logwach does not send syslog entries

Started by vmgracia, May 17, 2013, 02:46:43 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

vmgracia

May 17, 2013, 02:46:43 PM
Hi all

I do not get any entry on the Syslog arrives from a server with Windows agent and the  logwatch subagent

the parser i use in the agent  is:

<parser>
   <file>*System</file>
   <rules>
      <rule>
         <level>1</level>
         <match>(.*)</match>
         <event params="1">100008</event>
      </rule>
   </rules>
</parser>

any idea?

Victor Kirhenshtein

#1
May 17, 2013, 05:54:58 PM
Hi!

Parser looks correct. It should generate an event for each critical event in Windows system event log. I suggest to check the following:

1. Agent config - you should have logwatch subagent, and you should have parser definition set in LOGWATCH section.
2. Check event log on NetXMS server - do you see events coming?
3. Check that there really was new critical events.
4. Run agent in debug mode and see if there are any errors/warnings related to log monitoring.

Also, don't be confused by syslog view in NetXMS - agent send events to server, not syslog records - and so you should see them in event log in NetXMS.

Best regards,
Victor

vmgracia

#2
May 18, 2013, 12:16:04 AM
Hi Victor

here is the complete configuration with debug
nxagentd.conf
#
# NetXMS agent configuration file
# Created by agent installer at Mon May 13 15:13:48 2013
#

MasterServers = 10.25.1.20
ConfigIncludeDir = C:\NetXMS\etc\nxagentd.conf.d
LogFile = c:\NetXMS\NetXMSlog.log
FileStore = C:\NetXMS\var
SubAgent = ecs.nsm
SubAgent = ping.nsm
SubAgent = logwatch.nsm
SubAgent = portcheck.nsm
SubAgent = winperf.nsm
SubAgent = wmi.nsm

*LogWatch
Parser = C:\NetXMS\p1.xml


p1.xml

parser debug="7">
   <file>*System</file>
   <rules>
      <rule>
   <level>7</level>
         <match>(.*)</match>
         <event params="1">100008</event>
      </rule>
   </rules>
</parser>

the event monitor is working and receiving events from other devices on same network


the debug report:

