[ZBX-6933] Windows agent does not expand variables in eventlog message Created: 2013 Aug 27  Updated: 2017 May 30  Resolved: 2014 Feb 27

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: None
Affects Version/s: 2.0.8, 2.1.2
Fix Version/s: 2.0.12rc1, 2.2.3rc1, 2.3.0

Type: Incident report Priority: Major
Reporter: Kodai Terashima Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: agent, eventlog
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows

Attachments: PNG File reason-for-no-value.png     PNG File variables-not-expanded.png    
Issue Links:
Duplicate

 Description   

Windows agent does not expand variables like "%%258112" in eventlog message. This case no error message "The description for Event ID (...) in Source (...) cannot be found."

For example:

On Event Viewer : Diagnostics failure of 10: 'IO Power On' (Ftn=0xf040 Info=0x0,0x0)
On Zabbix frontend: Diagnostics failure of 10: '%%258112' (Ftn=0xf040 Info=0x0,0x0)

Exported Event XML from event viewer:

Log Name: System
Source: srabid
Level: Error
Description:
Diagnostics failure of 10: 'IO Power On' (Ftn=0xf040 Info=0x0,0x0).
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="srabid" />
<Level>2</Level>
<Task>0</Task>
<Channel>System</Channel>
<Security />
</System>
<EventData>
<Data>
</Data>
<Data>10</Data>
<Data>%%258112</Data>
<Data>0xf040</Data>
<Data>0x0</Data>
<Data>0x0</Data>
</EventData>
</Event>

 Comments   
Comment by Oleksii Zagorskyi [ 2013 Aug 27 ]

I recall some discussions around the topic, but not sure where exactly, maybe on forum.

Comment by Andris Zeila [ 2014 Jan 09 ]

Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-6933

Comment by Aleksandrs Saveljevs [ 2014 Feb 25 ]

(1) When there are no values to show in place of variables, the agent seems to show the reason why they cannot be shown. Windows event viewer seems to handle them differently:

The above image is for the first "Security" record at "2014.Feb.25 15:26:23".

Note "User's account value has expired" instead of "<value not set>." and "The redirector is in use and cannot be unloaded." instead of "Never".

Also note that the value for "Logon Hours" is different: "The printer driver is unknown." instead of "All".

Another example is the second "Security" record at "2014.Feb.25 15:26:04":

Note that variables below "User Account Control:" heading are not expanded.

wiper RESOLVED in r41418. It can be tested on win2k System log (there are dhcp errors with parameter).

asaveljevs Looks good, but please see r43064 before merging. CLOSED.

wiper Thanks, reviewed.

Comment by Andris Zeila [ 2014 Feb 27 ]

Released in:
pre-2.0.12rc1 r43067
pre-2.2.3rc1 r43070
pre-2.3.0 r43071

Generated at Sat Apr 20 01:32:30 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.