Netxms Agent 2.1-M2&M3 service unexpectedly stops when sending traps to server

Started by NillaMilla, April 07, 2017, 10:40:30 PM


NillaMilla

Hello,

Any assistance would be greatly appreciated. I have been running versions 2.0.6 and 2.0.8 for a bit now and have enjoyed having the functionality of using the NetXMS agents on all of my Windows machines to parse these security logs. I have decided to experiment with the 2.1-M2 and M3 versions for their added functionality of the new <match> options (such as repeat count and intervals) in the parser files. With versions 2.0.6 or 2.0.8 x64 agents installed on Windows 7 and Server 2012 OSE's, the agents had no problem filtering a flood of security events (dozen or so events) within a very short duration of time (seconds) with a match all rule in place (.*). With the exact same agent config and securityparser.xml file in place for an x64 2.1-M2 or M3 agent on Windows 7 or Server 2012, the agent server will unexpectedly shut down every time there is a flood of events that meet the filtering rule.

Any help or information would be greatly appreciated.  Is this a known issue?  It is very repeatable when trying to parse a large number of events within a short period of time. 

Thanks,

-Dan

Victor Kirhenshtein

Hi,

Please turn on agent crash dumps by adding to nxagentd.conf:

CreateCrashDumps = yes
DumpDirectory = some_path

and send crash dumps (if any) to [email protected]

Best regards,
Victor

NillaMilla

Hello Victor,

I completed some more testing this morning on Version 2.0.8 and 2.1-M1 through 2.1-M3, 32 and 64 bit agents. I was unable to get a dump file from any of the failed results.  I have inserted some text containing the current agent config, parser code, and last few statements of log prior to crash, with debug set at level 9.  This exact same setup works flawlessly on Version 2.0.8 agents.

Is there any possibility that the server side may cause this issue?

Thanks,

-Dan

************** agent config ***********************

#

# NetXMS system agent configuration file

#

#Master Config


MasterServers = x.x.x.x
ConfigIncludeDir = C:\NetXMS\etc\nxagentd.conf.d
LogFile = C:\NetXMS\NetXMS_FileManager\log.txt
FileStore = C:\NetXMS\NetXMS_FileManager

SubAgent = filemgr.nsm
SubAgent = logwatch.nsm
SubAgent = winperf.nsm

DebugLevel = 9

#disable agent actions

EnableActions = yes

CreateCrashDumps = yes
DumpDirectory = C:\

#require authentication

RequireAuthentication = yes

#require encryption

RequireEncryption = yes

#Shared secret for authentication

SharedSecret = xxxxxxxxx

#File Manager Definitions

*filemgr.nsm

[filemgr]

RootFolder = C:\NetXMS\NetXMS_FileManager

#Log File Parser Definitions

*LOGWATCH

Parser = C:\NetXMS\NetXMS_FileManager\SecurityParser.xml


***********************SecurityParser.xml****************************

<parser>
  <file>*Security</file>
  <rules>
    <rule>
      <level>16</level>
      <match>(.*)</match>
      <event params="1">100018</event>
    </rule>
  </rules>
</parser>


********************Last few statements in log prior to service shutting down***************************

[10-Apr-2017 09:00:50.633] [DEBUG] LogWatch: publisher name is Microsoft-Windows-Security-Auditing
[10-Apr-2017 09:00:50.633] [DEBUG] LogWatch: publisher name is Microsoft-Windows-Security-Auditing
[10-Apr-2017 09:00:50.633] [DEBUG] LogWatch: publisher name is Microsoft-Windows-Security-Auditing
[10-Apr-2017 09:00:50.633] [DEBUG] LogWatch: publisher name is Microsoft-Windows-Security-Auditing
[10-Apr-2017 09:00:53.133] [DEBUG] LogWatch: publisher name is Microsoft-Windows-Security-Auditing
[10-Apr-2017 09:00:53.133] [DEBUG] LogWatch: publisher name is Microsoft-Windows-Security-Auditing
[10-Apr-2017 09:00:53.133] [DEBUG] LogWatch: publisher name is Microsoft-Windows-Security-Auditing
[10-Apr-2017 09:00:53.133] [DEBUG] SendTrap(): event_code=100018, event_name=(null), num_args=6, arg[0]="The computer attempted to validate the credentials for an account.

****NetXMS agent service shuts down when the above trap message is sent and the message is never received by the server. This issue is repeatable on my WinServer 2012 and Win 7 machines on all agent versions 2.1-M1 through M3 on 32 and 64 bit installs. Notably the 64 bit agents will not successfully send any traps like the above to server without crashing the service, where the 32 bit agents will sometimes successfully pass the trap to the server and produce an event. The same configuration works flawlessly with a 2.0.8 agent.******





Dani@M3T

Hi

I also see agent crashes with V2.1-M3 on Windows Server 2012 R2 if the log parser is used for Windows event logs. I get "EXCEPTION 0xC0000005 (Access violation) at 0x00541387" in the agent debug log. I have sent the crash dump by mail.
I can reproduce the crash with eventcreate.exe.

Best regards
Dani

Victor Kirhenshtein

Hi,

Should be fixed by now. The fix will be included in the 2.1-RC1 release.

Best regards,
Victor