Windows Event Log parser rule causes server crash

Started by noel, March 14, 2024, 03:09:43 PM


noel

Hi,

I'm trying to set up a log parser rule that would trigger an event if an administrator logs on to a monitored computer; however, this rule causes the NetXMS server to crash with a segmentation fault.

NetXMS Server versions that I've tried: 4.5.3, 4.5.4

The parser which causes the crash (made it with the GUI then switched to the XML view):
<parser name="Default parser">
   <macros/>
   <rules>
      <rule name="Admin logon">
         <match repeatInterval="0" reset="false">Emelt szintű jogkivonat:\s+Igen(?:.|\n)+Fióknév:\s+(\w+)</match>
         <event>VV_ADMIN_LOGON</event>
         <id>4624</id>
         <agentAction action=""></agentAction>
      </rule>
   </rules>
</parser>
Windows event 4624 is created when a user logs in, and with this rule I'd like to check whether they're an administrator and what their name is. (The monitored desktops run Windows 10 with the Hungarian language.)

How could I solve this?

Filipp Sudanov

It would be good if you could collect some debug information. If your server is on Linux:

- install netxms-dbg and gdb packages
- stop netxms server:
systemctl stop netxmsd
- launch it under gdb:
gdb --args netxmsd -D 3

then enter run

when it crashes, enter bt and show us the output

----

Meanwhile, you can use another option to monitor Windows event logs: adding a log parser policy to a template and applying that template to your nodes. https://www.netxms.org/documentation/adminguide/log-monitoring.html#file-tag
Chances are that this bug will not appear when using this approach (but maybe not).

noel

Attached the full bt output. I'll also try the suggested method and get back with the results.

noel

I tried creating a template and added a log parser policy with the following content:
<parser checkInterval="1" name="Admin activity parser">
   <macros/>
   <file>*Security</file>
   <rules>
      <rule name="Login">
         <match repeatCount="0" repeatInterval="3600" reset="false">Emelt szintű jogkivonat:\s+Igen(?:.|\r\n)+Fióknév:\s+(\w+)</match>
         <event>VV_ADMIN_LOGON</event>
         <id>4624</id>
         <push group="1"></push>
         <agentAction action=""></agentAction>
      </rule>
   </rules>
</parser>
It didn't crash the server; however, it also doesn't trigger the event. I tried to:
  • reduce the checkInterval from the default 10000 to 1 (what is the unit for this?)
  • make the regex match the whole message
  • use literal \r\n and \t in the expression
I made sure that the template is applied to the node I'm testing with, and in the Windows events view I can see the Windows event for the login. Also, I'm still running netxmsd from gdb, and I can only see entries like this and nothing else when I log into an account on the client:
*D* [agent.conn.10794   ] AgentConnectionEx::onWindowsEvent(): Received event from agent at 10.255.7.114, node ID 1814

Filipp Sudanov

I'd guess the unit is ms, but I'll check.

And if you try a policy as simple as this:
<parser checkInterval="10000" name="">
  <macros/>
  <file>*Security</file>
  <rules>
      <rule name="">
        <match repeatCount="0" repeatInterval="1">.*</match>
        <event>A</event>
        <metrics class="java.util.ArrayList"/>
        <agentAction action=""></agentAction>
      </rule>
  </rules>
</parser>

will there be any events?

Checklist of things:
- agent should have this in its config:
SubAgent = logwatch
- template with the policy should be applied to node


noel

I did manage to get events when trying simple regexes that didn't try to match multiple lines of Windows log messages.
But I'm a bit confused now about what the tested string is, since the docs only mention single lines, but the Windows event is multiple lines, and when I simply put (.*) as the match regex, %1 in the event was a multi-line string with the full Windows event message; which is strange, since as far as I know . matches everything except newline. But either way, the regex I used had . and explicit \r\n matched multiple times, so it should've caught each case; it also worked when I tested it on regexr.com.

noel

Finally, with the following regex I managed to get it working, so it only matches admin users' logins:
Virtuális fiók:\t\tNem.*Emelt szintű jogkivonat:\t\tIgen.*Fióknév:\t\t(\w+).*Fiók tartománya:\t\t(?!NT AUTHORITY)
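The final pattern run over constructed Hungarian 4624 messages, as an added check that is not part of the thread or of NetXMS itself. It assumes the log parser lets `.` span newlines (what the poster observed when `(.*)` captured the whole message), reproduced here with re.DOTALL; the sample messages are constructed approximations in which only the field labels used by the pattern are taken from the thread, and the section headings are made up.

```python
import re

# Pattern from the thread, compiled with DOTALL on the assumption (see lead-in)
# that NetXMS matches "." across line breaks in the event message.
ADMIN_LOGON = re.compile(
    r"Virtuális fiók:\t\tNem.*Emelt szintű jogkivonat:\t\tIgen.*"
    r"Fióknév:\t\t(\w+).*Fiók tartománya:\t\t(?!NT AUTHORITY)",
    re.DOTALL,
)


def build_4624(subject, virtual, elevated, account, domain):
    """Constructed, abbreviated 4624 message in the field order Windows uses:
    Subject, Logon Information, New Logon. Section headings are invented;
    the tab-separated field labels match the ones in the thread's regex."""
    return (
        "Egy fiók sikeresen bejelentkezett.\r\n\r\n"
        "Tárgy:\r\n"
        f"\tFióknév:\t\t{subject}\r\n"
        "\tFiók tartománya:\t\tMUNKACSOPORT\r\n\r\n"
        "Bejelentkezési adatok:\r\n"
        f"\tVirtuális fiók:\t\t{virtual}\r\n"
        f"\tEmelt szintű jogkivonat:\t\t{elevated}\r\n\r\n"
        "Új bejelentkezés:\r\n"
        f"\tFióknév:\t\t{account}\r\n"
        f"\tFiók tartománya:\t\t{domain}\r\n"
        "\tHálózati fióknév:\t\t-\r\n"
    )


def admin_account(message):
    """Return the account name for an elevated, non-NT AUTHORITY logon, else
    None. The captured group is what %1 / <push group="1"> would carry."""
    m = ADMIN_LOGON.search(message)
    return m.group(1) if m else None


# Constructed samples: an admin logon, a plain user logon, a SYSTEM logon.
SAMPLES = {
    "admin": build_4624("PC01$", "Nem", "Igen", "rendszergazda", "VALLALAT"),
    "user": build_4624("PC01$", "Nem", "Nem", "kovacs", "VALLALAT"),
    "system": build_4624("PC01$", "Nem", "Igen", "SYSTEM", "NT AUTHORITY"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {admin_account(msg)}")
```

The SYSTEM sample shows why the trailing negative lookahead matters: its token is elevated too, so without the NT AUTHORITY exclusion every service logon would raise VV_ADMIN_LOGON.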