[ZBX-9430] EvtNext failed: [0x00000103] No more data is available error for eventlog Created: 2015 Mar 24 Updated: 2017 May 30 Resolved: 2015 Sep 08 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Agent (G) |
Affects Version/s: | 2.2.7 |
Fix Version/s: | 2.2.11rc1, 2.4.7rc1, 3.0.0alpha2 |
Type: | Incident report | Priority: | Blocker |
Reporter: | Kodai Terashima | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 0 |
Labels: | agent, eventlog, item, windows | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
Windows 2008 |
Issue Links: |
|
Description |
EvtNext failed: [0x00000103] No more data is available error happens on eventlog key. Items became not supported status when it received new event log data, then it's fire only first event even if the item received several event. |
Comments |
Comment by Aleksandrs Saveljevs [ 2015 Apr 07 ] |
The issue did not reproduce itself so far. A DebugLevel=4 agent log would be appreciated. |
Comment by Aleksandrs Saveljevs [ 2015 Jul 17 ] |
It should be checked whether the problem can be solved by wiper EvtNext is used by eventlog6 processing, while |
Comment by Andris Zeila [ 2015 Aug 11 ] |
EvtNext() failing with 0x00000103 error is a normal situation, it simply means that there are no more events to read. From MSDN EvtNext documentation:
Zabbix reads the events slightly differently. First the record numbers of the first and the last event to read are acquired, then all events from first id to the last id are read. If event reading fails an error is generated. I assume that during event processing the eventlog was cleaned up. So Zabbix tried to read removed events and throw the above error for each event that was already removed. Instead of throwing an error Zabbix should simply finish event processing loop if evtnext fails with 0x00000103 error. |
Comment by Andris Zeila [ 2015 Aug 12 ] |
From the debug logs it appears that either the number of event log records or the id for first event record calculated by agent is wrong. Because of that agent tries to read more records than available, leading to ERROR_NO_MORE_ITEMS error. The number of event log records is returned by Windows API function while the first event record id is obtained by querieng all event records and reading the id of the first returned event record. Maybe the event log is corrupted? It would be also interesing if the values logged by agent End of zbx_open_eventlog6():SUCCEED FirstID:13439 LastID:48169 numIDs:34730 correspond the values shown by windows event viewer. FirstID - the EventRecordID of the oldest event record |
Comment by Andris Zeila [ 2015 Aug 12 ] |
I created workaround to suppress ERROR_NO_MORE_ITEMS error in svn://svn.zabbix.com/branches/dev/ZBX-9430 development branch, but if we are really dealing with log file corruption - I'm not sure we should add any workarounds. |
Comment by dimir [ 2015 Sep 07 ] |
Please review the changes in r55449. |
Comment by Andris Zeila [ 2015 Sep 08 ] |
Released in:
|