C:\NetXMS\bin>nxagentd.exe -D9
[17-May-2013 23:13:37.761] Additional configs was loaded from C:\NetXMS\etc\nxag
entd.conf.d
[17-May-2013 23:13:37.761] Debug level set to 9
[17-May-2013 23:13:37.761] Subagent API initialized
[17-May-2013 23:13:37.917] Subagent "WINNT.NSM" loaded successfully
[17-May-2013 23:13:37.917] Debug callback set for DB library
[17-May-2013 23:13:37.917] Subagent "ecs.nsm" loaded successfully
[17-May-2013 23:13:37.917] Subagent "ping.nsm" loaded successfully
[17-May-2013 23:13:37.917] LogWatch: registered parser for file *System, trace l
evel set to 7
[17-May-2013 23:13:37.917] LogWatch: Process RSS after parser creation is 701235
2 bytes
[17-May-2013 23:13:37.917] LogWatch: cannot load wevtapi.dll: No se puede encont
rar el m¾dulo especificado.
[17-May-2013 23:13:37.964] LogWatch: Start watching event log "System"
[17-May-2013 23:13:37.964] LogWatch: Process RSS is 7229440 bytes
[17-May-2013 23:13:38.120] Subagent "logwatch.nsm" loaded successfully
[17-May-2013 23:13:38.120] Subagent "portcheck.nsm" loaded successfully
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \System\Threads ==> \Sis
tema\Subproceso o subproceso
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \System\System Up Time =
=> \Sistema\Tiempo de actividad del sistema
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \System\Processor Queue
Length ==> \Sistema\Longitud de la cola del procesador
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \System\Processor Queue
Length ==> \Sistema\Longitud de la cola del procesador
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \System\Processor Queue
Length ==> \Sistema\Longitud de la cola del procesador
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \Processor(_Total)\% Pro
cessor Time ==> \Procesador(_Total)\% de tiempo de procesador
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \Processor(_Total)\% Pro
cessor Time ==> \Procesador(_Total)\% de tiempo de procesador
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \Processor(_Total)\% Pro
cessor Time ==> \Procesador(_Total)\% de tiempo de procesador
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \PhysicalDisk(_Total)\Av
g. Disk Queue Length ==> \DiscoFÝsico(_Total)\Long. media de la cola de disco
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \PhysicalDisk(_Total)\%
Disk Time ==> \DiscoFÝsico(_Total)\% Tiempo de disco
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \Processor(0)\% Processo
r Time ==> \Procesador(0)\% de tiempo de procesador
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \Processor(0)\% Processo
r Time ==> \Procesador(0)\% de tiempo de procesador
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \Processor(0)\% Processo
r Time ==> \Procesador(0)\% de tiempo de procesador
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \Processor(1)\% Processo
r Time ==> \Procesador(1)\% de tiempo de procesador
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \Processor(1)\% Processo
r Time ==> \Procesador(1)\% de tiempo de procesador
[17-May-2013 23:13:38.136] WINPERF: Counter translated: \Processor(1)\% Processo
r Time ==> \Procesador(1)\% de tiempo de procesador
[17-May-2013 23:13:38.151] WINPERF: CollectorThread_B waiting for set change
[17-May-2013 23:13:38.151] WINPERF: CollectorThread_A waiting for set change
[17-May-2013 23:13:38.151] WINPERF: CollectorThread_C waiting for set change
[17-May-2013 23:13:38.151] Subagent "winperf.nsm" loaded successfully
[17-May-2013 23:13:38.151] WINPERF: CollectorThread_A: set changed
[17-May-2013 23:13:38.151] Subagent "wmi.nsm" loaded successfully
[17-May-2013 23:13:38.151] WINPERF: CollectorThread_A entered data collection lo
op
[17-May-2013 23:13:39.151] External parameters providers poller thread will not
start
[17-May-2013 23:13:39.151] PushConnector: named pipe created, waiting for connec
tion
[17-May-2013 23:13:39.151] StorageDiscoveryConnector: named pipe created, waitin
g for connection
[17-May-2013 23:13:39.151] Trying to bind on 0.0.0.0:4700
[17-May-2013 23:13:39.151] Listening on socket 0.0.0.0:4700
[17-May-2013 23:13:40.151] NetXMS Agent started
Agent running. Press ESC to shutdown.
[17-May-2013 23:14:03.667] LogWatch: Message file "C:\WINDOWS\system32\WsmRes.dl
l" loaded
[17-May-2013 23:14:03.667] Match event: source="WinRM" id=10149 level=2 text="El
servicio WinRM no estß escuchando solicitudes de adminstraci¾n remota de Window
s (WS-Management).
[17-May-2013 23:14:03.667] checking rule 1 ""
[17-May-2013 23:14:03.667]   rule has no context
[17-May-2013 23:14:03.667]   matching against regexp (.*)
[17-May-2013 23:14:03.667]   matched
[17-May-2013 23:14:03.667] SendTrap(): event_code=100008, event_name=(null), num
_args=1, arg[0]="El servicio WinRM no estß escuchando solicitudes de adminstraci
¾n remota de Windows (WS-Management).
[17-May-2013 23:14:03.667] rule 1 "" matched
[17-May-2013 23:14:03.667] processing stopped at rule 1 ""; result = true
[17-May-2013 23:14:08.683] LogWatch: Message file "C:\WINDOWS\system32\inetsrv\i
isrstas.exe" loaded
[17-May-2013 23:14:08.683] Match event: source="IISCTLS" id=6 level=4 text="La r
einicializaci¾n de IIS detect¾ un error al detener los servicios, solicitada por
HPCDSES\administrador. Los datos registrados son el c¾digo de estado. Dado que
la opci¾n para forzar estß activada, la reinicializaci¾n de IIS terminarß ahora
los procesos de servicios. Esta operaci¾n puede provocar que SCM informe de erro
res sobre la finalizaci¾n de los servicios. "
[17-May-2013 23:14:08.683] checking rule 1 ""
[17-May-2013 23:14:08.683]   rule has no context
[17-May-2013 23:14:08.683]   matching against regexp (.*)
[17-May-2013 23:14:08.683]   matched
[17-May-2013 23:14:08.683] SendTrap(): event_code=100008, event_name=(null), num
_args=1, arg[0]="La reinicializaci¾n de IIS detect¾ un error al detener los serv
icios, solicitada por HPCDSES\administrador. Los datos registrados son el c¾digo
de estado. Dado que la opci¾n para forzar estß activada, la reinicializaci¾n de
IIS terminarß ahora los procesos de servicios. Esta operaci¾n puede provocar qu
e SCM informe de errores sobre la finalizaci¾n de los servicios. " arg[1]="(null
)" arg[2]="(null)"
[17-May-2013 23:14:08.683] rule 1 "" matched
[17-May-2013 23:14:08.683] processing stopped at rule 1 ""; result = true
[17-May-2013 23:14:08.683] Match event: source="IISCTLS" id=4 level=4 text="Reci
bido comando de cierre de IIS del usuario HPCDSES\administrador. El dato registr
ado es el c¾digo de estado. "
[17-May-2013 23:14:08.683] checking rule 1 ""
[17-May-2013 23:14:08.683]   rule has no context
[17-May-2013 23:14:08.683]   matching against regexp (.*)
[17-May-2013 23:14:08.683]   matched
[17-May-2013 23:14:08.683] SendTrap(): event_code=100008, event_name=(null), num
_args=1, arg[0]="Recibido comando de cierre de IIS del usuario HPCDSES\administr
ador. El dato registrado es el c¾digo de estado. " arg[1]="(null)" arg[2]="(null
)"
[17-May-2013 23:14:08.683] rule 1 "" matched
[17-May-2013 23:14:08.683] processing stopped at rule 1 ""; result = true
[17-May-2013 23:14:08.683] Match event: source="IISCTLS" id=2 level=4 text="Reci
bido comando de detenci¾n de IIS del usuario HPCDSES\administrador. El dato regi
strado es el c¾digo de estado. "
[17-May-2013 23:14:08.683] checking rule 1 ""
[17-May-2013 23:14:08.683]   rule has no context
[17-May-2013 23:14:08.683]   matching against regexp (.*)
[17-May-2013 23:14:08.683]   matched
[17-May-2013 23:14:08.683] SendTrap(): event_code=100008, event_name=(null), num
_args=1, arg[0]="Recibido comando de detenci¾n de IIS del usuario HPCDSES\admini
strador. El dato registrado es el c¾digo de estado. " arg[1]="(null)" arg[2]="(n
ull)"
[17-May-2013 23:14:08.683] rule 1 "" matched
[17-May-2013 23:14:08.683] processing stopped at rule 1 ""; result = true
[17-May-2013 23:14:08.683] Match event: source="WinRM" id=10148 level=4 text="El
servicio WinRM estß escuchando solicitudes de adminstraci¾n remota de Windows (
WS-Management).
[17-May-2013 23:14:08.683] checking rule 1 ""
[17-May-2013 23:14:08.683]   rule has no context
[17-May-2013 23:14:08.683]   matching against regexp (.*)
[17-May-2013 23:14:08.683]   matched
[17-May-2013 23:14:08.683] SendTrap(): event_code=100008, event_name=(null), num
_args=1, arg[0]="El servicio WinRM estß escuchando solicitudes de adminstraci¾n
remota de Windows (WS-Management).
[17-May-2013 23:14:08.683] rule 1 "" matched
[17-May-2013 23:14:08.683] processing stopped at rule 1 ""; result = true
[17-May-2013 23:14:08.683] Match event: source="IISCTLS" id=1 level=4 text="Reci
bido comando de inicio de IIS del usuario HPCDSES\administrador. El dato registr
ado es el c¾digo de estado. "
[17-May-2013 23:14:08.683] checking rule 1 ""
[17-May-2013 23:14:08.683]   rule has no context
[17-May-2013 23:14:08.683]   matching against regexp (.*)
[17-May-2013 23:14:08.683]   matched
[17-May-2013 23:14:08.683] SendTrap(): event_code=100008, event_name=(null), num
_args=1, arg[0]="Recibido comando de inicio de IIS del usuario HPCDSES\administr
ador. El dato registrado es el c¾digo de estado. " arg[1]="(null)" arg[2]="(null
)"
[17-May-2013 23:14:08.683] rule 1 "" matched
[17-May-2013 23:14:08.683] processing stopped at rule 1 ""; result = true

