The description for Event ID… in source…. cannot be found

Body:

Don’t you hate it when you go to a server to review the event logs and it’s filled with

"The description for Event ID (NNNN ) in Source ( SOMETHINGGOODHERE ) cannot be found."

Now – in itself these don’t constitute a big problem. They may however be symptomatic of a larger issue. This is a pain as it means it’s very hard to read and decipher what is going on with a server and therefore how to fix it. I had this recently on one of my servers, and left it be for a while until last week when I had the sharepoint issues. I decided then that I had to take the time to clean up my servers event logs and get this fixed once and for all.

Each program or service that logs events to the event logs, needs to provide a set of registry settings that point to the location of the dll files that are used to decode the event log messages. If you take event logs from an SBS server and try to read them on an XP client then you’ll get lost of these "The description for event id.." messages simply due to the fact that the XP client has no way to interpret the messages themselves. With that knowledge in mind, we can star to look at my specific issue.

In my server I had the following error;

Event Type:                Information

Event Source:            MSSQL$MICROSOFT##SSEE

Event Category:            (2)

Event ID:                17147

Date:                        14/10/2007

Time:                        7:02:01 PM

User:                        N/A

Computer:                SERVERNAME

Description:

The description for Event ID ( 17147 ) in Source ( MSSQL$MICROSOFT##SSEE ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: .

Data: <Removed Data here as it does not matter for this blog post>

 

So the first place I looked was in the registry for this particular service to see what it was pointing to for the event log reader dlls. Under HKLM\System\CurrentControlSet\Services\EventLog you will find the sub hives of each event log. Within those you will see further sub hives for each program or service that is configured to log events to the event logs. The screen shot below shows that my event message file dll for this service is sqlevn70.dll and should be located under C:\Windows\sysmsi\ssee\mssql.2005\mssql\binn\resources – note this screen shot is from the system I was troubleshooting.


 

Knowing this, I went to that folder location and found that there was a 3kb file there with that name. Strange I thought – let’s compare it to a known working machine. The screen below is from a good server. Note that the event log dll is in a 1033 subdirectory.


 

I checked the faulty server and whilst we had this directory, it didn’t have the right file. I figured that the given there were other instances of SQL 2005 on this server, I could find the right file and put it into the right location. I did a search on the servers hard drive and found the following;


 

I then copied and pasted it into the correct location (as per my known good server), modified the registry entries to reflect the new file location, and then did a reboot of the server.


 

Ok – so after the reboot, of the server, I can now read the event log messages. The one from the top of this post now reads correctly as per below.

Event Type:        Information

Event Source:        MSSQL$MICROSOFT##SSEE

Event Category:    (2)

Event ID:        17147

Date:            14/10/2007

Time:            7:02:01 PM

User:            N/A

Computer:        SERVERNAME

Description:

SQL Server is terminating because of a system shutdown. This is an informational message only. No user action is required.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data: <Removed Data here as it does not matter for this blog post>

 

See – much easier to read now that we can see whats in the event logs. This example hopefully will help you figure out how to go about sorting things for your own event logs.

Category: Event Log Errors
Published: 16/10/2007 2:18 PM

Leave a Reply

Your email address will not be published. Required fields are marked *