Tip 11: Troubleshooting SharePoint Events Log Entries with EventTriggers.exe
This tip is for Windows SharePoint Services 2.0/3.0, SharePoint Portal Server 2003, Microsoft Office SharePoint Server 2007, SharePoint Foundation 2010, SharePoint Server 2010 and really any Windows computer, XP and up which is writing an Event Log entry that needs investigation.
If you have ever had to troubleshoot specific Windows Event Log events on your SharePoint servers you know it can be quite challenging. There may be instances when the servers are producing an event on off hours or the event does not occur at a specific time each day, this usually makes collecting the needed information hard to accomplish. This tip will help you collect any information you would like to help narrow down and resolve issues that occur when a Windows event occurs.
So you don’t want to stay up until 3:00AM gathering information for an event, I don’t blame you. Let’s see how we can use Windows 2003 or Windows 2008 EventTriggers.exe to collect some information for us. We will pretend that a server is logging Application event 3355 each day at 3:00AM. *See here for more information if you are actually seeing this event. We will collect some information each time the 3355 event occurs and log the information to a log file that you can look at, at a more reasonable time.
Create a batch file that will be used to run the commands needed to capture the data. Open an Explorer window and enter C:Temp in the address line. If there is no Temp folder, then create one. You can use any folder, but will have to change the EventTriggers command to whichever path you choose below. Right-Click and create a new text file called event.cmd.
Open the event.cmd file in Notepad and add the following lines and save the file; you can change the commands depending on what you would like to capture, but this is a good baseline of some information to capture.
If you have Network Monitor installed on the server and are troubleshooting a possible networking issue like the above example; you can also add the lines below to the event.cmd file like the following to capture network traffic for 30 seconds when the event occurs.
New commands can be added to the event.cmd file by using the format:
COMMAND ARGUMENTS > “.%LOG%LOGNAME.log”
Create the event trigger scheduled task that will run our event.cmd file each time an event occurs.
Now whenever the event 3355 occurs on the server; there will be process and network information in the C:TempEvent3355_DateTime folder which can be investigated at any time.