Tag: Eventlog

Error: IIS6 Error EventID 1059 and 1021

Just a had a problem with an application pool which always crashed after start. The application pool worked some days ago without any problems. After watching den System Eventlog I got the Error with Event ID 1059 and a Warning with Event ID 1021.
I had this problem on a Windows Server 2003 SP2 with all the latest patches
EventID 1059
Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1059
Date: 27.05.2011
Time: 11:49:31
User: N/A
Computer: WEB-WIN
Description:
A failure was encountered while launching the process serving application pool 'www.domain.ch'. The application pool has been disabled.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

EventID 1021
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 1021
Date: 27.05.2011
Time: 11:50:01
User: N/A
Computer: WEB-WIN
Description:
The identity of application pool, 'www.domain.ch' is invalid. If it remains invalid when the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 07 80 ...€

The Solution for this problem is very simple. Just reset the password of the specific IUSR and don’t forget to reset the password for the application pool identity.


PowerShell

PowerShell: How to export Windows Eventlogs with PowerShell

This is a little dirty Windows PowerShell script which exports or backups Windows Eventlogs. The script creates a .evt file which can be used with the Windows Eventlog Viewer.

# Config
$logFileName = "Application" # Add Name of the Logfile (System, Application, etc)
$path = "C:\temp\" # Add Path, needs to end with a backsplash
 
# do not edit
$exportFileName = $logFileName + (get-date -f yyyyMMdd) + ".evt"
$logFile = Get-WmiObject Win32_NTEventlogFile | Where-Object {$_.logfilename -eq $logFileName}
$logFile.backupeventlog($path + $exportFileName)

And with the next code it cleans up older exported Eventlogs.

# Deletes all .evt logfiles in $path
# Be careful, this script removes all files with the extension .evt not just the selfcreated logfiles
$Daysback = "-7"
 
$CurrentDate = Get-Date
$DatetoDelete = $CurrentDate.AddDays($Daysback)
Get-ChildItem $Path | Where-Object { ($_.LastWriteTime -lt $DatetoDelete) -and ($_.Extension -eq ".evt") } | Remove-Item

UPDATE: If you wanna clean the Eventlog after the export you can do that by using the Clear-Eventlog cmdlet. (Thanks to Michel from server-talk.eu)

Clear-Eventlog -LogName $logFileName

And here the whole “script”

# Config
$logFileName = "Application" # Add Name of the Logfile (System, Application, etc)
$path = "C:\temp\" # Add Path, needs to end with a backsplash
 
# do not edit
$exportFileName = $logFileName + (get-date -f yyyyMMdd) + ".evt"
$logFile = Get-WmiObject Win32_NTEventlogFile | Where-Object {$_.logfilename -eq $logFileName}
$logFile.backupeventlog($path + $exportFileName)
 
# Deletes all .evt logfiles in $path
# Be careful, this script removes all files with the extension .evt not just the selfcreated logfiles
$Daysback = "-7"
 
$CurrentDate = Get-Date
$DatetoDelete = $CurrentDate.AddDays($Daysback)
Get-ChildItem $Path | Where-Object { ($_.LastWriteTime -lt $DatetoDelete) -and ($_.Extension -eq ".evt") } | Remove-Item
Clear-Eventlog -LogName $logFileName

Also check out my blog post about deleting files older than a specific date using PowerShell.