RSA Admin

Erroneous "No matching data found" messages in Event Viewer?

Discussion created by RSA Admin Employee on Jan 8, 2009
Latest reply on May 7, 2015 by RSA Admin

Whenever searching for events for a particular device in the Event Viewer (Analysis | Event Viewer | Message View), does anybody else find that sometimes it wrongly returns "No matching data found"?  So you double-check to make sure that you aren't accidentally filtering the data (ex: accidently having left data in the query fields of the advanced filter options, the wrong device, or the wrong time frame), but it still returns nothing even though you know there actually are valid events?

 

I always found this to ocasionally be an issue.  But today I just spent the last hour troubleshooting a device that didn't seem to return any data even though I could confirm by looking at the actual log files (E:\nic\lsnode\data\*enVision-Node*\*device*\*IP*\*date*\) and by the NIC events that the RSA did in fact have the events.  Only after using the Event Explorer tool (Start | Programs | Network Intelligence Corporation | Event Explorer | Event Explorer) and finding the events, then going back in the Event Viewer and searching again, did I find those events.

 

I'm 99% sure its not user error.  Almost seems like a weird bug that happens randomly.  What usually fixes it is searching for events for another device, and when it returns data (any data) for that device, going back to the original device and searching again.  But today was way more involved than that.  And yes, I'm always double-checking to make sure that the query fields are clear of data, with the proper device, and the proper time frame.

 

Just wanted to check if anybody else is experiencing this, or if its just me.  I suppose it could also be an issue with my computer as well.

 

 

enVision v3.7.0 Build: 0215
Windows Server 2003 R2 Enterprise x64 Edition


IE 7.0.5730.13
Windows XP SP3

Outcomes