[ZBX-2008] "Windows Eventing 6.0" not supported Created: 2010 Feb 15 Updated: 2017 May 30 Resolved: 2013 Nov 07 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Agent (G) |
Affects Version/s: | 1.9.0 (alpha) |
Fix Version/s: | 2.1.5, 2.2.0, 2.2.1rc1, 2.3.0 |
Type: | Incident report | Priority: | Minor |
Reporter: | Takanori Suzuki | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 7 |
Labels: | eventlog, windows | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
After Windows Vista(WinVista, Win7, Win2008), Zabbix Agent 1.9 (r10124) |
Attachments: | 01.jpg 02.jpg ZBX-7515.patch [MS-EVEN6].pdf build_makefile.zip diff_of_1st_2nd_post.diff eventlog.c graph_reusing_handle.png zabbix-2.0.6-add_eventlog6_key.patch zabbix-r10124-eventlog_add_xpath_function.patch | ||||||||||||
Issue Links: |
|
Description |
Zabbix cannot generate windows eventlog messages from new eventing system log, "Windows Eventing 6.0" log. The detail is following.
How to reproduce: |
Comments |
Comment by Takanori Suzuki [ 2010 Feb 15 ] |
I made a patch. Please see picture "02.jpg". |
Comment by Takanori Suzuki [ 2010 Feb 15 ] |
The patch is for trunk r10124. |
Comment by Takanori Suzuki [ 2010 Feb 15 ] |
I think same problem occurs also in 1.4.x and 1.6.x. |
Comment by Takanori Suzuki [ 2010 Feb 15 ] |
[The detail of the speed about original function and my function in my patch] I measured the original one and my method. Executing new API is heavy, so if zabbix execute a few query and caches multi values, it might be more light weight. Or, if there is another way to get "Windows Eventing 6.0" log with legacy API, it is also good. |
Comment by Takanori Suzuki [ 2010 Mar 07 ] |
Hi. |
Comment by Aleksandrs Saveljevs [ 2010 Jul 05 ] |
Thank you for the patch! We are currently testing it and looking into ways we can integrate it with Zabbix code. |
Comment by Takanori Suzuki [ 2010 Jul 08 ] |
Thank you Saveljevs. The patched code always requires "wevtapi.dll" even if it runs under before Windows Vista. |
Comment by Takanori Suzuki [ 2010 Jul 08 ] |
The "eventlog.c" dosen't require "wevtapi.lib" in linking. |
Comment by Aleksandrs Saveljevs [ 2010 Aug 02 ] |
We would like to thank you for the patch, but at the moment we still cannot integrate it into 1.8, because the new API is very slow. In our test environment, the new API generated approximately 35 rows per second, while loading the CPU by 100% - we cannot put an agent on the users' systems that loads the CPU this much. We will continue investigating the possible options, but if you have any further ideas, please let us know. |
Comment by richlv [ 2011 Jul 14 ] |
|
Comment by Alexey Pustovalov [ 2013 May 10 ] |
Also we can use prefetching instead of getting one by one event: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385650(v=vs.85).aspx |
Comment by Takanori Suzuki [ 2013 Jul 22 ] |
Hi. It adds new key "eventlog6[]", it supports Eventing 6.0 API and it also can get "application and service log" This patch conflicts with current |
Comment by Takanori Suzuki [ 2013 Jul 22 ] |
To be build, it needs to change Makefiles. |
Comment by Igors Homjakovs (Inactive) [ 2013 Jul 22 ] |
Hi, We have started working on this issue and appreciate your active involvement. Mr. Suzuki, thank you very much for the patch. |
Comment by Takanori Suzuki [ 2013 Jul 24 ] |
I updated the patch. |
Comment by Oleksii Zagorskyi [ 2013 Jul 24 ] |
Takanori, it probably would be good to show also diff between patches (since devs are working already, supposedly on the previous patch) to easily get what exactly you've changed. |
Comment by Takanori Suzuki [ 2013 Jul 24 ] |
Thank you Oleksiy. |
Comment by Igors Homjakovs (Inactive) [ 2013 Aug 06 ] |
Takanori, in your patch you mentioned that "EvtGetLogInfo()" doesn't work properly with "EvtLogOldestRecordNumber"? Could you explain what it the problem? I works fine on my PC. |
Comment by Takanori Suzuki [ 2013 Aug 06 ] |
Hi Igors. And I found following info and actually I got wrong number, so I decided to use other way. In that page, "Mitch" suggests to use legacy API, it means "GetOldestEventLogRecord()", but it cannot work with eventlog in "application and service log". |
Comment by Igors Homjakovs (Inactive) [ 2013 Aug 06 ] |
Takanori, thanks a lot for the information. |
Comment by Takanori Suzuki [ 2013 Aug 06 ] |
BTW, my patch includes following not good thing.
