Project: ZABBIX BUGS AND ISSUES
ZBX-2008

"Windows Eventing 6.0" not supported


    • Type: Incident report
    • Resolution: Fixed
    • Priority: Minor
    • Fix Version/s: 2.1.5, 2.2.0, 2.2.1rc1, 2.3.0
    • Affects Version/s: 1.9.0 (alpha)
    • Component/s: Agent (G)
    • Environment: After Windows Vista (WinVista, Win7, Win2008), Zabbix Agent 1.9 (r10124)

      Zabbix cannot generate Windows eventlog messages from the new eventing system log, the "Windows Eventing 6.0" log.
      "Windows Eventing 6.0" was added after Windows Vista.
      Though many legacy eventing system logs still exist after Windows Vista, some eventlogs are "Windows Eventing 6.0" logs.
      We have to use an XPath query with the new eventlog API to get these new eventlog messages.

      The details follow.

        1. Before Windows Vista (NT, 2000, XP, 2003)
          We can get the message table file path by searching for the value "EventMessageFile" under "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\*\*" using RegQueryValueEx().
          Then, we can generate the eventlog message with FormatMessage() and the message table file.
          Zabbix works in this way (see "src/zabbix_agent/eventlog.c").
          All eventlog registry entries have "EventMessageFile", so Zabbix works well before Windows Vista.
        2. After Windows Vista (Vista, 7, 2008)
          After Windows Vista, there are some eventlogs which don't have "EventMessageFile" in the registry.
          For example, in Windows Vista and 7, "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\WMPNetworkSvc" doesn't have "EventMessageFile" (picture "01.jpg").
          So Zabbix cannot get the message table file path and cannot generate the eventlog message.
          These are "Windows Eventing 6.0" version eventlogs added after Windows Vista, which don't have "EventMessageFile".
          The eventlog API was also changed.
          We have to use an XPath query to get eventlog messages.
          (reference: http://msdn.microsoft.com/en-us/magazine/cc163431.aspx)

      How to reproduce:
      The easiest way is starting and stopping the "Windows Media Player Network Sharing Service" from the Windows service manager in Windows Vista or 7.
      It uses "Windows Eventing 6.0".
      Please see picture "02.jpg".
      The "original zabbix" failed to get the eventlog message.
      The failed source name is "WMPNetworkSvc".
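As an added check (not part of this report and not Zabbix's own code), the PowerShell below performs the two lookups described above for a single source: the legacy registry lookup for "EventMessageFile" that the 1.9 agent depends on, and an XPath query through the Windows Eventing 6.0 API (Get-WinEvent -FilterXPath), which returns rendered messages whether or not the registry value exists. It assumes the source writes to the System log, as the registry path in the report indicates, and that it is run on Windows Vista or later; the log name, source name and event count are parameters.

```powershell
# Added example for ZBX-2008; not the report's or Zabbix's own code.
# For one eventlog source, report whether the legacy registry lookup used by
# the Zabbix 1.9 agent would succeed, then read the same source through the
# Windows Eventing 6.0 API with an XPath filter.
param(
    [string]$LogName   = 'System',        # assumption: WMPNetworkSvc lives under EventLog\System (see report)
    [string]$Source    = 'WMPNetworkSvc', # source named in the report as failing
    [int]   $MaxEvents = 5
)

# 1. Legacy path: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>\<source>\EventMessageFile
#    This is the value src/zabbix_agent/eventlog.c needs before it can call FormatMessage().
$regPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
$messageFile = $null
if (Test-Path $regPath) {
    $messageFile = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).EventMessageFile
}
if ($messageFile) {
    Write-Host "Legacy lookup OK: EventMessageFile = $messageFile"
} else {
    Write-Host "Legacy lookup FAILS for '$Source': no EventMessageFile value (Windows Eventing 6.0 source)"
}

# 2. Eventing 6.0 path: XPath query against the same log, filtered to the provider.
#    The message text is rendered from the provider's registered metadata,
#    so it is available even when step 1 found nothing.
$xpath = "*[System[Provider[@Name='$Source']]]"
try {
    $events = Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        '{0}  id={1}  level={2}  {3}' -f $e.TimeCreated, $e.Id, $e.LevelDisplayName, $e.Message
    }
} catch {
    # Get-WinEvent raises a terminating error when no event matches the filter
    Write-Host "No events for '$Source' in '$LogName': $($_.Exception.Message)"
}
```

Run it after starting and stopping the Windows Media Player Network Sharing Service as the report describes. The first output line shows whether the legacy lookup would fail for this source, and the event lines that follow show the messages the new API renders for the same events, which is the coverage gap the agent has until it issues XPath queries itself.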

      Attachments:
        1. [MS-EVEN6].pdf (2.89 MB, Alexey Pustovalov)
        2. 01.jpg (60 kB, Takanori Suzuki)
        3. 02.jpg (102 kB, Takanori Suzuki)
        4. diff_of_1st_2nd_post.diff (3 kB, Takanori Suzuki)
        5. eventlog.c (16 kB, Takanori Suzuki)
        6. graph_reusing_handle.png (41 kB, Takanori Suzuki)
        7. zabbix-2.0.6-add_eventlog6_key.patch (36 kB, Takanori Suzuki)
        8. zabbix-r10124-eventlog_add_xpath_function.patch (8 kB, Takanori Suzuki)
        9. ZBX-7515.patch (1 kB, Takanori Suzuki)

            Assignee: Unassigned
            Reporter: Takanori Suzuki (tsuzuki)