Hi,

There is a similar issue recently posted in the community forum; it's
likely the same bug.
The configcache.dat file contains the XML bookmark for the last record
that was successfully read when nxlog is stopped cleanly. For the
nxlog community edition this does not get updated when it crashes, so when
you restart the service it tries to read the eventlog from the same
position again and again.

Can you try with om_null to make sure the issue is with im_msvistalog?

Can you provide a POC test case which can be used to reproduce the bug by
using eventcreate or some other tool to inject the offending eventlog entry?

Regards,
Botond

On Tue, 11 Nov 2014 10:37:45 +0100
Andrian Bulat <coju...@gmail.com> wrote:

> Hello,
> We are trying to use nxlog for shipping logs from the Windows event log
> to Elasticsearch.
> Sometimes nxlog crashes; this is somehow random behavior, and it may
> crash on different messages in the EventLog.
> 
> Crash log:
> Faulting application name: nxlog.exe, version: 0.0.0.0, time stamp: 0x53ca79be
> Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
> Exception code: 0xc0000005
> Fault offset: 0x0005e8d1
> Faulting process id: 0x3454
> Faulting application start time: 0x01cffd8c7ee035f3
> Faulting application path: C:\Program Files (x86)\nxlog\nxlog.exe
> Faulting module path: C:\Windows\SysWOW64\ntdll.dll
> Report Id: bdaf2722-697f-11e4-a98b-0050569747fd
> 
> Looking in the cache, configcache.dat points to a specific Windows log;
> the XML export looks like this:
> 
> <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
>   <System>
>     <Provider Name='BackendServiceHost'/>
>     <EventID Qualifiers='0'>0</EventID>
>     <Level>4</Level>
>     <Task>0</Task>
>     <Keywords>0x80000000000000</Keywords>
>     <TimeCreated SystemTime='2014-11-10T10:17:18.000000000Z'/>
>     <EventRecordID>2735489</EventRecordID>
>     <Channel>Kalixa</Channel>
>     <Computer>ATVT6WABPP002.tst.pay</Computer>
>     <Security/>
>   </System>
>   <EventData>
>     <Data>INFO
>  CQRPayments.PaymentService.Implementation.Engine [(null), 2014-11-10 10:17:17,891, 1, ]
> Engine Started in: 00:00:00.0099056
>     </Data>
>   </EventData>
> </Event>
> 
> When LogLevel is INFO it crashes, and restarting the service does not help;
> it keeps crashing.
> However, if LogLevel is DEBUG it goes through and the message is read without
> any crashes.
> 
> Machine is running Windows 2008 R2 Standard, x64.
> Related configs:
> 
> define ROOT C:\Program Files (x86)\nxlog
> define CERTDIR %ROOT%\cert
> 
> Moduledir %ROOT%\modules
> CacheDir %ROOT%\data
> Pidfile %ROOT%\data\nxlog.pid
> SpoolDir %ROOT%\data
> LogFile D:\LogFiles\nxlog\nxlog.log
> 
> LogLevel INFO
> 
> <Input eventlog>
>   Module  im_msvistalog
>   SavePos True
>   ReadFromLast True
>   #PollInterval 5
>   Query <QueryList> \
>           <Query Id="0"> \
>             <Select Path="Kalixa">*</Select> \
>             <Select Path="Application">*[System[(Level='2' or Level='3')]]</Select> \
>           </Query> \
>         </QueryList>
> 
>   Exec $Hostname = hostname(); \
>        $DateEventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%S+00:00");
> </Input>
> 
> <Output out_http_eventlog>
>   Module  om_http
>   URL     http://elasticSearchURL/
>   Exec set_http_request_path("logstash-" + strftime(now(), "%Y.%m.%d") + "/nx_eventlog");
> 
>   Exec $raw_event = to_json();
> </Output>
> 
> # Let's tie all pieces together with a NXlog route
> <Route eventlog_route>
>   Path   eventlog => out_http_eventlog
> </Route>
> 
> 
> -- 
> br,
> Andrian Bulat
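
The crash record quoted above can be decoded for triage. The following Python sketch is an added example, not part of the original thread and not nxlog code: it maps the exception code to its NTSTATUS name and converts the hex time fields to UTC. The names `triage`, `pe_time` and `filetime` are hypothetical, and it assumes the "time stamp" field is the PE header build time.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the crash record quoted in the thread, wrapped lines rejoined.
SAMPLE = """\
Faulting application name: nxlog.exe, version: 0.0.0.0, time stamp: 0x53ca79be
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x0005e8d1
Faulting process id: 0x3454
Faulting application start time: 0x01cffd8c7ee035f3
"""

# Small subset of NTSTATUS values commonly seen in crash records.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
HEX = r"(0x[0-9a-fA-F]+)"

def pe_time(hexval):
    """PE header TimeDateStamp: seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(int(hexval, 16), tz=timezone.utc)

def filetime(hexval):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=int(hexval, 16) // 10)

def triage(text):
    """Extract and decode the fields of an Application Error record."""
    def field(pattern):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return m.group(1)
    code = int(field(r"Exception code: " + HEX), 16)
    return {
        "app": field(r"Faulting application name: ([^,\n]+)"),
        "module": field(r"Faulting module name: ([^,\n]+)"),
        "exception": NTSTATUS.get(code, "unknown 0x%08x" % code),
        "pid": int(field(r"Faulting process id: " + HEX), 16),
        "app_built": pe_time(field(r"application name:.*time stamp: " + HEX)),
        "started": filetime(field(r"application start time: " + HEX)),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```

Comparing the decoded start time with the time of the crash event shows how long the process survived after each restart, which helps confirm a crash loop on the same saved position.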