From Windows Eventing 6.0, it adds new levels "critical", "log always" and "verbose". So, I mapped "error" and "critical" to "error". + switch(VAR_LEVEL(renderedContent)) + { + case WINEVENT_LEVEL_LOG_ALWAYS: + case WINEVENT_LEVEL_INFO: + case WINEVENT_LEVEL_VERBOSE: + *out_severity = EVENTLOG_INFORMATION_TYPE; + break; + case WINEVENT_LEVEL_CRITICAL: + case WINEVENT_LEVEL_ERROR: + *out_severity = EVENTLOG_ERROR_TYPE; + break; + case WINEVENT_LEVEL_WARNING: + *out_severity = EVENTLOG_WARNING_TYPE; + break; + default: + *out_severity = EVENTLOG_INFORMATION_TYPE; + break; + } But if Zabbix can add more secerity, it's better. |
Comment by Igors Homjakovs (Inactive) [ 2013 Aug 06 ] |
Takanori, I have already taken care of the severity levels. They were made in a accordance to Windows Eventing. |
Comment by Takanori Suzuki [ 2013 Aug 06 ] |
I see, it's nice |
Comment by Igors Homjakovs (Inactive) [ 2013 Aug 06 ] |
I'm doing some minor modification now. You will see it in a day or two |
Comment by Takanori Suzuki [ 2013 Aug 08 ] |
Thanks Igors. |
Comment by Igors Homjakovs (Inactive) [ 2013 Aug 08 ] |
Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-2008 |
Comment by Igors Homjakovs (Inactive) [ 2013 Aug 08 ] |
(1) [F] CRITICAL and VERBOSE severity levels have to be added in PHP. iivs Severities added in frontend. |
Comment by Igors Homjakovs (Inactive) [ 2013 Aug 08 ] |
Takanori, thanks for the comment. Please have a look at the code. Your comments are highly welcomed. |
Comment by Andris Zeila [ 2013 Sep 20 ] |
(2) [S] Successfully tested, please review my changes in r38692 igorsh I accept your changes. CLOSED |
Comment by Igors Homjakovs (Inactive) [ 2013 Sep 20 ] |
(3) [A] Some additional modifications were done. Please review my changes in r38696 wiper reviewed, tested and CLOSED |
Comment by richlv [ 2013 Sep 24 ] |
(4) docs : igorsh Updated whatsnew: and RESOLVED |
Comment by Eduards Samersovs (Inactive) [ 2013 Oct 08 ] |
Frontend tested! |
Comment by Igors Homjakovs (Inactive) [ 2013 Oct 09 ] |
Fixed in version 2.1.7(trunk) r39160 |
Comment by Alexander Vladishev [ 2013 Oct 09 ] |
(5) [G] The new code is incorrectly formatted. igorsh RESOLVED in r39171 and r39216 |
Comment by Takanori Suzuki [ 2013 Oct 15 ] |
Hi Igors.
|
Comment by Igors Homjakovs (Inactive) [ 2013 Oct 16 ] |
Hi Takanori, Thank you for your comments. I'm looking into your suggestions now and will get back to you as soon as possible. |
Comment by Igors Homjakovs (Inactive) [ 2013 Oct 17 ] |
Takanori, In my previous performance tests the performance overhead of getting eventlog handle each time was not significant. |
Comment by Takanori Suzuki [ 2013 Oct 17 ] |
Igors, In my case, if I didn't reuse the handle, it makes CPU exhausted and becomes slow like following.
