I just started to use the windows EventLog parsing and have some questions:
1.
I would like to have a quite generic parser which parses for all errors in the system eventlog (all sources and all IDs). I managed that. Then I would like to give the event source and the event ID as parameters to NetXMS. But I only see the possibility to extract parameters out of the eventlog description field (with regexp). In this field, source and ID are not available. I tried [<id>(.*)</id>], but that's not supported. Is there another possibility for such parsing? I can't make a rule for each possible source and each ID.
2.
I would like to parse for 'the previous shutdown was unexpected' events (source=EventLog, id=6008). But it's not possible. I suppose the agent starts parsing the eventlog when it starts up. But this EventLog event is earlier (between system boot and start of the NetXMS agent). Is there a possibility that the agent can also parse the events between system start and agent start?
3.
Is there a good website with ideas for EventLog events which should be monitored? Some commercial network monitoring products have a lot of predefined EventLog events. Maybe someone knows a good source.
4.
What's the best solution to deliver the parser xml files to a lot of nodes?
thanks
Dani
no one with Windows EventLog parsing experience?
Quote from: Dani@M3T on April 09, 2014, 01:36:53 PM
no one with Windows EventLog parsing experience?
Hi, I am interested in answers also :)
Victor, maybe you could help
Hi!
I won't be able to help you much. #1, #2, and #4 need changes in the agent (#4 also in the server). #1 is implemented in 1.2.14 (event source, id, and severity passed as three additional parameters for the generated event). #2 should be relatively easy to implement, I'll add this as a feature request for 1.2.15. For #4 we plan to introduce a new policy type to distribute parser configurations across nodes in the same way as you can distribute configuration files, but I cannot promise the exact release in which it will be implemented.
Best regards,
Victor
Hi Victor
Thanks for your information and your work. I agree with all points.
thanks
Dani
Is #2 already implemented? My newest test says NO. (I didn't see the feature request in the bug tracker.)
Any plans for #4? Delivering the parser files by agent policy is in my opinion the most elegant way.
Yes, it seems that it was forgotten. I've created an issue in the bug tracker (https://www.radensolutions.com/chiliproject/issues/641). As for #4, it will be in the 2.0 branch, probably close to year end.
Best regards,
Victor
thanks for the update, ok for me.
Hi,
#2 is implemented in 1.2.17. This is turned off by default to maintain compatibility with previous versions. Setting the parameter ProcessOfflineEvents in the LogWatch section to yes or true will enable this feature. When on, the agent will save the timestamp of the last processed event and on start will process all events since the last processed one.
Best regards,
Victor
Hi Victor
I come back to #2 and #4:
#2: I tested again with V2.0-M3 but it is not working for me. Can you please check again?
#4: For which version is this planned?
Thanks, Dani
Hi,
Can you please show me your agent config and the content of the registry entries under HKEY_USERS\.DEFAULT\Software\NetXMS\LogParserLibrary (assuming you run the agent under the Local System account - otherwise check the same registry path under the appropriate user)?
Best regards,
Victor
agent config (put together from server agent configuration and agent policy):
MasterServers = netxms.domain.com
ListenPort = 4700
RequireAuthentication = yes
RequireEncryption = yes
EnabledCiphers = 1
SharedSecret = longkey
EnableWatchdog = yes
LogFile = {syslog}
LogFile = ${ProgramFiles}\NetXMS\nxagentd.log
DebugLevel = 0
ConfigIncludeDir = ${ProgramFiles}\NetXMS\etc\nxagentd.conf.d
FileStore = ${ProgramFiles}\NetXMS\var
SubAgent = ecs.nsm
SubAgent = portcheck.nsm
SubAgent = ping.nsm
SubAgent = winperf.nsm
SubAgent = wmi.nsm
SubAgent = logwatch.nsm
SubAgent = filemgr.nsm
[filemgr]
RootFolder = ${SystemDrive}\
[logwatch]
ProcessOfflineEvents = yes
Parser = ${ProgramFiles}\NetXMS\var\eventlog-system-parser.xml
Parser = ${ProgramFiles}\NetXMS\var\eventlog-application-parser.xml
Registry Key HKEY_USERS\.DEFAULT\Software\NetXMS\LogParserLibrary:
LogWatch.Application REG_DWORD 0x552b7a44
LogWatch.System REG_DWORD 0x552b7a78
Have you found anything in my config and the registry?
Hi Victor.
Have you found anything in my config and the registry?
thanks
Dani
Hi,
It looks perfectly fine. I re-ran the tests on my system, and the agent picks up everything as expected. Let's try to upgrade this system to 2.0-M4 (just to make sure I'm checking the latest codebase), and if it does not help I'll create a special build with additional debug output.
Best regards,
Victor
Ok, I will try V2.0-M4 first. When will it be available?
It's just made available for download.
Best regards,
Victor
I have updated to V2.0-M4, but I see the same issue as before.
I tested like this:
parser xml:
<parser name="SystemLog">
    <file>*System</file>
    <rules>
        <rule>
            <match>(.*)</match>
            <level>1</level>
            <event params="1">100845</event>
        </rule>
    </rules>
</parser>
I turned a Win7-x64 virtual machine off hard and started it again. But I don't get an event '100845' in NetXMS for the Windows error 6008 (last shutdown was unexpected) in the system eventlog.
Other Windows events while the node is working normally are parsed OK and generate NetXMS events.
Can you please set the debug level to at least 2, reset the system again, and check the agent's log for a message like
LogWatch: reading old events between ... and ...
and possibly also like this:
LogWatch: EvtQuery failed (...)
and post those lines and timestamp of "unexpected shutdown" event.
Best regards,
Victor
Hi Victor
Here is the agent log with debuglevel=2. There was no "LogWatch: EvtQuery failed (...)".
There were these events for example before the NetXMS agent started:
Event-ID 41, Source=Kernel-Power, severity=critical, 04.05.2015 18:19:34
Event-ID 6008, Source=EventLog, severity=error, 04.05.2015 18:19:36
thanks
Dani
Hi Victor
Have you found anything about this?
thanks
Dani
Have you found anything in the debug log file?
Hello Victor,
Is it possible to add the user name of the Windows event log entry to the event parameters?
I monitor a terminal server farm for application crashes, which works really nicely, but I would like to know in the event which user session is affected.
Greetings
Ben
Are there any news about the offline processing feature? In V2.0-RC2 it's still not working for us.
It works on all my (very limited) set of Windows systems (tested on Win XP, Win 7, and Win 10). Do you have it working on at least one system?
Best regards,
Victor
Hi Victor
Very strange. I have tested with a Win7, a Win8.1 and a Win2012R2 node. All with the same negative result.
How did you test?
My test was like this:
Logwatch section of the agent config:
[logwatch]
ProcessOfflineEvents = yes
Parser = ${ProgramFiles}\NetXMS\var\eventlog-system-parser.xml
Parser = ${ProgramFiles}\NetXMS\var\eventlog-application-parser.xml
Parser (file: eventlog-system-parser.xml):
<parser name="SystemLog">
    <file>*System</file>
    <rules>
        <rule>
            <match>(.*)</match>
            <level>1</level>
            <event params="1">100845</event>
        </rule>
    </rules>
</parser>
Then I hard-switched off the node. After that I checked the NetXMS events of this node. But I can't find any event for the expected Windows event (Eventlog: System, Event-ID: 6008, Source: Eventlog, Text: Last shutdown was unexpected).
During normal operation I get a NetXMS event for every error in the Windows Eventlog. I only have problems with offline events.
thanks
Dani
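The following is an added Python model of the behaviour under discussion, not NetXMS agent code: it applies the SystemLog rule posted above to a constructed System log around an unexpected shutdown, and contrasts the default start-up behaviour with the ProcessOfflineEvents mode Victor described (resume from the last processed timestamp, as stored under LogWatch.System). The severity-to-level bit mapping and the sample entries are assumptions made for the example.

```python
import re
from collections import namedtuple

# Fields: Unix-second timestamp, event source, event id, severity, description text
WinEvent = namedtuple("WinEvent", "timestamp source event_id severity description")

# Constructed sample System log around an unexpected shutdown: the 6008 entry is
# written at boot, about 25 s before the agent process starts.
SYSTEM_LOG = [
    WinEvent(1430756374, "Kernel-Power", 41, "critical", "The system has rebooted without cleanly shutting down first."),
    WinEvent(1430756376, "EventLog", 6008, "error", "The previous system shutdown was unexpected."),
    WinEvent(1430756500, "Service Control Manager", 7000, "error", "A service failed to start."),
]
AGENT_START = 1430756400

# Mirrors the posted rule: <match>(.*)</match>, <level>1</level>, <event params="1">100845</event>
RULE = {"match": re.compile(r"(.*)"), "level": 1, "event": 100845, "params": 1}
# Assumed severity-to-<level> bit mapping; only "error" (bit 1) matters for this thread
LEVEL_BITS = {"error": 1, "warning": 2, "information": 4}

def apply_rule(ev):
    """Return (NetXMS event code, parameter list) when the rule fires, else None."""
    if not LEVEL_BITS.get(ev.severity, 0) & RULE["level"]:
        return None
    m = RULE["match"].fullmatch(ev.description)
    if m is None:
        return None
    params = [m.group(i) for i in range(1, RULE["params"] + 1)]
    # 1.2.14+ passes source, id and severity as three extra parameters after the captures
    params += [ev.source, str(ev.event_id), ev.severity]
    return RULE["event"], params

def run_agent(log, agent_start, process_offline, checkpoint):
    """Simulate one agent start; checkpoint is the last processed event's timestamp
    from the previous run (what LogWatch.System would hold), or None on a first run."""
    if process_offline and checkpoint is not None:
        since = checkpoint   # replay everything logged after the last processed event
    else:
        since = agent_start  # default: only entries written after startup are seen
    generated, last = [], checkpoint
    for ev in sorted(log, key=lambda e: e.timestamp):
        # A seconds-resolution checkpoint skips same-second entries; record numbers would be safer
        if ev.timestamp <= since:
            continue
        hit = apply_rule(ev)
        if hit is not None:
            generated.append(hit)
        last = ev.timestamp
    return generated, last
```

Running both modes over the same log shows the 6008 entry only appears as NetXMS event 100845 in the offline-processing run, which is the difference Dani is testing for.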