Windows EventLog parsing questions

Started by Dani@M3T, April 02, 2014, 10:49:08 AM


Dani@M3T

I just started to use the windows EventLog parsing and have some questions:

1.
I would like to have a quite generic parser which parses for all errors in the system eventlog (all sources and all IDs). I managed that. Then I would like to give the event source and the event ID as parameters to NetXMS. But I only see the possibility to extract parameters out of the eventlog description field (with regexp). Source and ID are not available in this field. I tried [<id>(.*)</id>], but that's not supported. Is there another possibility for such parsing? I can't make a rule for each possible source and each ID.

2.
I would like to parse for 'the previous shutdown was unexpected' events (source=EventLog, id=6008). But it's not possible. I suppose the agent starts parsing the eventlog when it starts up. But this EventLog event is earlier (between system boot and start of the NetXMS agent). Is there a possibility that the agent can also parse the events between system start and agent start?

3.
Is there a good website with ideas for EventLog events which should be monitored? Some commercial network monitoring products have a lot of predefined EventLog events. Maybe someone knows a good source.

4.
What's the best solution to deliver the parser xml files to a lot of nodes?
thanks
Dani

Dani@M3T

No one with Windows EventLog parsing experience?

hkusulja

Quote from: Dani@M3T on April 09, 2014, 01:36:53 PM
no one with Windows EventLog parsing experience?
Hi, I am interested in answers also :)

Dani@M3T


Victor Kirhenshtein

Hi!

I won't be able to help you much. #1, #2, and #4 need changes in the agent (#4 also in the server). #1 is implemented in 1.2.14 (event source, id, and severity are passed as three additional parameters for the generated event). #2 should be relatively easy to implement; I'll add this as a feature request for 1.2.15. For #4 we plan to introduce a new policy type to distribute parser configurations across nodes in the same way as you can distribute configuration files, but I cannot promise the exact release in which it will be implemented.

Best regards,
Victor

Dani@M3T

Hi Victor

Thanks for your information and your work. I agree with all points.

thanks
Dani

Dani@M3T

Is #2 already implemented? My newest test says NO. (I didn't see the feature request in the bug tracker.)

any plans for #4? To deliver the parser files by agent policy is in my opinion the most elegant way.

Victor Kirhenshtein

Yes, it seems that it was forgotten. I've created an issue in the bug tracker (https://www.radensolutions.com/chiliproject/issues/641). As for #4, it will be in the 2.0 branch, probably close to year end.

Best regards,
Victor

Dani@M3T


Victor Kirhenshtein

Hi,

#2 is implemented in 1.2.17. This is turned off by default to maintain compatibility with previous versions. Setting the parameter ProcessOfflineEvents in the LogWatch section to yes or true will enable this feature. When on, the agent will save the timestamp of the last processed event and on start will process all events since the last processed one.

Best regards,
Victor

Dani@M3T

Hi Victor

I come back to #2 and #4:

#2: I tested again with V2.0.-M3 but it is not working for me. Can you please check again?

#4: For which version is this planned?

Thanks, Dani

Victor Kirhenshtein

Hi,

Can you please show me your agent config and the content of the registry entries under HKEY_USERS\.DEFAULT\Software\NetXMS\LogParserLibrary (assuming you run the agent under the Local System account; otherwise check the same registry path under the appropriate user)?

Best regards,
Victor

Dani@M3T

agent config (put together from server agent configuration and agent policy):

MasterServers = netxms.domain.com
ListenPort = 4700
RequireAuthentication = yes
RequireEncryption = yes
EnabledCiphers = 1
SharedSecret = longkey
EnableWatchdog = yes
LogFile = {syslog}
LogFile = ${ProgramFiles}\NetXMS\nxagentd.log
DebugLevel = 0
ConfigIncludeDir = ${ProgramFiles}\NetXMS\etc\nxagentd.conf.d
FileStore = ${ProgramFiles}\NetXMS\var
SubAgent = ecs.nsm
SubAgent = portcheck.nsm
SubAgent = ping.nsm
SubAgent = winperf.nsm
SubAgent = wmi.nsm
SubAgent = logwatch.nsm
SubAgent = filemgr.nsm

[filemgr]
RootFolder = ${SystemDrive}\

[logwatch]
ProcessOfflineEvents = yes
Parser = ${ProgramFiles}\NetXMS\var\eventlog-system-parser.xml
Parser = ${ProgramFiles}\NetXMS\var\eventlog-application-parser.xml
Registry Key HKEY_USERS\.DEFAULT\Software\NetXMS\LogParserLibrary:
LogWatch.Application REG_DWORD 0x552b7a44
LogWatch.System REG_DWORD 0x552b7a78
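
The two REG_DWORD values above are what the agent uses to decide where to resume when ProcessOfflineEvents is on. As an added example (not part of the thread and not NetXMS code), the Python below decodes them and simulates which events the agent would pick up on start-up with offline processing on versus off. It assumes the DWORD is a Unix epoch timestamp in seconds (Victor says the agent stores the last processed event's timestamp, but the thread does not state the storage format); the sample event list and the agent start time are constructed, not taken from a real log.

```python
"""
Added example (not NetXMS code): decode the LogParserLibrary registry values
from the post above and model the ProcessOfflineEvents start-up behaviour.

Assumption: each REG_DWORD holds a Unix epoch timestamp in seconds. The thread
only says "timestamp of last processed event"; the exact encoding is not stated.
"""
from datetime import datetime, timezone

# Registry values copied from the post (regedit shows REG_DWORD in hex).
LAST_PROCESSED = {
    "LogWatch.Application": 0x552b7a44,
    "LogWatch.System": 0x552b7a78,
}


def decode_dword_timestamp(value: int) -> datetime:
    """Interpret a 32-bit REG_DWORD as seconds since the Unix epoch (assumption)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in a REG_DWORD")
    return datetime.fromtimestamp(value, tz=timezone.utc)


def last_processed_iso(channel: str) -> str:
    """Human-readable UTC time of the stored checkpoint for a channel."""
    return decode_dword_timestamp(LAST_PROCESSED[channel]).isoformat()


# Constructed sample System-channel events: (epoch seconds, source, event id).
# The 6008 entry models the "previous shutdown was unexpected" case from #2:
# it is logged after the stored checkpoint but before the agent came up.
SAMPLE_SYSTEM_EVENTS = [
    (0x552b7a00, "EventLog", 6005),                 # older than checkpoint
    (0x552b7a78, "EventLog", 6006),                 # same second as checkpoint
    (0x552b7a90, "EventLog", 6008),                 # boot-time event, agent not yet running
    (0x552b7b00, "Service Control Manager", 7036),  # logged after agent start
]
AGENT_START = 0x552b7aa0  # constructed agent start time (epoch seconds)


def events_seen_on_start(events, last_processed, agent_start, process_offline):
    """Return the event IDs the agent would handle after start-up.

    process_offline=True : everything newer than the stored checkpoint
                           (the 1.2.17 behaviour described in the thread).
    process_offline=False: only events logged after the agent started
                           (modelled pre-1.2.17 / default behaviour).
    Caveat: with second granularity, an event in the same second as the
    checkpoint is ambiguous; this model treats it as already processed.
    """
    cutoff = last_processed if process_offline else agent_start
    return [eid for ts, _src, eid in events if ts > cutoff]


if __name__ == "__main__":
    for channel in LAST_PROCESSED:
        print(f"{channel}: last processed {last_processed_iso(channel)}")
    sys_cp = LAST_PROCESSED["LogWatch.System"]
    print("offline on :", events_seen_on_start(SAMPLE_SYSTEM_EVENTS, sys_cp, AGENT_START, True))
    print("offline off:", events_seen_on_start(SAMPLE_SYSTEM_EVENTS, sys_cp, AGENT_START, False))
```

A practical check when offline processing appears not to work: decode the stored value and compare it with the time of the event you expected to see. If the registry value is newer than the event, the agent has already moved its checkpoint past it and will not replay it; if the value never changes across agent restarts, the checkpoint is not being written at all.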

Dani@M3T

Have you found anything in my config and the registry?

Dani@M3T

Hi Victor.
Have you found anything in my config and the registry?

thanks
Dani