Victor Kirhenshtein

#3
May 19, 2013, 01:28:19 PM
Hi!

From the log I can see that agent successfully find new record in log and tries to send it to server:

[17-May-2013 23:14:08.683]   matched
[17-May-2013 23:14:08.683] SendTrap(): event_code=100008, event_name=(null), num
_args=1, arg[0]="Recibido comando de inicio de IIS del usuario HPCDSES\administr
ador. El dato registrado es el c¾digo de estado. " arg[1]="(null)" arg[2]="(null
)"

What I didn't see in the log is communications with the server. Please check that server can communicate with agent. You can run configuration poll and see if agent is detected. If not, check network connectivity and firewalls between server and agent.

Best regards,
Victor

vmgracia

#4
May 20, 2013, 08:15:14 PM
the communication with the client seem to be ok

[20.05.2013 19:14:08] **** Poll request sent to server ****
[20.05.2013 19:14:08] Poll request accepted
[20.05.2013 19:14:08] Starting status poll for node Amaro
[20.05.2013 19:14:08] Checking SNMP agent connectivity
[20.05.2013 19:14:08] Checking NetXMS agent connectivity
[20.05.2013 19:14:08]    Starting status poll on interface Lan
[20.05.2013 19:14:08]       Current interface status is NORMAL
[20.05.2013 19:14:08]       Retrieving interface status from NetXMS agent
[20.05.2013 19:14:08]       Interface status retrieved from NetXMS agent
[20.05.2013 19:14:08]       Interface is NORMAL for 9 polls (1 poll required for status change)
[20.05.2013 19:14:08]       Interface status after poll is NORMAL
[20.05.2013 19:14:08]    Finished status poll on interface Lan
[20.05.2013 19:14:08] Node is connected
[20.05.2013 19:14:08] Finished status poll for node Amaro
[20.05.2013 19:14:08] Node status after poll is NORMAL
[20.05.2013 19:14:08] **** Poll completed successfully ****
Print
Go Up Pages1
User actions