Don’t you hate it when you go to a server to review the event logs and it’s filled with
“The description for Event ID (NNNN ) in Source ( SOMETHINGGOODHERE ) cannot be found.”
Now in itself these don’t constitute a big problem. They may however be symptomatic of a larger issue. This is a pain as it means it’s very hard to read and decipher what is going on with a server and therefore how to fix it. I had this recently on one of my servers, and left it be for a while until last week when I had the sharepoint issues. I decided then that I had to take the time to clean up my servers event logs and get this fixed once and for all.
Each program or service that logs events to the event logs, needs to provide a set of registry settings that point to the location of the dll files that are used to decode the event log messages. If you take event logs from an SBS server and try to read them on an XP client then you’ll get lost of these “The description for event id..” messages simply due to the fact that the XP client has no way to interpret the messages themselves. With that knowledge in mind, we can star to look at my specific issue.
In my server I had the following error;
Event Type: Information
Event Source: MSSQL$MICROSOFT##SSEE
Event Category: (2)
Event ID: 17147
Date: 14/10/2007
Time: 7:02:01 PM
User: N/A
Computer: SERVERNAME
Description:
The description for Event ID ( 17147 ) in Source ( MSSQL$MICROSOFT##SSEE ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: ?.
Data:
So the first place I looked was in the registry for this particular service to see what it was pointing to for the event log reader dlls. Under HKLM\System\CurrentControlSet\Services\EventLog you will find the sub hives of each event log. Within those you will see further sub hives for each program or service that is configured to log events to the event logs. The screen shot below shows that my event message file dll for this service is sqlevn70.dll and should be located under C:\Windows\sysmsi\ssee\mssql.2005\mssql\binn\resources note this screen shot is from the system I was troubleshooting.
Knowing this, I went to that folder location and found that there was a 3kb file there with that name. Strange I thought let’s compare it to a known working machine. The screen below is from a good server. Note that the event log dll is in a 1033 subdirectory.
I checked the faulty server and whilst we had this directory, it didn’t have the right file. I figured that the given there were other instances of SQL 2005 on this server, I could find the right file and put it into the right location. I did a search on the servers hard drive and found the following;
I then copied and pasted it into the correct location (as per my known good server), modified the registry entries to reflect the new file location, and then did a reboot of the server.
Ok so after the reboot, of the server, I can now read the event log messages. The one from the top of this post now reads correctly as per below.
Event Type: Information
Event Source: MSSQL$MICROSOFT##SSEE
Event Category: (2)
Event ID: 17147
Date: 14/10/2007
Time: 7:02:01 PM
User: N/A
Computer: SERVERNAME
Description:
SQL Server is terminating because of a system shutdown. This is an informational message only. No user action is required.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
See much easier to read now that we can see whats in the event logs. This example hopefully will help you figure out how to go about sorting things for your own event logs.
Luis Miranda says
Thanks! I almost put all the pieces together, except i was missing a reboot, the the message .dll was picked up correctly!
Anonymous says
Now I ust have to figure out what to do for ones where the reg key for the source doesn’t exist, and i can’t find it on any other server either…. 🙁
Greg says
I never took the time to try and fix this myself, I appreciate your posting a thorough explanation of how you worked it out.
Carl says
Simplier but in the same line…
You can take a copy of the sqlevn.rll.MUI file and rename it to sqlevn70.rll in the path found in the registry. The error is due to the fact that the file is missing info. I suspect that this is because WSS use the WID database which is a subset of MS express and it is looking for error message ID that it would have found in MS SQL.