I installed the latest Win32-EventLog the other day and can query my EventLog fine, but there are cases where I can see a description in the EventViewer, but my Ruby code gets a nil for description.

I first noticed this while trying to pull out all the failed ssh logins that were reported (I've been under siege the last week or so from the ssh exploit script). I was able to get at those records that were from sshd, all of which had text like this shown in the EventViewer:

    The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: invalid login.

But Ruby shows me nil for the description.

I've also seen this with other processes. The pattern seems to be that if the Event Id is 0, a message like that shows up, with the last sentence saying "in part of the event" and then some info that is actually useful. But with Ruby, all I get is nil for the description.

I've briefly looked at the C source for this, but I'm not familiar with the EventLog code in Windows...

So, is there anything that I can do to get the description that the EventViewer displays instead of nil, in those cases where the Event Id is 0 (or the event can't be found, or whatever the problem is)? It seems like the EventViewer has access to something that we don't.

BTW, this is on a WindowsXP Pro sp1 system. (Actually two different systems.)

Joey

--
She drove a Plymouth Satellite
Faster than the Speed of Light...

http://www.joeygibson.com/blog
http://www.joeygibson.com/blog/life/Wisdom.html

Atlanta Ruby User Group http://www.AtlRUG.org