  2. ZBX-12312

Zabbix agent does not send events from "Forwarded Events" event log


    • Type: Documentation task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.9
    • Fix Version/s: 4.0 (plan)
    • Component/s: Agent (G)
      Windows server > 2008
      Team A
      Sprint 11, Sprint 12, Sprint 13, Sprint 14, Sprint 15, Sprint 16, Sprint 17, Sprint 18, Sprint 19, Sprint 20
      It’s possible for a Windows server to forward its events to a “subscribing” server. In this scenario the collector server can become a central repository for Windows logs from other servers in the network. Zabbix agent can be installed on the collector and can be used to monitor received logs from other servers.

      The issue is that Zabbix agent does not send events from the "Forwarded Events" event log from collector. It does not generate any errors also.


      • Zabbix agent has 2 items:
      • It sends events from the Security log, but does not send for ForwardedEvents
      • It does not generate an error for ForwardedEvents also
      • Tried to change user from System to administrator - didn't help

      Debug has no clue about the root cause:

        6328:20170625:203913.873 got [{"response":"success","data":[{"key":"eventlog[ForwardedEvents,,,,4625,,]","delay":1,"lastlogsize":0,"mtime":0},{"key":"eventlog[Security,,,,4625,,]","delay":1,"lastlogsize":47652,"mtime":0}]}]
        6328:20170625:203923.490 In process_active_checks() server:'<some IP>' port:10051
        6328:20170625:203923.502 In initialize_eventlog6() source:'ForwardedEvents' previous lastlogsize:0
        6328:20170625:203923.502 In zbx_open_eventlog6()
        6328:20170625:203923.502 End of zbx_open_eventlog6():SUCCEED FirstID:5544 LastID:12572 numIDs:7028
        6328:20170625:203923.502 In zbx_get_handle_eventlog6(), previous lastlogsize:0
        6328:20170625:203923.502 End of zbx_get_handle_eventlog6():SUCCEED
        6328:20170625:203923.519 End of initialize_eventlog6():SUCCEED
        6328:20170625:203923.519 In process_eventlog6() source: 'ForwardedEvents' previous lastlogsize: 0, FirstID: 5544, LastID: 12572
        6328:20170625:203923.519 In zbx_get_eventlog_message6() EventRecordID:5544
        6328:20170625:203923.614 End of zbx_get_eventlog_message6():SUCCEED
        6328:20170625:203923.627 End of process_eventlog6():SUCCEED
        6328:20170625:203923.627 In finalize_eventlog6()
        6328:20170625:203923.627 End of finalize_eventlog6():SUCCEED
        6328:20170625:203923.627 In need_meta_update() key:eventlog[ForwardedEvents,,,,4625,,]
        6328:20170625:203923.645 End of need_meta_update():FAIL
        6328:20170625:203924.738 In process_active_checks() server:'<some IP>' port:10051
        6328:20170625:203924.738 In initialize_eventlog6() source:'ForwardedEvents' previous lastlogsize:0
        6328:20170625:203924.738 In zbx_open_eventlog6()
        6328:20170625:203924.755 End of zbx_open_eventlog6():SUCCEED FirstID:5544 LastID:12584 numIDs:7040
        6328:20170625:203924.755 In zbx_get_handle_eventlog6(), previous lastlogsize:0
        6328:20170625:203924.755 End of zbx_get_handle_eventlog6():SUCCEED
        6328:20170625:203924.770 End of initialize_eventlog6():SUCCEED
        6328:20170625:203924.770 In process_eventlog6() source: 'ForwardedEvents' previous lastlogsize: 0, FirstID: 5544, LastID: 12584
        6328:20170625:203924.770 In zbx_get_eventlog_message6() EventRecordID:5544
        6328:20170625:203924.865 End of zbx_get_eventlog_message6():SUCCEED
        6328:20170625:203924.865 End of process_eventlog6():SUCCEED
        6328:20170625:203924.879 In finalize_eventlog6()
        6328:20170625:203924.879 End of finalize_eventlog6():SUCCEED
        6328:20170625:203924.879 In need_meta_update() key:eventlog[ForwardedEvents,,,,4625,,]
        6328:20170625:203924.879 End of need_meta_update():FAIL

      Note, log size is ~30MB (not "lastlogsize:0"). Agent can see that the log has new events but does not send them (e.g. LastID: 12572 --> LastID: 12584).




            • Assignee:
              wiper Andris Zeila
              oleg.ivanivskyi Oleg Ivanivskyi
