Citrix Event IDs 1000 to 1201 to Monitor with Splunk

Citrix Event ID

Splunk loves logs. Here is the next batch of Citrix Event Codes to search for when monitoring Citrix XenDesktop in your environment. These are all produced in the regular Windows Application Event Log. So monitor that and you’ll find these. More Citrix Event Codes to follow. Let me know if you find one that is not on the list and I’ll add it. I’m also working on Splunk queries to find these Event IDs. I’ll post those as well.

Looking for Citrix Event IDs 1 to 509

Looking for Citrix Event ID 2000 to 2102

Event ID to Monitor
Event Message Text
Event ID 1000
Application Error; Faulting Application name: SoapServer.exe
Event ID 1000
Citrix XYZ
Event ID 1000
Service Started Successfully – Task Category = None
Event ID 1001
BEX64; Problem signature: StreamProcess.exe; SoapServer.exe; APPCRASH
Event ID 1001
The Citrix Desktop Service failed to obtain a list of delivery controllers with which to register. Please ensure that the Active Directory configuration for the farm is correct, that this machine is in the appropriate Active Directory domain and that one or more delivery controllers have been fully initialized. Refer to Citrix Knowledge Base article CTX117248 for further information. Error details: Exception ‘Exception of type ‘System.OutOfMemoryException’ was thrown.’ of type ‘System.OutOfMemoryException’
Event ID 1001
Service Stopped Successfully
Event ID 1002
The Citrix Broker Service is ready to accept connections from virtual machines
Event ID 1011
The Citrix Broker Service successfully initialized the Windows Communication Foundation (WCF) services required for interaction between this machine and virtual machines.
Event ID 1023
SoapServer.exe The process was terminated due to an internal error in the .NET Runtime
Event ID 1026
SoapServer.exe The process was terminated
Event ID 1028
Citrix XYZ Service
Event ID 1028
Service stopped successfully
Event ID 1029
Restart required
Event ID 1030
Otherwise unhandled exception in WCF call : Citrix.Fma.Sdk.ServiceCore.AuthorizationFailureException: Missing delegated admin provider
Event ID 1038
Windows Installer requires a system restart
Event ID 1039
Exception ‘Client is unable to finish the security negotiation within the configured timeout (00:03:20).
Event ID 1039
Broker serviced failed to contact virtual machine
Event ID 1040
The Citrix Broker Service failed to contact several virtual machines.
Event ID 1041
The Citrix Broker Service successfully communicated with virtual machines registered with this server. It is no longer suppressing related messages (event ID 1039).
Event ID 1042
Ending Windows Installer Transaction
Event ID 1060
The Citrix Broker Service failed to apply settings on the virtual machine
Event ID 1060
Check that the virtual machine can be contacted from the controller
Event ID 1061
The Citrix Broker Service successfully applied settings on virtual machine
Event ID 1063
The Citrix Broker Service failed to apply settings on several virtual machines.
Event ID 1064
The Citrix Broker Service successfully applied settings on virtual machines registered with this server, It is no longer suppressing related messages (event ID 1060).
Event ID 1065
The Citrix Broker Service failed to determine the base settings needed for the VDA of machine
Event ID 1065
Please restart this machine
Event ID 1066
The Citrix Broker Service successfully determined the base settings needed for the Virtual Desktop Agent of machine ‘NVDE01S0PRD0630.eucom.mil’.
Event ID 1101
The Citrix Broker Service cannot find any available virtual machines.
Event ID 1101
Please add more virtual machines to the site.
Event ID 1102
The Citrix Broker Service failed to broker a connection for user to resource ‘InteractionDesktop 2016 R4’. The virtual machine ‘..’ rejected a request to prepare itself for a connection. This problem usually indicates that the virtual machine is engaged in an activity such as restarting, entering a suspended state, or processing a recent disconnection or logoff.
Event ID 1102
If this problem persists please restart the virtual machine
Event ID 1106
Client printer auto-creation failed. The driver could not be installed. Possible reasons for the failure: The driver is not in the list of drivers on the server. The driver cannot be located. The driver has not been mapped. The driver is a V4 driver. Client name: (NVDE01S0PRD0420) Printer: (ODC Moldova Xerox on NEMD01CPV01 (from NVDE01S0PRD0420) in session 2) Printer driver: (Xerox GPD PCL6 V3.5.404.8.0)
Event ID 1110
To avoid excessive event logging, the service is temporarily suppressing related messages (event IDs 1100-1109, 1112-1118).
Event ID 1112
The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
Event ID 1114
An error or timeout occurred when starting up a hosted virtual machine
Event ID 1116
The Citrix Broker Service failed to broker a connection for user
Event ID 1116
A communication error occurred when attempting to prepare the virtual machine. Exception ‘Client is unable to finish the security negotiation within the configured timeout (00:03:20
Event ID 1150
The Citrix Broker Service successfully contacted the license server
Event ID 1151
The Citrix Broker Service cannot contact the license server
Event ID 1154
This controller has entered an emergency licensing grace period because it could not contact the license server
Event ID 1156
This controller is no longer in an emergency licensing grace period
Event ID 1193
Registration request for worker S-1-5-21-349569451-1364216223-538272213-207502 (EUCOM\NVDE01S0PRD0238) was rejected due to an unknown error
Event ID 1194
Registration Rejected Broker was unable to contact the worker during the registration process
Event ID 1196
This controller has entered a licensing grace period due to exhausting all usable licenses on the license server
Event ID 1196
You have 360 hour(s) remaining before this controller stops providing desktop and application sessions
Event ID 1198
The Citrix Broker Service is successfully consuming licenses from the license server
Event ID 1200
The connection between the Citrix Broker Service and the database has been restored
Event ID 1200
The connection to the database has been restored
Event ID 1201
The connection between the Citrix Broker Service and the database has been lost
Event ID 1201
The connection to the database has been lost

