I'm on the chase for a bug that is causing occasional glitches in processing some logs from IIS. parse_csv complains of an input being '' (the empty string), and wasn't able to parse the expected number of fields (14) but instead got 0.
I've been slicing the log into ever smaller pieces, essentially binary (or rather, 10-ary) searching through it looking for the lines that cause it. It doesn't happen often: 17 times in about 1.6M log entries. As I was doing this, I noticed that as I narrowed it down to big chunks of data (processing each chunk with a different instance of nxlog-processor), if I further subdivided the chunk into smaller chunks, I no longer saw the problem.

[DEV ] cameron@its-sst-ck0:/scratch/nxlog-exchange-2010-cas-iis $ rm test-05-????-??*; split --lines 991 --numeric-suffixes test-05-0032 test-05-0032-; for test in test-05-0032-??; do echo $test; nxlog-processor -c nxlog.conf < $test; done
test-05-0032-00
2014-08-16 01:02:05 ERROR procedure 'parse_csv' failed at line 44, character 48 in nxlog.conf. statement execution has been aborted;Not enough fields in CSV input, expected 14, got 0 in input ''
test-05-0032-01

[DEV ] cameron@its-sst-ck0:/scratch/nxlog-exchange-2010-cas-iis $ rm test-05-????-??*; split --lines 990 --numeric-suffixes test-05-0032 test-05-0032-; for test in test-05-0032-??; do echo $test; nxlog-processor -c nxlog.conf < $test; done
test-05-0032-00
test-05-0032-01

The behaviour doesn't change if I turn on DEBUG logging.

Interestingly, if I look at the size of the file in the 990 (pass) and 991 (fail) cases, I see 259755 and 260001.

If I remove a single byte from the LAST line of that file, then the problem goes away.

Therefore, it seems that the number 260000 is significant (probably the size of some buffer), and the bug lies in the management of the buffer when it has reached the end of the buffer, and finds the start of a new message (the rest of which has yet to be written into the buffer).

I'll see if I can create a more minimal test-case... maybe even toss it into gdb.
My config is as follows:

$ cat nxlog.conf
define ROOT /scratch/nxlog-exchange-2010-cas-iis

Moduledir /usr/libexec/nxlog/modules
CacheDir %ROOT%/data
Pidfile %ROOT%/data/nxlog.pid
SpoolDir %ROOT%/data
LogFile %ROOT%/data/nxlog.log
#LogLevel INFO
LogLevel DEBUG

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

#
# 010_exchange.conf
#

# Exchange 2010 CAS IIS Logs

<Extension exchange_2012_cas_iis_parser>
    Module xm_csv
    #2010Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    #2013Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
    Fields $date, $time, $serverip, $HTTPMethod, $URIStem, $URIQuery, $port, $username, $srcip, $UserAgent, $HTTPStatus, $SubStatus, $win32Status, $responseTime
    FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string
    EscapeControl FALSE
    Delimiter ' '
</Extension>

<Input iisfe>
    Module im_file
    #File "/scratch/nxlog-exchange-2010-cas-iis/u*.log"
    #File "/scratch/nxlog-exchange-2010-cas-iis/u_trouble.log"
    File "/dev/stdin"
    ReadFromLast False
    SavePos False
    Exec if $raw_event =~ /^#/ drop();
    Exec if $raw_event =~ /^\xEF\xBB\xBF#/ drop();
    #Exec if $raw_event == '' $raw_event = "- - - - - - - - - - - - - -";
    Exec exchange_2012_cas_iis_parser->parse_csv();
    Exec $EventTime = parsedate($date + " " + $time);
    Exec $username = replace(lc(replace($username, "\\", "")), "registry", "");
    Exec $UoO_log_type = "IIS"; $UoO_log_access = "common"; $UoO_application_stack = "exchange"; $UoO_environment = "prod";
    Exec to_json();
</Input>

<Output out>
    Module om_file
    File "output.log"
    OutputType LineBased
</Output>

<Route 1>
    Path iisfe => out
</Route>

--
Cameron Kerr <cameron.kerr...@gmail.com>
See my blog at http://distracted-it.blogspot.co.nz/ (previously http://humbledown.org/)
Skype me on cameron.kerr.nz
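
Added example (not part of the original post, and not nxlog code): a Python helper for building the minimal test case the post mentions and for finding which log lines cross a buffer boundary. It assumes the 260000-byte buffer size hypothesised in the post; `ASSUMED_BUFFER_SIZE`, `SAMPLE`, `build_case` and `straddling_lines` are hypothetical names, and the sample record is constructed.

```python
import io

ASSUMED_BUFFER_SIZE = 260000  # hypothesis from the post; not a documented nxlog value

# Constructed 14-field, space-delimited record (not taken from the poster's logs).
SAMPLE = b"2014-08-16 01:02:05 10.0.0.1 GET /owa/ - 443 - 10.0.0.2 UA 200 0 0 15\n"


def build_case(total_size, record=SAMPLE):
    """Return exactly total_size bytes of complete records.

    The last field of the final record is padded with digits, so every line
    still has 14 fields and the data ends with a newline.
    """
    count, pad = divmod(total_size, len(record))
    if count == 0:
        raise ValueError("total_size is smaller than one record")
    last = record[:-1] + b"0" * pad + b"\n"
    return record * (count - 1) + last


def straddling_lines(data, buf_size=ASSUMED_BUFFER_SIZE):
    """Find lines (terminator included) with a buffer boundary strictly inside.

    Returns (line_no, boundary, bytes_before, bytes_after) tuples, where a
    boundary is any multiple of buf_size. A line that ends exactly on a
    boundary is not reported, matching the 260000-byte file that passed.
    """
    hits, start = [], 0
    for line_no, line in enumerate(io.BytesIO(data), 1):  # splits on b"\n" only
        end = start + len(line)
        boundary = (start // buf_size + 1) * buf_size  # first multiple > start
        while boundary < end:  # a long line can cross several boundaries
            hits.append((line_no, boundary, boundary - start, end - boundary))
            boundary += buf_size
        start = end
    return hits


if __name__ == "__main__":
    for size in (260000, 260001):  # the two sizes that bracket the failure in the post
        case = build_case(size)
        print(size, straddling_lines(case))
        with open("case-%d.log" % size, "wb") as fh:  # feed to nxlog-processor on stdin
            fh.write(case)
```

Running `straddling_lines` over the full 1.6M-entry log would show whether the 17 failures line up with the reported boundaries, which is a quick check of the buffer hypothesis before reaching for gdb.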