[ZBXNEXT-934] Support of new eventlog type "Applications and services log" on windows Vista, 2008, 7 Created: 2011 Aug 30  Updated: 2014 Feb 18  Resolved: 2014 Feb 13

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Request Priority: Major
Reporter: Kodai Terashima Assignee: Unassigned
Resolution: Duplicate Votes: 2
Labels: eventlog
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows Vista, 2008, 7


Attachments: PNG File Zabbix_WindowsEventLogs.png
Issue Links:
Duplicate
duplicates ZBX-2008 "Windows Eventing 6.0" not supported Closed

Description

The Windows agent doesn't support the new eventlog type "Applications and Services Logs" on Windows Vista, 2008 and 7.

See also "Applications and Services Logs" on Microsoft TechNet
http://technet.microsoft.com/en-us/library/cc722404%28WS.10%29.aspx



Comments
Comment by richlv [ 2011 Sep 05 ]

Just to clarify, is this different from ZBX-2008?

Comment by Kodai Terashima [ 2011 Sep 06 ]

Yes. ZBX-2008 is a problem of the eventlog type "Windows Log". The Windows Log type eventlog has existed since before Windows Vista.
This problem is about the new eventlog type "Applications and services log".

Comment by Joel Reed [ 2013 Mar 28 ]

I've run into this issue myself and have some additional information to contribute that hopefully could shed some light on the issue.

These new "Application and Services Logs" within the Windows GUI are displayed in a hierarchy but in reality are stored in a single flat location on the file system, the same location as the traditional Application, System, etc. Most of these newer event logs have unusual file names. The names themselves contain a '/' character which is encoded within the file name to '%4'. So within the GUI you see an event log named, "Microsoft-Windows-TaskScheduler/Operational", but on the file system its actual name is "Microsoft-Windows-TaskScheduler%4Operational".

I can successfully pull all traditional Event Logs, even the handful of "Application and Services Logs" that don't contain a "/" (%4) in the name, just fine. I think it's this naming convention that is getting handled incorrectly somewhere. Even if I use '%4' within the key value it gets encoded "properly" by the server/agent by the time it gets to the server. Below are the important bits from my debug logging at the agent side when the check is added and when it is executed and returns a failure. Attached as well is a screen cap of the file system location for Event Logs so you can see how the naming appears.

I made these attempts using the Zabbix Win agent version 2.0.3 (and Zabbix Server 2.0.0). I've been unable to test with anything higher, but I don't see in any of the release notes that the EventLog functionality has undergone any changes. I'll try and test with later revisions and post again if I see any changes.

2140:20130328:112015.469 End of send_buffer():SUCCEED
2140:20130328:112015.469 refresh_active_checks('zabbixserv.acme.com',10051)
2140:20130328:112015.469 Sending [
{ "request":"active checks", "host":"WINSERV-HOST"}
]
2140:20130328:112015.469 Before read
2140:20130328:112015.469 Got [{
"response":"success",
"data":[
{ "key":"eventlog[Application,,Error]", "delay":300, "lastlogsize":1994, "mtime":0},
{ "key":"eventlog[Microsoft-Windows-TaskScheduler\/Operational,,Error]", "delay":300, "lastlogsize":0, "mtime":0},
{ "key":"eventlog[System,,Error]", "delay":300, "lastlogsize":11318, "mtime":0}
]}]
2140:20130328:112015.469 In parse_list_of_checks()
2140:20130328:112015.469 In disable_all_metrics()
2140:20130328:112015.469 In add_check() key:'eventlog[Application,,Error]' refresh:300 lastlogsize:1994 mtime:0
2140:20130328:112015.469 End of add_check()
2140:20130328:112015.469 In add_check() key:'eventlog[Microsoft-Windows-TaskScheduler/Operational,,Error]' refresh:300 lastlogsize:0 mtime:0
2140:20130328:112015.469 End of add_check()
2140:20130328:112015.469 In add_check() key:'eventlog[System,,Error]' refresh:300 lastlogsize:11318 mtime:0
2140:20130328:112015.469 End of add_check()
2140:20130328:112015.469 Sleeping for 1 second(s)

2140:20130328:112119.516 In send_buffer() host:'zabbixserv.acme.com' port:10051 values:0/100
2140:20130328:112119.516 End of send_buffer():SUCCEED
2140:20130328:112119.516 In process_active_checks('zabbixserv.acme.com',10051)
2140:20130328:112119.516 In process_eventlog() source:'Application' lastlogsize:4606
2140:20130328:112119.516 In zbx_open_eventlog()
2140:20130328:112119.516 zbx_open_eventlog() pNumRecords:4606 pLatestRecord:1
2140:20130328:112119.516 End of zbx_open_eventlog():SUCCEED
2140:20130328:112119.516 End of process_eventlog():SUCCEED
2140:20130328:112119.516 In process_eventlog() source:'System' lastlogsize:11354
2140:20130328:112119.516 In zbx_open_eventlog()
2140:20130328:112119.516 zbx_open_eventlog() pNumRecords:11354 pLatestRecord:1
2140:20130328:112119.516 End of zbx_open_eventlog():SUCCEED
2140:20130328:112119.516 End of process_eventlog():SUCCEED
2140:20130328:112119.516 In process_eventlog() source:'Microsoft-Windows-TaskScheduler/Operational' lastlogsize:0
2140:20130328:112119.516 In zbx_open_eventlog()
2140:20130328:112119.516 End of zbx_open_eventlog():FAIL
2140:20130328:112119.516 cannot open eventlog 'Microsoft-Windows-TaskScheduler/Operational': [0x000000B7] Cannot create a file when that file already exists.
2140:20130328:112119.516 End of process_eventlog():FAIL
2140:20130328:112119.516 Active check [eventlog[Microsoft-Windows-TaskScheduler/Operational,,Error]] is not supported. Disabled.
2140:20130328:112119.516 In process_value() key:'PHX-ENGMGT01:eventlog[Microsoft-Windows-TaskScheduler/Operational,,Error]' value:'ZBX_NOTSUPPORTED'
2140:20130328:112119.516 In send_buffer() host:'zabbixserv.acme.com' port:10051 values:0/100
2140:20130328:112119.516 End of send_buffer():SUCCEED
2140:20130328:112119.516 buffer: new element 0
2140:20130328:112119.516 End of process_value():SUCCEED
2140:20130328:112119.516 End of process_active_checks()
2140:20130328:112119.516 In get_min_nextcheck()
2140:20130328:112119.516 Sleeping for 1 second(s)
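The naming mismatch Joel describes, as an added example that is not Zabbix code: a Python helper that maps an Event Viewer channel name to the file name under winevt\Logs (and back), and scans agent log lines for "cannot open eventlog" failures so an operator can compare the failing channel with what is actually on disk. The sample lines are constructed copies of the agent output quoted in this thread; the .evtx extension and the accepted line formats (2.0.x prints "': [0x", 2.2.x prints "':[0x") are assumptions drawn from that output, not from the thread's code.

```python
import re
from typing import Dict, List, Optional

# Event Viewer shows '/', the on-disk file name replaces it with '%4'
# (as described in the comment above); .evtx is the Vista+ log file format.
EVTX_SEPARATOR = "%4"


def channel_to_evtx_filename(channel: str) -> str:
    """Map an Event Viewer channel name to its file name under winevt\\Logs."""
    return channel.replace("/", EVTX_SEPARATOR) + ".evtx"


def evtx_filename_to_channel(filename: str) -> str:
    """Inverse mapping: drop the extension and decode '%4' back to '/'."""
    stem = filename[:-5] if filename.lower().endswith(".evtx") else filename
    return stem.replace(EVTX_SEPARATOR, "/")


# "<pid>:<yyyymmdd>:<hhmmss.ms> cannot open eventlog '<channel>'[: ][0x<code>] <msg>"
# The code/message part is optional because the 2.2.1 agent also logs a bare line.
_OPEN_FAIL = re.compile(
    r"^(?P<pid>\d+):(?P<date>\d{8}):(?P<time>\d{6}\.\d+) cannot open eventlog "
    r"'(?P<channel>[^']+)'(?::\s?\[0x(?P<code>[0-9A-Fa-f]+)\]\s*(?P<msg>.*))?$"
)


def find_eventlog_failures(lines) -> List[Dict[str, Optional[str]]]:
    """One record per 'cannot open eventlog' line, with the Win32 error code as an
    int and the file name the agent would have had to find for that channel."""
    failures = []
    for line in lines:
        m = _OPEN_FAIL.match(line.strip())
        if not m:
            continue
        code = m.group("code")
        failures.append({
            "channel": m.group("channel"),
            "evtx_file": channel_to_evtx_filename(m.group("channel")),
            "code": int(code, 16) if code else None,
            "message": m.group("msg") or None,
        })
    return failures


# Constructed sample modelled on the agent output quoted in this thread.
SAMPLE_LOG = """\
2140:20130328:112119.516 In zbx_open_eventlog()
2140:20130328:112119.516 cannot open eventlog 'Microsoft-Windows-TaskScheduler/Operational': [0x000000B7] Cannot create a file when that file already exists.
13192:20140218:115240.786 cannot open eventlog 'Microsoft-Windows-TaskScheduler/Optional':[0x00003A9F] The specified channel could not be found. Check channel configuration.
13192:20140218:115240.789 cannot open eventlog 'Microsoft-Windows-TaskScheduler/Optional'
""".splitlines()

if __name__ == "__main__":
    for failure in find_eventlog_failures(SAMPLE_LOG):
        print(failure)
```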

Comment by Joel Reed [ 2013 Mar 28 ]

File system displays the actual Event Log file names. Newer logs contain the '%4' character that possibly prevents eventlog[] active key from working.

Comment by Takanori Suzuki [ 2013 Aug 07 ]

With my patch posted in ZBX-2008, Zabbix becomes able to read the "Applications and services log" as well.
The patch is "zabbix-2.0.6-add_eventlog6_key.patch" in ZBX-2008.
Just in case.

Comment by Robert Riskin [ 2013 Sep 10 ]

Hello, I'm just confirming that I am having this problem on Zabbix 2.0.6. I can monitor System, Security, and Application logs, but anything within that winevt/Logs folder with %4 or '/' I cannot monitor. I'm particularly interested in the Firewall log. Is there a way to get the patched executable from ZBX-2008 for testing to see if this solves the problem?

Comment by richlv [ 2014 Feb 12 ]

Igor, ZBX-2008 might solve this - if so, let's close this issue as a dupe.

Comment by Igors Homjakovs (Inactive) [ 2014 Feb 13 ]

ZBX-2008 fixed this issue and now "Windows Logs" and "Applications and Services Logs" are supported.

Comment by Robert Riskin [ 2014 Feb 18 ]

Hello, I have upgraded my host to 2.2.2 and upgraded the agent I am trying to monitor to 2.2.1, and I am still getting a "not supported" in my agent logs:

13192:20140218:115240.786 cannot open eventlog 'Microsoft-Windows-TaskScheduler/Optional':[0x00003A9F] The specified channel could not be found. Check channel configuration.
13192:20140218:115240.789 cannot open eventlog 'Microsoft-Windows-TaskScheduler/Optional'
13192:20140218:115240.791 active check "eventlog["Microsoft-Windows-TaskScheduler/Optional"]" is not supported

Can you please tell me if you can successfully monitor this and also what is the appropriate convention for monitoring the Applications and services logs?
