Logwatch Error with NetXMS 0.2.31 on Windows 2008 64bit

Started by nikos, December 03, 2009, 04:28:21 PM


nikos

Hi,

I have upgraded our systems with the NetXMS Agent version 0.2.31. So far no issues, BUT:
Monitoring Windows Event Logs on Windows 2008 64bit systems stopped working.
Note: in earlier releases we were only able to install the 32bit version on 64bit systems. (64bit agent gave us errors during install)
With version 0.2.31 this seems to be fixed, but the errors are indicating that there may be something wrong with the 64bit agent distribution.
Wondering if anybody else had/has this issue?

I added the trace="1" to the parser section and started the agent in debug mode (with the -D flag) and that's the result in the debug log:

[03-Dec-2009 15:19:19] Debug: LogWatch: registered parser for file *System, trace level set to 1
[03-Dec-2009 15:19:19] Debug: LogWatch: Start watching event log "System" (using EvtSubscribe)
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent
[03-Dec-2009 15:19:19] Debug: LogWatch: publisher name is NetXMS Win32 Agent

nikos

After some more analysis and testing I did notice the following (seems to be a bug):

As long as I set the Windows event log severity to 1 (== ERROR) in the logwatch parser xml-file, eventlog WARNING messages get reported but not the ERRORs.

When I change the severity to 2 (== WARNING), WARNINGs AND ERRORS get reported.

It seems that the logwatch parser has a problem identifying/filtering the eventlog severity on Windows 2008 servers.

@Victor: Any ideas / chance to fix?

Thanks a lot and kind regards

Victor Kirhenshtein

Hi!

Could you please post your parser configuration file? It may be just one rule which is not working.

Best regards,
Victor

nikos

Hi Victor!

Actually it's a very simple one... only one rule:

<parser>
   <file>*System</file>
   <rules>
      <rule>
         <level>1</level>
         <match>(.*)</match>
         <event params="1">100008</event>
      </rule>
   </rules>
</parser>
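
Added example, not part of the original thread and not NetXMS code: a small check that reads the parser file above and compares the severities its rule should match with the severities actually reported, using the two cases described earlier in the thread as constructed input. Treating `<level>` as a bitmask over the legacy Windows event type values, and the function names, are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Legacy Windows EVENTLOG_*_TYPE values; 1 and 2 agree with the thread's
# "1 == ERROR" and "2 == WARNING". Treating <level> as a bitmask over
# them is an assumption of this example.
SEVERITY_BITS = {"ERROR": 1, "WARNING": 2, "INFORMATION": 4}

# Parser configuration as posted in the thread.
PARSER_XML = """<parser>
   <file>*System</file>
   <rules>
      <rule>
         <level>1</level>
         <match>(.*)</match>
         <event params="1">100008</event>
      </rule>
   </rules>
</parser>"""


def expected_severities(parser_xml):
    """Return the set of severity names the configured rules should match."""
    root = ET.fromstring(parser_xml)
    wanted = set()
    for rule in root.iter("rule"):
        level = rule.findtext("level")
        # A rule without <level> is assumed here to match every severity.
        mask = int(level, 0) if level is not None else sum(SEVERITY_BITS.values())
        wanted |= {name for name, bit in SEVERITY_BITS.items() if mask & bit}
    return wanted


def coverage_gaps(parser_xml, reported):
    """Compare the severities actually reported with what the config asks for."""
    wanted = expected_severities(parser_xml)
    seen = set(reported)
    return {"missing": sorted(wanted - seen), "unexpected": sorted(seen - wanted)}


if __name__ == "__main__":
    # Constructed observations mirroring the two cases described in the thread.
    print(coverage_gaps(PARSER_XML, ["WARNING"]))
    level2 = PARSER_XML.replace("<level>1<", "<level>2<")
    print(coverage_gaps(level2, ["WARNING", "ERROR"]))
```

A non-empty `missing` list means events the rule was written to catch never reached the server, which is the case that silently breaks alerting.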

Victor Kirhenshtein

Hi!

It seems that I have fixed the problem. Attached is logwatch.nsm for Windows x64. Could you please try it?

Best regards,
Victor

nikos

Dear Victor

Works perfect now!
What should I say..... your support and response time was BRILLIANT once AGAIN!
Many, many thanks for that!
Have a great week and kind regards

nikos

After upgrading to the latest available release (1.1.0-rc11) Logwatch stopped working on some systems.
When I trace I get the following errors in the debug log:

LogWatch: publisher name is NetXMS Win32 Agent
LogWatch: Call to EvtFormatMessage failed: The specified resource language ID cannot be found in the image file.

Any ideas why?

Kind Regards

Nikos

Victor Kirhenshtein

Do you use English version of Windows or localized one?

Best regards,
Victor

nikos

Hi Victor

It's an English version. I checked with the other systems where logwatch is working, and the only thing which was different was that, for non-Unicode regional settings, on the one which gives us problems the location was set to German-Switzerland. I changed this to English, but no success.

nikos

Hi Victor,

any news/ideas on this issue?

Kind Regards

Victor Kirhenshtein

Hi!

Unfortunately no. I cannot reproduce this problem nor find any useful information about this error. Interesting thing is that from the trace ("LogWatch: publisher name is NetXMS Win32 Agent") we can see that agent fails on formatting its own messages. Is it always the case? If yes, could you try to reinstall agent's service on problematic machine with the following commands:

nxagentd.exe -R
nxagentd.exe -I -c <full+path_to_config_file>

Best regards,
Victor

nikos

Hi Victor!

I did the following:

C:\NetXMS\bin>nxagentd.exe -R
Win32 Agent service deleted successfully
Event source "NetXMS Win32 Agent" uninstalled successfully

C:\NetXMS\bin>nxagentd.exe -I -c "C:\NetXMS\etc\nxagentd.conf"
Service "NetXMSAgentdW32" created successfully
Event source "NetXMS Win32 Agent" installed successfully

Unfortunately it is still not working. I did try it as well with the 0.2.31 Version and the "fixed" logwatch.nsm go created once, but strangely it is as well not working. :-(