Citrix Event IDs 1 to 509 in Windows Event Logs

Citrix Event ID

I’ve had trouble finding a list of Citrix Event ID’s to search for with Splunk when monitoring Windows Event Logs on the servers in our Citrix XenDesktop environment. So I’m documenting the Citrix XenDesktop Event IDs here. I hope you find it useful.

Looking for Citrix Event IDs 1000 to 1201

Looking for Citrix Event ID 2000 to 2102

Event ID to Monitor
Event Message Text
Event ID 1
PVS Stream Service Started
Event ID 2
Unexpected Error Occurred
Event ID 3
The broker service reported an error
Event ID 4
The requested data could not be found in the data ‘Active directory’
Event ID 5
Failed to connect to data source Verify that the data source is available
Event ID 6
Citrix Director Service unexpected error occurred
Event ID 7
Your logon attempt was unsuccessful
Event ID 11
StreamProcess; AquireLock Failed
Event ID 12
The OS Started at system time XXYYZZ
Event ID 13
The OS is shutting down at system time XXYYZZ
Event ID 20
The last shutdown’s success status was true. The last boot’s success status was true.
Event ID 50
A time difference of greater than XYZ
Event ID 101
Unable to contact Citrix License Server XXYYZZ
Event ID 108
VMTools The service was stopped
Event ID 109
The kernel power manager has initiated a shutdown transition
Event ID 129
Reset to device, XXY, was issued
Event ID 153
The IO operation at logical block address XXYYZZ for Disk X was retired
Event ID 509
The Citrix Broker Service is starting
Event ID 506
The Citrix Broker Service started successfully
Event ID 507
The Citrix Broker Service is shutting down
Event ID 508
The Citrix Broker Service shut down successfully
Event ID 509
The Citrix Broker Service SDK support started

Getting Splunk Running On The Laptop

So tonight I’m going to get Splunk installed in a virtual machine on my laptop. I’m doing this to get better at Splunk and to document the progress. Hopefully I can get ready for the first Splunk test.

So after I got the ovf I made the last time I setup an Ubuntu VM I was greeted with all the joys of running apt updates. This is way faster than trying to install Ubuntu Server from scratch though so we are still ahead of the game.

I prefer to use the .tgz of the Splunk distro since all you have to do with it is copy it over and untar it. Then run the install. Done. Super easy for me. What do method do you use to install Splunk?

 

Well I read the download page for comprehension this time and found Splunk to have a cool tooltip on how use wget for the install.

 

 

That worked amazingly well after I remembered to sudo the wget command.

 

 

 

 

 

I know the .tgz is the least automated way of deploying Splunk but this is only for the VM on my laptop for testing and dev not an attempt to deploy at scale or automate the deployment for a smaller shop. Probably will do that later on.

I put Splunk in the /opt folder and untar’d it. Then to save time in the future exported the updated Splunk VM as an ovf.

So now the install of Splunk $SPLUNK_HOME/bin/splunk start –accept-license command. Which is nice so you dont have to wade through a bazillion lines of license legalese.

So the Help Us Improve Splunk Software splash is new since 6.4.x

 

 

 

 

 

 

Well that’s it. All installed. Next up the Apps and Add-ons to install and create some VMs for the Universal Forwarders to collect data from.