Windows Events logging

Started by DanG, September 15, 2011, 01:19:57 PM


DanG

Hi,

I have the following parser (NetXMS 1.1.4):

<parser trace="7">
  <file>*Application</file>
  <rules>
    <rule>
      <level>31</level>
      <id>100</id>
      <match>(.*)</match>
      <event params="1">100010</event>
    </rule>
  </rules>
</parser>

I've turned tracing on (after I found https://www.netxms.org/forum/configuration/configuration-for-monitor-windows-syslog/), however I get no triggering at all. Anything wrong with my file? Is there anything else I can do to find out what's going on?

Thanks,

Dan




Victor Kirhenshtein

Hi!

File looks correct. Did you get something in the log file? Also, do you have an event with ID 100 in the application log?

Best regards,
Victor

DanG

Hi Victor,

No, there is nothing to be found in the log file related to the Windows event (while the log gets data from other DCIs on the same agent).
Yes, I have event 100; I wrote a utility that can generate events so I can test NetXMS without having to wait for a real event to occur.

Any other plan of action?

Dan

DanG

Hi Victor,

Good news: I forgot (stupid me) to add *LOGWATCH on the line preceding the parser = ... line in nxagentd.conf.
Once added, the log shows entries related to the logwatch.
Maybe you would like to consider adding a warning if "SubAgent = logwatch.nsm" is used but no *LOGWATCH section is present while at least one parser= line is set in nxagentd.conf, so folks like me will spend less time searching for stupid omissions :)

Bad news: I receive the following error in the log:
[Date] LogWatch: Call to EvtFormatMessage failed: The specified resource language ID cannot be found in the image file.
The software is running on Windows 2008 64-bit English. If I'm not mistaken, someone else had the same error. Is there a solution?

Dan
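The omission Dan describes, shown as a complete nxagentd.conf fragment. This is an added illustration, not configuration taken from the thread or from the NetXMS distribution: the subagent name and the *LOGWATCH section header are the ones named in the posts above, while the parser file path is a placeholder assumed for the example.

```ini
; nxagentd.conf fragment (added example; the parser path is an assumed placeholder)

; Main (unnamed) section: load the log watch subagent.
SubAgent = logwatch.nsm

; Subagent-specific settings only take effect under their section header.
; Without the *LOGWATCH line below, the Parser line sits in the main section
; and the subagent never loads the parser file (no LogWatch entries in the log).
*LOGWATCH
Parser = C:\NetXMS\etc\application-parser.xml
```

A quick check after editing is to raise the agent debug level, restart the service and confirm that lines prefixed with "LogWatch:" appear in the agent log; their absence is the symptom of the missing section.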

DanG

Victor,

Did you have the chance to look into this issue?

Regards,

Dan

Victor Kirhenshtein

Hi!

I spent some time on it, but was unable to find any useful information. If I build an agent version with excessive debug output, could you test it?

Best regards,
Victor

DanG

Victor,

I'll be glad to test it.

Regards,

Dan

DanG

Hi Victor,

I've noticed 1.1.6 is out, does it address the above mentioned problem?

Regards,
Dan

Victor Kirhenshtein

Hello!

Sorry for the delay with that. I did some additional testing, but was unable to reproduce this issue, even by installing event sources without English resources. The agent either gives a different error or renders the text as it should. I have made small changes in the log watch subagent and added logging of the message file name after an EvtFormatMessage failure, so at least it will be possible to see which application is causing this issue. The patched agent version can be downloaded here: https://www.netxms.org/download/dev/nxagent-1.1.6.2-x64.exe.

Best regards,
Victor

DanG

Hi Victor

The test that resulted in the error was done on the same server that NetXMS runs on.
I upgraded it to 1.1.6, after which the error is still there – this is expected.
May I install the debug agent on top of the server? Can I revert should something go wrong?

BTW, I did another test with the agent on a different server (Win 2008 x64, v. 1.1.5 and 1.1.6) without any problems. Go figure...

Regards,
Dan

Victor Kirhenshtein

Hi!

You can install test agent on same machine, using the following procedure:

1. Stop the NetXMS agent service.
2. Remove the agent service by running nxagentd.exe -R.
3. Install the test agent into a separate directory. This is most important! You will have to copy nxagentd.conf.

To recover after test agent uninstall, do the following:

1. Ensure that the uninstall has removed the agent service.
2. Install the agent service by running nxagentd -I -c <full_path_to_nxagentd.conf>.

Best regards,
Victor
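The swap-and-restore procedure above as a scripted version, with the check a practitioner wants before each destructive step (that the service really is unregistered before the other build is installed). This is an added example, not a script from the thread or from NetXMS. It assumes the Windows service name is "nxagentd" and uses placeholder install directories; adjust both to the real installation.

```powershell
# Added example: scripted form of Victor's swap/restore steps.
# Assumptions: service name 'nxagentd'; directories below are placeholders.
$ProdDir = 'C:\NetXMS'          # existing production agent
$TestDir = 'C:\NetXMS-test'     # separate directory for the test build (step 3)
$Conf    = Join-Path $ProdDir 'nxagentd.conf'

function Test-AgentServicePresent {
    return [bool](Get-Service -Name 'nxagentd' -ErrorAction SilentlyContinue)
}

function Remove-ProdAgentService {
    # Step 1: stop the service; step 2: deregister it with nxagentd.exe -R.
    Stop-Service -Name 'nxagentd' -ErrorAction SilentlyContinue
    & (Join-Path $ProdDir 'nxagentd.exe') -R
    if (Test-AgentServicePresent) {
        throw 'nxagentd service is still registered; not installing the test agent'
    }
    # Step 3 (the important one): the test build goes into its own directory
    # and needs its own copy of the configuration file.
    New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
    Copy-Item -Path $Conf -Destination (Join-Path $TestDir 'nxagentd.conf') -Force
    Write-Host "Now run the test agent installer into $TestDir"
}

function Restore-ProdAgentService {
    # Recovery step 1: the test agent's uninstall must have removed the service.
    if (Test-AgentServicePresent) {
        throw 'a nxagentd service is still present; uninstall the test agent first'
    }
    # Recovery step 2: re-register the production agent with the full config path.
    & (Join-Path $ProdDir 'nxagentd.exe') -I -c $Conf
    Start-Service -Name 'nxagentd'
}
```

Run Remove-ProdAgentService before installing the test build and Restore-ProdAgentService after uninstalling it; both refuse to continue while a service named nxagentd is still registered, which is the state that would otherwise leave two agents fighting over one service name.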

DanG

Hi,

I followed your instructions; with 1.1.6.2 everything works smoothly:

[16-Nov-2011 09:05:58] LogWatch: publisher name is test
[16-Nov-2011 09:05:58] Match event: source="test" id=100 level=1 text="testing"
[16-Nov-2011 09:05:58] checking rule 1 ""
[16-Nov-2011 09:05:58]   rule has no context
[16-Nov-2011 09:05:58]   matching against regexp (.*)
[16-Nov-2011 09:05:58]   matched
[16-Nov-2011 09:05:58] SendTrap(): event_code=100010, num_args=1, arg[0]="testing" arg[1]="(null)" arg[2]="(null)"
[16-Nov-2011 09:05:58] rule 1 "" matched

I then reverted to the 1.1.6 agent, and now I receive the error again:

[16-Nov-2011 09:16:28] LogWatch: publisher name is test
[16-Nov-2011 09:16:28] LogWatch: Call to EvtFormatMessage failed: The specified resource language ID cannot be found in the image file.

I went on and installed the original 1.1.6 agent in a separate directory.
This returns the above error as well.

So it seems something in 1.1.6.2 solves the problem, hopefully you know what this is.

Regards,

Dan
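The trace Dan posted shows the order in which the logwatch subagent evaluates a rule (level, then event ID, then the regular expression) and how params="1" turns the first capture group into the trap argument. As an added example that is not NetXMS code, the following Python model reproduces that evaluation for the parser file from the first post, so the meaning of each rule element can be tested offline. Two details are assumptions taken from the NetXMS logwatch documentation rather than from this thread: that <level> is a bitmask of event levels (1 error, 2 warning, 4 information, 8 audit success, 16 audit failure, so 31 matches all five) and that <id> may also be written as a low-high range. The sample events at the bottom are constructed for the demonstration.

```python
"""Model of NetXMS logwatch rule evaluation (added example, not project code).

Assumed semantics (from the logwatch documentation, not from the thread):
  <level>  bitmask of event levels, 31 = all;
  <id>     exact event ID or an assumed "low-high" range;
  params=N forwards the first N regex capture groups as trap arguments.
"""
import re
import xml.etree.ElementTree as ET

# Assumed level bits (see module docstring).
LEVEL_ERROR, LEVEL_WARNING, LEVEL_INFO, LEVEL_AUDIT_OK, LEVEL_AUDIT_FAIL = 1, 2, 4, 8, 16

# The parser file from the first post of the thread.
PARSER_XML = """<parser trace="7">
  <file>*Application</file>
  <rules>
    <rule>
      <level>31</level>
      <id>100</id>
      <match>(.*)</match>
      <event params="1">100010</event>
    </rule>
  </rules>
</parser>"""


class Rule:
    def __init__(self, level_mask, id_range, pattern, event_code, num_params):
        self.level_mask = level_mask    # which event levels the rule accepts
        self.id_range = id_range        # (low, high) or None for "any id"
        self.pattern = pattern          # compiled <match> regex
        self.event_code = event_code    # NetXMS event code to raise
        self.num_params = num_params    # capture groups forwarded as arguments


def _parse_id(text):
    """'100' -> (100, 100); '100-110' -> (100, 110) (assumed range syntax)."""
    if text is None:
        return None
    low, _, high = text.strip().partition("-")
    return (int(low), int(high or low))


def load_rules(xml_text):
    """Read every <rule> under <rules> in document order."""
    root = ET.fromstring(xml_text)
    rules = []
    for node in root.find("rules").findall("rule"):
        event = node.find("event")
        rules.append(Rule(
            level_mask=int(node.findtext("level", "31")),
            id_range=_parse_id(node.findtext("id")),
            pattern=re.compile(node.findtext("match", ".*")),
            event_code=int(event.text),
            num_params=int(event.get("params", "0")),
        ))
    return rules


def match_event(rules, event_id, level, text):
    """First matching rule wins; returns (event_code, args) or None.

    Mirrors the trace order: level against the mask, ID against the rule,
    then the text against the regex (unanchored search, like POSIX regexec).
    """
    for rule in rules:
        if not rule.level_mask & level:
            continue
        if rule.id_range and not rule.id_range[0] <= event_id <= rule.id_range[1]:
            continue
        m = rule.pattern.search(text)
        if not m:
            continue
        return rule.event_code, list(m.groups()[:rule.num_params])
    return None


# Constructed sample events (not taken from the posted log): (id, level, text).
SAMPLE_EVENTS = [
    (100, LEVEL_ERROR, "testing"),     # the event Dan's utility generates -> trap
    (101, LEVEL_ERROR, "wrong id"),    # ID mismatch -> no trap
    (100, 32, "unknown level"),        # level bit outside the 31 mask -> no trap
]


def run_samples(rules=None):
    """Evaluate the constructed events against the thread's parser."""
    rules = rules or load_rules(PARSER_XML)
    return [match_event(rules, *event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run_samples()):
        print(event, "->", result)
```

The first sample reproduces the posted trace: event 100 at level 1 passes the mask of 31, matches the ID, and `(.*)` captures "testing", which becomes arg[0] of event 100010. The other two show the two silent failure modes a practitioner should rule out when a rule never fires: an ID that does not match and a level bit that the mask does not include.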

Victor Kirhenshtein

Hi!

I have changed the system default locale in the call to EvtOpenPublisherMetadata to LANG_NEUTRAL. It's very good to know that this was the solution.

Best regards,
Victor

DanG

Hi,

Glad this has been solved. :)

I have a related question about syslog events. I can pass parameters from the matching regex defined in the parser's <match>...</match> section.
I'd like to pass the event ID as an additional parameter so I can test on it in the Event Processing Policy. Is there a way to do this?

Regards,

Dan