NXLog v5 hangs after EvtRender() failed; ERROR

#1 Roman_Andreev

Hello, after upgrading to nxlog v5, we ran into a problem where nxlog hangs. The last message in the log in 95% of cases is:

2021-02-24 15:12:46 ERROR [im_msvistalog|winlog] Couldn't retrieve eventlog fields from xml, EvtRender() failed; The data area passed to a system call is too small.

We are searching for logs that trigger that condition with log_info($raw_event); and discovered:

4104 from PowerShell/Operational

800 from PowerShell

And some other logs with huge values in the <EventData>...</EventData> field

If we disable the 4104 and 800 EventIDs in the Windows subscription, NXLog works much longer without hangs, but the problem still exists. And we need these EventIDs.

Can you please fix this or provide any workaround to disable auto-parsing of <EventData> for specific EventIDs (im_msvistalog module)?

#2 rafDeactivated Nxlog ✓

Hi,

Could you share more details? Your OS version, config file, nxlog.log?

Thanks,
Rafal