And asaveljevs, he was working for this issue at first, also said "In our test environment, the new API generated approximately 35 rows per second, while loading the CPU by 100%" In this time, I tested with second patch, which reusing the handle. And more eventlog makes Eventing 6.0 API slower. |
Comment by Igors Homjakovs (Inactive) [ 2013 Oct 24 ] |
(6) [IG] Implement automatic loading of wevtapi.dll and its functions' definitions using "/DELAYLOAD" igorsh RESOLVED in r39556 wiper CLOSED |
Comment by Igors Homjakovs (Inactive) [ 2013 Oct 25 ] |
(7) (G) Audit Success/Failure severity is not displayed in Security log igorsh RESOLVED in r39585 wiper CLOSED |
Comment by Igors Homjakovs (Inactive) [ 2013 Oct 29 ] |
(8) [G] Add reuse of handle to improve performance igorsh RESOLVED in r40000 wiper CLOSED |
Comment by Takanori Suzuki [ 2013 Oct 31 ] |
Igors, I did performance test again in better environment. [non-reusing handle] CPU usage: average:97.17% please also see "graph_reusing_handle.png" Read Eventlog performance: system: 22281row, 2190sec, 10row/sec application: 4302row, 194sec, 22row/sec security: 35269row, 3632sec, 9row/sec [reusing handle] CPU usage: average:9.18% please also see "graph_reusing_handle.png" Read Eventlog performance: system: 22272row, 241sec, 92row/sec application: 4302row, 42sec, 102row/sec security: 35267row, 380sec, 92row/sec Please mind this result is using my patch which is different from yours. |
Comment by Igors Homjakovs (Inactive) [ 2013 Nov 06 ] |
Takanori, Thank you sharing your performance results. |
Comment by Andris Zeila [ 2013 Nov 07 ] |
(9) [G] Please review coding style fixes in r40060, r40081 igorsh i reviewed your changes. Thank you. RESOLVED |
Comment by Andris Zeila [ 2013 Nov 07 ] |
(10) [G] possible crash when failing to format event message In eventlog.c:669-678 if (EvtVarTypeNull != VAR_EVENT_TYPE(renderedContent)) { char *data; data = zbx_unicode_to_utf8(VAR_EVENT_DATA(renderedContent)); *out_message = zbx_strdcatf(*out_message, "The following information was included" " with the event: %s", data); zbx_free(data); } Where VAR_EVENT_DATA(p) is defined as (p[7].StringArr[0]) This code is based on assumption that renderedContent[7] always is string array, but in my tests it was string, leading to random crashes. We must either add explicit checks for rederedContent[7] type or drop this code part (I'm not sure how useful this additional data might be). igorsh RESOLVED in r40108 wiper CLOSED |
Comment by Andris Zeila [ 2013 Nov 07 ] |
(11) [G] Logging message format and serverity must be reviewed. Some of the logging messages does not follow Zabbix style, for example zabbix_log(LOG_LEVEL_WARNING, "In Eventlog '%s': Expected EventRecordID(" ZBX_FS_UI64 ")" " is not equal to the real EventRecordID(" ZBX_FS_UI64 ")." " Overwriting expected EventRecordID by the real EventRecordID", tmp_str, *which, VAR_RECORD_NUMBER(renderedContent)); Also the severity of log messages should be lowered to DEBUG if the function still can return success. igorsh RESOLVED in r40110-r40111 wiper CLOSED |
Comment by Andris Zeila [ 2013 Nov 08 ] |
Successfully tested |
Comment by Alexander Vladishev [ 2013 Nov 12 ] |
Available in pre-2.2.1 r40193 and pre-2.3.0 (trunk) r40194. |
Comment by richlv [ 2014 Jan 13 ] |
could this have resulted in wiper Yes. Currently my only guess is that delayed loading of wevtapi.dll did not work on x64 system. |
Comment by Takanori Suzuki [ 2014 Jan 14 ] |
Should I post this to |
Comment by Igors Homjakovs (Inactive) [ 2014 Jan 14 ] |
Takanori, thank you for your patch. This issue will be resolved shortly. |
Comment by Robert Riskin [ 2014 Feb 18 ] |
Hello, I have upgraded my host to 2.2.2 and upgraded the agent I am trying to monitor to 2.2.1 and I am still getting a not supported in my agent logs: 13192:20140218:115240.786 cannot open eventlog 'Microsoft-Windows-TaskScheduler/Optional':[0x00003A9F] The specified channel could not be found. Check channel configuration. Can you please tell me if you can successfully monitor this and also what is the appropriate convention for monitoring the Applications and services logs? |
Comment by Igors Homjakovs (Inactive) [ 2014 Feb 19 ] |
Robert, Are you sure you want to monitor Microsoft-Windows-TaskScheduler/Optional, but not Microsoft-Windows-TaskScheduler/Operational? If so, please confirm that this log is present in C:\Windows\System32\winevt\Logs |
Comment by Robert Riskin [ 2014 Feb 19 ] |
Please ignore my above comment, it works flawlessly!! Thank you Igors and the rest of the dev team that fixed this!!!! -Robert |