert for each installed task on a 2003/XP machine" in the event log on my server.
  • Also, the Event Log filter does not seem to work for the following:
    System
    DNS Server
    File Replication Service

    When I put in a known event id in the filter box, I get no results. However, it works fine on Application, Security & Directory Service logs.
  • I am finding the filter is not reliable on the logs I can get it to work on. It will work the first time and then when I clear the filter and try to search on another ID, it comes up blank. If I search on another log and come back to the previous log, I can successfully search one time. Except certain events won't come up in the filter at all. I was trying to search for 3033 in the Application log and it came up blank every time. I would clear the filter and see it in the log so I know it is there. Very strange.
  • I did find a solution to getting rid of the GoogleUpdate scheduled task warnings filling the event log. I went to Packages > System Health > Scheduled Tasks > Scheduled Tasks. I added the following to the Excluded task list:
    GoogleUpdateTaskMachineCore
    GoogleUpdateTaskMachineUA
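
The support reply above attributes the noise to several scheduled tasks that run the same executable with different parameters. As an added example (not part of the thread and not EventSentry code), this Python script finds such tasks in CSV output from `schtasks /query /fo csv /v`; the sample rows, the host name, and the `TaskName` / `Task To Run` column names are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample, trimmed to the columns used here; real verbose output
# from `schtasks /query /fo csv /v` carries many more columns.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run"
"SRV2003","GoogleUpdateTaskMachineCore","C:\Program Files\Google\Update\GoogleUpdate.exe /c"
"SRV2003","GoogleUpdateTaskMachineUA","C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler"
"SRV2003","NightlyBackup","C:\WINDOWS\system32\ntbackup.exe"
'''

# Split a command line into executable path and arguments. Paths may contain
# spaces and may or may not be quoted, so cut at the first program extension.
CMD_RE = re.compile(r'^"?(.+?\.(?:exe|bat|cmd|com))"?(?:\s+(.*))?$', re.I)


def split_command(command):
    m = CMD_RE.match(command.strip())
    if not m:
        return command.strip().lower(), ""
    return m.group(1).lower(), (m.group(2) or "").strip()


def load_tasks(csv_text):
    tasks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe, args = split_command(row["Task To Run"])
        tasks.append({"name": row["TaskName"], "exe": exe, "args": args})
    return tasks


def colliding_tasks(tasks):
    """Executables referenced by more than one task with differing arguments."""
    by_exe = defaultdict(list)
    for t in tasks:
        by_exe[t["exe"]].append(t)
    return {exe: sorted(t["name"] for t in group)
            for exe, group in by_exe.items()
            if len({t["args"] for t in group}) > 1}


if __name__ == "__main__":
    for exe, names in colliding_tasks(load_tasks(SAMPLE_CSV)).items():
        print(exe, "->", ", ".join(names))
```

The task names it reports are the ones that would share a single identity when tasks are tracked by executable path alone.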