Details

    • Type: Incident report
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9.0 (alpha)
    • Fix Version/s: 2.1.5, 2.2.0, 2.2.1rc1, 2.3.0
    • Component/s: Agent (G)
    • Labels:
    • Environment:
      Windows Vista and later (Vista, 7, 2008), Zabbix Agent 1.9 (r10124)

      Description

      Zabbix cannot generate Windows event log messages from the new eventing system log, the "Windows Eventing 6.0" log.
      "Windows Eventing 6.0" was added from Windows Vista onward.
      Though many legacy eventing system logs still exist on Windows Vista and later, some event logs are "Windows Eventing 6.0" logs.
      We have to use an XPath query with the new event log API to get these new event log messages.

      The details follow.

        1. Before Windows Vista (NT, 2000, XP, 2003)
          We can get the message table file path by searching for the value "EventMessageFile" under "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\*\*" using RegQueryValueEx().
          Then we can generate the event log message with FormatMessage() from the message table file.
          Zabbix works this way (see "src/zabbix_agent/eventlog.c").
          All event log registry entries have "EventMessageFile", so Zabbix works well before Windows Vista.
        2. After Windows Vista (Vista, 7, 2008)
          On Windows Vista and later, there are some event logs which don't have "EventMessageFile" in the registry.
          For example, on Windows Vista and 7, "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\WMPNetworkSvc" doesn't have "EventMessageFile" (picture "01.jpg").
          So Zabbix cannot get the message table file path and cannot generate the event log message.
          These are "Windows Eventing 6.0" event logs added from Windows Vista onward, which don't have "EventMessageFile".
          The event log API was also changed.
          We have to use an XPath query to get the event log messages.
          (reference: http://msdn.microsoft.com/en-us/magazine/cc163431.aspx)

      How to reproduce:
      The easiest way is to start and stop the "Windows Media Player Network Sharing Service" from the Windows service manager on Windows Vista or 7.
      It uses "Windows Eventing 6.0".
      Please see picture "02.jpg".
      The original Zabbix failed to get the event log message.
      The failed source name is "WMPNetworkSvc".
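      As an added example (not code from this issue or from the Zabbix patches attached to it), the following PowerShell script performs the two lookups the report contrasts: it checks the registry for the legacy "EventMessageFile" value of the WMPNetworkSvc source, then reads that source's events through the Windows Eventing 6.0 API with an XPath query (Get-WinEvent wraps EvtQuery/EvtFormatMessage). The function names Test-LegacyEventSource and Get-EventsByXPath are assumed names; the log name, source name and registry path are the ones given in the report.

```powershell
# Added example, not part of the Zabbix issue or its patches.
# Test-LegacyEventSource and Get-EventsByXPath are assumed helper names.

function Test-LegacyEventSource {
    param(
        [Parameter(Mandatory)] [string]$LogName,
        [Parameter(Mandatory)] [string]$Source
    )
    # Legacy (pre-Vista) lookup: the agent reads EventMessageFile under
    # HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>\<source>.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
    $item = Get-ItemProperty -Path $key -Name EventMessageFile -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No message table registered the old way: this is a Windows Eventing 6.0
        # source, so FormatMessage() against a message file cannot render it.
        return $null
    }
    return $item.EventMessageFile
}

function Get-EventsByXPath {
    param(
        [Parameter(Mandatory)] [string]$LogName,
        [Parameter(Mandatory)] [string]$Source,
        [int]$MaxEvents = 5
    )
    # XPath over the event XML: select events whose System/Provider name matches.
    $xpath = "*[System[Provider[@Name='$Source']]]"
    # Get-WinEvent renders Message from publisher metadata (Eventing 6.0 API),
    # so it works for sources that have no EventMessageFile value.
    Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Reproduction from the report: start and stop the WMP Network Sharing Service
# (needs an elevated prompt), then inspect the events it wrote to the System log.
Start-Service -Name WMPNetworkSvc
Stop-Service -Name WMPNetworkSvc

$messageFile = Test-LegacyEventSource -LogName 'System' -Source 'WMPNetworkSvc'
if ($null -eq $messageFile) {
    Write-Host 'WMPNetworkSvc has no EventMessageFile: legacy lookup fails, using XPath query.'
} else {
    Write-Host "Legacy message table: $messageFile"
}
Get-EventsByXPath -LogName 'System' -Source 'WMPNetworkSvc' | Format-Table -AutoSize
```

      Running the same script with a legacy source (for example one that still has EventMessageFile) prints the message table path in the first step, which is the case the old agent code handles.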

        Attachments

        1. [MS-EVEN6].pdf (2.89 MB)
        2. 01.jpg (60 kB)
        3. 02.jpg (102 kB)
        4. build_makefile.zip (3 kB)
        5. diff_of_1st_2nd_post.diff (3 kB)
        6. eventlog.c (16 kB)
        7. graph_reusing_handle.png (41 kB)
        8. zabbix-2.0.6-add_eventlog6_key.patch (36 kB)
        9. zabbix-r10124-eventlog_add_xpath_function.patch (8 kB)
        10. ZBX-7515.patch (1 kB)

              People

              • Assignee: Unassigned
              • Reporter: tsuzuki (Takanori Suzuki)
              • Votes: 7
              • Watchers: 11