[ZBX-8595] eventlog[] collected wrong messages Created: 2014 Aug 07  Updated: 2017 May 30  Resolved: 2014 Sep 05

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: 1.8.20, 2.0.12, 2.2.5, 2.3.3
Fix Version/s: 1.8.22rc1, 2.0.14rc1, 2.2.7rc1, 2.4.1rc1, 2.5.0

Type: Incident report Priority: Major
Reporter: Yoshinori Komuro Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: eventlog
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Windows

Attachments: JPEG File eventlog.jpg     File for_2.0.12.patch     File for_2.2.5.patch     JPEG File history.jpg    

 Description   

When a message is not found in EventMessageFile, eventlog[] gets it from system messages:

----------------------------------------------------------
FormatMessage(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ALLOCATE_BUFFER |
    FORMAT_MESSAGE_ARGUMENT_ARRAY | FORMAT_MESSAGE_FROM_SYSTEM |
    FORMAT_MESSAGE_MAX_WIDTH_MASK,              /* do not generate new line breaks */
    hLib,                                       /* the messagetable DLL handle */
    pELR->EventID,                              /* message ID */
    MAKELANGID(LANG_NEUTRAL, SUBLANG_ENGLISH_US), /* language ID */
    (LPTSTR)&msgBuf,                            /* address of pointer to buffer for message */
    0,
    (va_list *)aInsertStrs))                    /* array of insert strings for the message */
----------------------------------------------------------

I think that this [FORMAT_MESSAGE_FROM_SYSTEM] option is unnecessary.



 Comments   
Comment by dimir [ 2014 Sep 04 ]

Could you please specify Windows version?

Comment by dimir [ 2014 Sep 04 ]

It seems that removing FORMAT_MESSAGE_FROM_SYSTEM is right.

First, what happens when we use FORMAT_MESSAGE_FROM_SYSTEM with FORMAT_MESSAGE_FROM_HMODULE? The function FormatMessage first tries to fetch the message from EventMessageFile (FORMAT_MESSAGE_FROM_HMODULE) and, if it is not found, looks in system message-table resources (FORMAT_MESSAGE_FROM_SYSTEM). More details: http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351.aspx

Secondly, FORMAT_MESSAGE_FROM_SYSTEM should always be used along with FORMAT_MESSAGE_IGNORE_INSERTS: http://blogs.msdn.com/b/oldnewthing/archive/2007/11/28/6564257.aspx

I could not find any information on whether an event may be a sort of system error that has an associated message in system message-table resources. So, it looks like removing that flag is the right thing to do.

We will run some more tests and, if they prove the solution, we will fix it in versions starting from 1.8.
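A portable model of the lookup order described in the comment above, added here as an example; it is not Zabbix agent code and does not call the Win32 API. The tables, the event source and the `format_event` helper are constructed for illustration; the text for ID 193 is the Win32 message for ERROR_BAD_EXE_FORMAT.

```c
#include <stdio.h>
#include <string.h>

/* Names echo the Win32 flags; values and tables are constructed for this model. */
#define FROM_HMODULE 0x1u
#define FROM_SYSTEM  0x2u
#define COUNT(t) (sizeof(t) / sizeof((t)[0]))
struct msg { unsigned id; const char *text; };

/* Hypothetical event source: its message file defines ID 1000 only. */
static const struct msg module_tbl[] = { { 1000, "Service %1 started." } };
/* Stand-in for the system message table, holding one Win32 error text. */
static const struct msg system_tbl[] = { { 193, "%1 is not a valid Win32 application." } };

static const char *find(const struct msg *t, size_t n, unsigned id)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].id == id) return t[i].text;
    return NULL;
}

/* Module table first, system table only with FROM_SYSTEM; expands the first %1. Returns 1 if found. */
int format_event(unsigned flags, unsigned id, const char *insert1, char *out, size_t outsz)
{
    const char *tpl = NULL, *p;
    if (flags & FROM_HMODULE)
        tpl = find(module_tbl, COUNT(module_tbl), id);
    if (!tpl && (flags & FROM_SYSTEM))
        tpl = find(system_tbl, COUNT(system_tbl), id);
    if (!tpl) {
        out[0] = '\0';      /* unresolved: the caller decides what to report */
        return 0;
    }
    if ((p = strstr(tpl, "%1")) != NULL)
        snprintf(out, outsz, "%.*s%s%s", (int)(p - tpl), tpl, insert1, p + 2);
    else
        snprintf(out, outsz, "%s", tpl);
    return 1;
}

int main(void)
{
    char buf[128];
    /* Event ID 193 from the hypothetical source, with its own insert string. */
    int ok = format_event(FROM_HMODULE | FROM_SYSTEM, 193, "nightly-backup", buf, sizeof(buf));
    printf("with FROM_SYSTEM:    %d \"%s\"\n", ok, buf);
    ok = format_event(FROM_HMODULE, 193, "nightly-backup", buf, sizeof(buf));
    printf("without FROM_SYSTEM: %d \"%s\"\n", ok, buf);
    return 0;
}
```

With the fallback enabled, the event's insert string is substituted into an unrelated system error text; without it, the lookup fails visibly and can be handled as "message not found".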

Comment by dimir [ 2014 Sep 05 ]

Changed the behavior of the agent to not search system message-table resources for the event message.

Tested Windows 2008 eventlog handling (half a year's collection of events) with and without the fix, no regressions found.

Also added the FORMAT_MESSAGE_IGNORE_INSERTS flag to FormatMessage calls where inserts were not available. This affects the performance collector, no regressions found when generating error messages.

Fixed in development branch for 1.8: svn://svn.zabbix.com/branches/dev/ZBX-8595.

Comment by Andris Zeila [ 2014 Sep 09 ]

Successfully tested

Comment by dimir [ 2014 Sep 24 ]

Fixed in pre-1.8.22 r49280, pre-2.0.14 r49298, pre-2.2.7 r49302, pre-2.4.1 r49306, pre-2.5.0 r49308.
