Hi,
  Thanks for the reply.
  I'll try to add more details and om_null when it crashes again; so far
it has not stopped since yesterday.

  But why is it not crashing in DEBUG mode, only in INFO?
  If I start it after a crash with DEBUG, leave it for a few seconds, then
stop and start it in INFO mode, all works fine, with no more crashes until the
next crash, whenever that is.


On Wed, Nov 12, 2014 at 1:15 PM, Botond Botyanszki <b...@nxlog.org> wrote:

> Hi,
>
> There is a similar issue recently posted in the community forum, it's
> likely the same bug.
> The configcache.dat file contains the XML bookmark for the last record
> that was successfully read when nxlog is stopped cleanly. For the
> nxlog community edition this does not get updated when it crashes so when
> you restart the service it tries to read the eventlog from the same
> position again and again.
>
> Can you try with om_null to make sure the issue is with im_msvistalog?
>
> Can you provide a POC test case which can be used to reproduce the bug by
> using eventcreate or some other tool to inject the offending eventlog
> entry?
>
> Regards,
> Botond
>
> On Tue, 11 Nov 2014 10:37:45 +0100
> Andrian Bulat <coju...@gmail.com> wrote:
>
> > Hello,
> > We are trying to use nxlog for shipping logs from the Windows event log
> > to Elasticsearch.
> > Sometimes nxlog crashes; this is somewhat random behavior, it may
> > crash on different messages in EventLog.
> >
> > Crash log:
> > Faulting application name: nxlog.exe, version: 0.0.0.0, time stamp: 0x53ca79be
> > Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
> > Exception code: 0xc0000005
> > Fault offset: 0x0005e8d1
> > Faulting process id: 0x3454
> > Faulting application start time: 0x01cffd8c7ee035f3
> > Faulting application path: C:\Program Files (x86)\nxlog\nxlog.exe
> > Faulting module path: C:\Windows\SysWOW64\ntdll.dll
> > Report Id: bdaf2722-697f-11e4-a98b-0050569747fd
> >
> > Looking in the cache, configcache.dat points to a specific Windows log;
> > the XML export is like this:
> >
> > <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
> >   <System>
> >     <Provider Name='BackendServiceHost'/>
> >     <EventID Qualifiers='0'>0</EventID>
> >     <Level>4</Level>
> >     <Task>0</Task>
> >     <Keywords>0x80000000000000</Keywords>
> >     <TimeCreated SystemTime='2014-11-10T10:17:18.000000000Z'/>
> >     <EventRecordID>2735489</EventRecordID>
> >     <Channel>Kalixa</Channel>
> >     <Computer>ATVT6WABPP002.tst.pay</Computer>
> >     <Security/>
> >   </System>
> >   <EventData>
> >     <Data>INFO
> >  CQRPayments.PaymentService.Implementation.Engine [(null), 2014-11-10
> > 10:17:17,891, 1, ]
> > Engine Started in: 00:00:00.0099056
> >     </Data>
> >   </EventData>
> > </Event>
> >
> > When LogLevel is INFO it crashes, and restarting the service does not help;
> > it keeps crashing.
> > However, if LogLevel is DEBUG it goes through and the message is read without
> > any crashes.
> >
> > Machine is running Windows 2008 R2 Standard, x64.
> > Related configs:
> >
> > define ROOT C:\Program Files (x86)\nxlog
> > define CERTDIR %ROOT%\cert
> >
> > Moduledir %ROOT%\modules
> > CacheDir %ROOT%\data
> > Pidfile %ROOT%\data\nxlog.pid
> > SpoolDir %ROOT%\data
> > LogFile D:\LogFiles\nxlog\nxlog.log
> >
> > LogLevel INFO
> >
> > <Input eventlog>
> >   Module  im_msvistalog
> >   SavePos True
> >   ReadFromLast True
> >   #PollInterval 5
> >   Query <QueryList> \
> >           <Query Id="0"> \
> >             <Select Path="Kalixa">*</Select> \
> >             <Select Path="Application">*[System[(Level='2' or Level='3')]]</Select> \
> >           </Query> \
> >         </QueryList>
> >
> >   Exec $Hostname = hostname(); \
> >        $DateEventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%S+00:00");
> > </Input>
> >
> > <Output out_http_eventlog>
> >   Module  om_http
> >   URL     http://elasticSearchURL/
> >   Exec set_http_request_path("logstash-" + strftime(now(), "%Y.%m.%d") + "/nx_eventlog");
> >
> >   Exec $raw_event = to_json();
> > </Output>
> >
> > # Let's tie all pieces together with a NXlog route
> > <Route eventlog_route>
> >   Path   eventlog => out_http_eventlog
> > </Route>
> >
> >
> > --
> > br,
> > Andrian Bulat
>
>
> _______________________________________________
> nxlog-ce-users mailing list
> nxlog-ce-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
>



-- 
br,
Andrian Bulat