[ZBX-5646] Critical level in Windows 2008 eventlog processed incorrectly as Information level Created: 2010 Jun 23  Updated: 2017 May 30  Resolved: 2013 Nov 08

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: None
Fix Version/s: None

Type: Incident report Priority: Major
Reporter: Ruud Boersma Assignee: Unassigned
Resolution: Duplicate Votes: 5
Labels: eventlog, logmonitoring, windows
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Windows 2008 and 2008 R2

Attachments: PNG File 1.critical_event_not_support.png
Issue Links:
Duplicate
is duplicated by ZBX-2008 "Windows Eventing 6.0" not supported Closed

Description

Microsoft introduced the "Critical" log level in the Windows Event Viewer.
At the moment the Windows agent only has the following levels (copied from active.c):

	/* no case exists for the Eventing 6.0 "Critical" level */
	case EVENTLOG_SUCCESS:
	case EVENTLOG_INFORMATION_TYPE:
		severity = 1;
		zbx_snprintf(str_severity, sizeof(str_severity), INFORMATION_TYPE);
		break;
	case EVENTLOG_WARNING_TYPE:
		severity = 2;
		zbx_snprintf(str_severity, sizeof(str_severity), WARNING_TYPE);
		break;
	case EVENTLOG_ERROR_TYPE:
		severity = 4;
		zbx_snprintf(str_severity, sizeof(str_severity), ERROR_TYPE);
		break;
	case EVENTLOG_AUDIT_FAILURE:
		severity = 7;
		zbx_snprintf(str_severity, sizeof(str_severity), AUDIT_FAILURE);
		break;
	case EVENTLOG_AUDIT_SUCCESS:
		severity = 8;
		zbx_snprintf(str_severity, sizeof(str_severity), AUDIT_SUCCESS);
		break;

Critical events are very important events to monitor to prevent disaster.
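As an added example (not Zabbix code), the legacy EventType mapping quoted above is placed beside a mapping of the Windows Eventing 6.0 "Level" field, which is where Critical actually lives; the evt_record struct, the eventlog_severity() selector and the severity values 0, 9 and 10 are assumptions made for this example, while the EVENTLOG_* and WINEVENT_LEVEL_* constants carry their real header values.

```c
/* Legacy EventType values (winnt.h) and Eventing 6.0 Level values (winmeta.h),
 * defined inline so the example builds without windows.h. */
#define EVENTLOG_SUCCESS          0x0000
#define EVENTLOG_ERROR_TYPE       0x0001
#define EVENTLOG_WARNING_TYPE     0x0002
#define EVENTLOG_INFORMATION_TYPE 0x0004
#define EVENTLOG_AUDIT_SUCCESS    0x0008
#define EVENTLOG_AUDIT_FAILURE    0x0010
#define WINEVENT_LEVEL_CRITICAL   1
#define WINEVENT_LEVEL_ERROR      2
#define WINEVENT_LEVEL_WARNING    3
#define WINEVENT_LEVEL_INFO       4
#define WINEVENT_LEVEL_VERBOSE    5
/* 1, 2, 4, 7, 8 are the severities quoted in the issue; 0 (Unknown), 9 (Critical)
 * and 10 (Verbose) are values assumed for this example, not taken from Zabbix. */
enum { SEV_UNKNOWN = 0, SEV_INFO = 1, SEV_WARN = 2, SEV_ERR = 4, SEV_AUDIT_FAIL = 7,
       SEV_AUDIT_OK = 8, SEV_CRITICAL = 9, SEV_VERBOSE = 10 };
/* Assumed record shape: Level is only present for Eventing 6.0 reads (has_level). */
struct evt_record { unsigned short event_type; unsigned char level; int has_level; };

/* Legacy mapping from the issue, plus an explicit default so an unrecognised
 * type reports Unknown instead of silently landing on another level. */
int severity_from_event_type(unsigned short t) {
	switch (t) {
	case EVENTLOG_SUCCESS:
	case EVENTLOG_INFORMATION_TYPE: return SEV_INFO;
	case EVENTLOG_WARNING_TYPE:     return SEV_WARN;
	case EVENTLOG_ERROR_TYPE:       return SEV_ERR;
	case EVENTLOG_AUDIT_FAILURE:    return SEV_AUDIT_FAIL;
	case EVENTLOG_AUDIT_SUCCESS:    return SEV_AUDIT_OK;
	default:                        return SEV_UNKNOWN;
	}
}

/* Eventing 6.0 Level expresses Critical and Verbose, which EventType cannot. */
int severity_from_level(unsigned char level) {
	switch (level) {
	case WINEVENT_LEVEL_CRITICAL: return SEV_CRITICAL;
	case WINEVENT_LEVEL_ERROR:    return SEV_ERR;
	case WINEVENT_LEVEL_WARNING:  return SEV_WARN;
	case WINEVENT_LEVEL_INFO:     return SEV_INFO;
	case WINEVENT_LEVEL_VERBOSE:  return SEV_VERBOSE;
	default:                      return SEV_UNKNOWN;
	}
}

/* Prefer Level when present: it is the only field that preserves Critical. */
int eventlog_severity(const struct evt_record *e) {
	return e->has_level ? severity_from_level(e->level)
	                    : severity_from_event_type(e->event_type);
}
```

A record read only through the legacy API can never yield SEV_CRITICAL here, which is the downgrade the debug log in the comments shows.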

Comments
Comment by Oleksii Zagorskyi [ 2010 Aug 07 ]

Simply an additional screenshot.

From the agent debug log: the Zabbix agent returns "severity":1 for critical events.

Comment by Oleksii Zagorskyi [ 2010 Aug 07 ]

When making this request, please see ZBXNEXT-470.

Comment by Oleksii Zagorskyi [ 2012 Dec 10 ]

This issue has not been fixed for a long time because the Critical level is used only in the "Windows Eventing 6.0" log.

And there are problems with this new format.
More details are available in ZBX-2008.

Comment by Andrei Gushchin (Inactive) [ 2013 Feb 13 ]

I tested the beta binaries. I suppose we have the same problem.
A critical log from Windows is interpreted by Zabbix as Information severity.
Some logs:

1664:20130213:133847.796 In process_value() key:'zwin08:eventlog[System]' value:'Система перезагрузилась, не завершив полностью работу. Эта ошибка может быть результатом того, что система перестала отвечать, произошел критический сбой, или неожиданно отключилось питание.'
 1664:20130213:133852.468 JSON before sending [{
	"request":"agent data",
	"data":[
		{
			"host":"zwin08",
			"key":"eventlog[System]",
			"value":"Система перезагрузилась, не завершив полностью работу. Эта ошибка может быть результатом того, что система перестала отвечать, произошел критический сбой, или неожиданно отключилось питание.",
			"lastlogsize":2342,
			"timestamp":1360741047,
			"source":"Microsoft-Windows-Kernel-Power",
			"severity":1,
			"eventid":41,
			"clock":1360741127},
		{

Comment by Alexey Pustovalov [ 2013 Jul 31 ]

Information about event levels (severities): http://msdn.microsoft.com/en-us/library/aa382793%28v=VS.85%29.aspx

Comment by Alexey Pustovalov [ 2013 Jul 31 ]

function get_item_logtype_description($logtype) {
        switch ($logtype) {
                case ITEM_LOGTYPE_INFORMATION:
                        return _('Information');
                case ITEM_LOGTYPE_WARNING:
                        return _('Warning');
                case ITEM_LOGTYPE_ERROR:
                        return _('Error');
                case ITEM_LOGTYPE_FAILURE_AUDIT:
                        return _('Failure Audit');
                case ITEM_LOGTYPE_SUCCESS_AUDIT:
                        return _('Success Audit');
                default:
                        return _('Unknown');
        }
}

Comment by Alexander Vladishev [ 2013 Nov 08 ]

It's a duplicate of ZBX-2008. I'm closing the issue.

Generated at Fri Mar 29 11:59:19 EET 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.