Syslog-ng Agent generates the following error message:
Can't open publisher metadata; publisher='APPLICATION', error='The system cannot find the file specified.'
APPLICATION is the name of the application. In the case of Windows Search, the error message looks like this:
Can't open publisher metadata; publisher='Microsoft-Windows-Search', error='The system cannot find the file specified.'
The newer Windows event log implementation (called EVTX) does not store the entire message, only a reference ID.
To read the message, a DLL file is needed which contains the entire log messages of the APPLICATION together with their reference IDs.
The APPLICATION which generates the events should provide that DLL file.
When an event is generated by the APPLICATION, syslog-ng Agent tries to read the message without success and gives the error message in the description.
Upgrade to the latest version, which you can download from https://support.oneidentity.com.
It means that the DLL is not available on the machine with the syslog-ng Agent installed.
Event Viewer cannot open the description file either; the following message is displayed:
"The description for Event ID 1013 from source Microsoft-Windows-Search cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."
1. Open the Windows registry with regedit.exe.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog and find the registry entry of the APPLICATION. Check the EventMessageFile registry key, which contains the path of the needed DLL file. It is usually under C:\Windows\System32, e.g. tquery.dll.
3. A MUI file is also necessary. It can be found in C:\Windows\System32\en-US and has an additional .mui extension appended to the DLL filename, e.g. tquery.dll.mui.
Note: The directory may differ depending on your language configuration.
4. Copy the DLL and the MUI file to the same path on the machine with syslog-ng Agent.
5. Register the application in Windows Event Log, e.g. Microsoft Windows Search in the "Application" container:
New-EventLog -Source "Microsoft-Windows-Search" -LogName "Application" -MessageResourceFile "%SystemRoot%\System32\tquery.dll"
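A check for steps 2 to 5, as an added example that is not part of the original article or of syslog-ng Agent: it reads EventMessageFile for the source and reports whether the DLL and its .mui file exist on the machine where it runs. The parameter names, the output property names, and the use of the current UI language as the MUI directory are assumptions.

```powershell
# Added example: run elevated on the machine where syslog-ng Agent is installed.
param(
    # Publisher name from the agent's error message (sample value from this article).
    [string]$Source = 'Microsoft-Windows-Search',
    # Language directory that holds the .mui file (assumption: current UI language).
    [string]$Culture = (Get-UICulture).Name
)

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# Event logs (Application, System, ...) are subkeys of EventLog; a source is a subkey of its log.
$keys = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    ForEach-Object { "$root\$($_.PSChildName)\$Source" } |
    Where-Object { Test-Path -LiteralPath $_ -ErrorAction SilentlyContinue }

if (-not $keys) {
    Write-Warning "Source '$Source' is not registered under $root."
    return
}

foreach ($key in $keys) {
    $raw = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).EventMessageFile
    if (-not $raw) {
        Write-Warning "$key has no EventMessageFile value."
        continue
    }
    # The value may list several files separated by ';' and may contain %SystemRoot%.
    foreach ($entry in ($raw -split ';' | Where-Object { $_.Trim() })) {
        $dll = [Environment]::ExpandEnvironmentVariables($entry.Trim())
        $dir = Split-Path -Path $dll -Parent
        if (-not $dir) {
            Write-Warning "'$dll' has no directory part; cannot derive the MUI path."
            continue
        }
        $mui = Join-Path (Join-Path $dir $Culture) ((Split-Path -Path $dll -Leaf) + '.mui')
        [pscustomobject]@{
            RegistryKey = $key
            MessageFile = $dll
            DllPresent  = Test-Path -LiteralPath $dll -PathType Leaf
            MuiFile     = $mui
            MuiPresent  = Test-Path -LiteralPath $mui -PathType Leaf
        }
    }
}
```

Running the same script on the machine where the APPLICATION is installed shows the paths to copy from; any row with DllPresent or MuiPresent set to False on the agent machine points to a file that still has to be copied.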
The solution should be the same as in the case of a forwarded event. Check the installation of the APPLICATION, or contact the administrator or the support of the APPLICATION.