[ZBX-9430] EvtNext failed: [0x00000103] No more data is available error for eventlog Created: 2015 Mar 24  Updated: 2017 May 30  Resolved: 2015 Sep 08

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: 2.2.7
Fix Version/s: 2.2.11rc1, 2.4.7rc1, 3.0.0alpha2

Type: Incident report Priority: Blocker
Reporter: Kodai Terashima Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: agent, eventlog, item, windows
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows 2008


Issue Links:
Duplicate

 Description   

EvtNext failed: [0x00000103] No more data is available error happens on eventlog key.

The item goes into not supported status when it receives new event log data; then it fires only the first event even if the item received several events.



 Comments   
Comment by Aleksandrs Saveljevs [ 2015 Apr 07 ]

The issue did not reproduce itself so far. A DebugLevel=4 agent log would be appreciated.

Comment by Aleksandrs Saveljevs [ 2015 Jul 17 ]

It should be checked whether the problem can be solved by ZBX-9716.

wiper: EvtNext is used by eventlog6 processing, while ZBX-9716 fixes bugs in old eventlog processing.

Comment by Andris Zeila [ 2015 Aug 11 ]

EvtNext() failing with 0x00000103 error is a normal situation; it simply means that there are no more events to read.

From MSDN EvtNext documentation:

Call this function in a loop until the function returns FALSE and the error code is ERROR_NO_MORE_ITEMS.

Zabbix reads the events slightly differently. First the record numbers of the first and the last event to read are acquired, then all events from first id to the last id are read. If event reading fails, an error is generated. I assume that during event processing the eventlog was cleaned up. So Zabbix tried to read removed events and threw the above error for each event that was already removed.

Instead of throwing an error, Zabbix should simply finish the event processing loop if EvtNext fails with 0x00000103 error.
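
Added example, not part of the comment above and not Zabbix agent code: a portable C simulation of the read loop described there, comparing a loop that treats any failed read as an error with one that ends normally on ERROR_NO_MORE_ITEMS. `sim_log`, `sim_evt_next` and `read_range` are hypothetical stand-ins (no Windows API is called), and the record ids are constructed.

```c
#include <stdio.h>

#define ERROR_NO_MORE_ITEMS 259UL  /* 0x00000103, the code quoted in this issue */

/* Constructed stand-in for an event log query: ids in [next, end) are readable. */
typedef struct { unsigned long next, end, last_error; } sim_log;

/* Hypothetical stand-in for EvtNext(): returns 1 and a record id, or 0 with
 * last_error set to ERROR_NO_MORE_ITEMS when nothing is left to read. */
static int sim_evt_next(sim_log *log, unsigned long *record_id)
{
    if (log->next >= log->end) {
        log->last_error = ERROR_NO_MORE_ITEMS;
        return 0;
    }
    *record_id = log->next++;
    return 1;
}

enum { READ_OK = 0, READ_FAIL = -1 };

/* Read ids first_id..last_id-1, a range computed before reading starts.
 * tolerant == 0: every failed read is reported as an error.
 * tolerant != 0: ERROR_NO_MORE_ITEMS just ends the loop (the proposed change). */
static int read_range(sim_log *log, unsigned long first_id, unsigned long last_id,
                      int tolerant, unsigned long *processed)
{
    unsigned long id, rec;
    *processed = 0;
    for (id = first_id; id < last_id; id++) {
        if (!sim_evt_next(log, &rec)) {
            if (tolerant && log->last_error == ERROR_NO_MORE_ITEMS)
                break;          /* nothing left: stop and keep what was read */
            return READ_FAIL;   /* an error is generated for the item */
        }
        (*processed)++;
    }
    return READ_OK;
}

int main(void)
{
    /* Constructed case: 10 records expected (ids 100..109), only 7 readable. */
    sim_log a = {100, 107, 0}, b = {100, 107, 0};
    unsigned long n;
    int rc = read_range(&a, 100, 110, 0, &n);
    printf("strict:   rc=%d processed=%lu\n", rc, n);
    rc = read_range(&b, 100, 110, 1, &n);
    printf("tolerant: rc=%d processed=%lu\n", rc, n);
    return 0;
}
```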

Comment by Andris Zeila [ 2015 Aug 12 ]

From the debug logs it appears that either the number of event log records or the id for first event record calculated by the agent is wrong. Because of that, the agent tries to read more records than available, leading to ERROR_NO_MORE_ITEMS error.

The number of event log records is returned by a Windows API function, while the first event record id is obtained by querying all event records and reading the id of the first returned event record. Maybe the event log is corrupted?

It would also be interesting if the values logged by the agent

End of zbx_open_eventlog6():SUCCEED FirstID:13439 LastID:48169 numIDs:34730

correspond to the values shown by Windows Event Viewer.

FirstID - the EventRecordID of the oldest event record
LastID - the EventRecordID of the newest event record + 1
numIDs - the total number of records.

Comment by Andris Zeila [ 2015 Aug 12 ]

I created a workaround to suppress the ERROR_NO_MORE_ITEMS error in the svn://svn.zabbix.com/branches/dev/ZBX-9430 development branch, but if we are really dealing with log file corruption - I'm not sure we should add any workarounds.

Comment by dimir [ 2015 Sep 07 ]

Please review the changes in r55449.

Comment by Andris Zeila [ 2015 Sep 08 ]

Released in:

  • pre-2.2.11rc1 r55458
  • pre-2.4.7rc1 r55459
  • pre-3.0.0alpha2 r55461