Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1009 Source: ClusSvc

Microsoft Cluster Server could not join an existing cluster and could not form a new cluster. Microsoft Cluster Server has terminated.
This problem occurs if the Cluster Disk driver (Clusdisk.sys) is not running. See ME923838 to solve this problem.

As per Microsoft: "This problem may occur after you apply a security template through a domain policy or by manually setting the LAN Manager Authentication Level Local Security Policy option to anything other than Send LM and NTLM responses on the nodes in a Windows 2000-based cluster". See ME272129 for details on this issue.
In my case, this event occured after a recent migration from EMC storage to IBM storage. The disk signatures were overwritten (as per the cluster log). The fix was to run dumpcfg.exe to force clusdb to recognize the new signatures.
This behavior is caused by the Windows NT Option Pack overwriting some newer SP4 components with older Windows NT Option Pack components. There are several Microsoft articles with information about this event: ME169414, ME171451, ME218922, ME258469, ME295091, ME296594, and ME886717.

As per ME251284 this behavior can occur if the disk that contains the Quorum log file does not have any free disk space.
The cluster service started and attempted to join a cluster. The node may not be a member of an existing cluster because of an eviction by an administrator. After a cluster node has been evicted from the cluster, the cluster software must be removed and reinstalled if you want it to rejoin the cluster. And, because a cluster already exists with the same cluster name, the node could not form a new cluster with the same name. Solution: Remove MSCS from the affected node, and reinstall MSCS on that system if desired.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.