SQL server error log collect problem

Tags:

#1 Graziano.Tartari

I'm trying to collect Sql Server error log using the second conf found here: https://nxlog.co/documentation/nxlog-user-guide/mssql.html

<Input mssql_errorlog> Module im_file File 'C:\Program Files\Microsoft SQL Server' +
'MSSQL14.MSSQLSERVER\MSSQL\Log\ERRORLOG' <Exec> # Convert character encoding $raw_event = convert($raw_event, 'UTF-16LE', 'UTF-8'); # Discard empty lines if $raw_event == '' drop(); # Attempt to match regular expression else if $raw_event =~ /(?x)^(?<EventTime>\d+-\d+-\d+\ \d+:\d+:\d+.\d+) \ (?<Source>\S+)\s+(?<Message>.+)$/s { # Convert $EventTime field to datetime type $EventTime = parsedate($EventTime); # Save $EventTime and $Source; may be needed for next event set_var('last_EventTime', $EventTime); set_var('last_Source', $Source); } # If regular expression does not match, this is a multi-line event else { # Use the entire line for the $Message field $Message = $raw_event; # Check if fields were save from the previous event if defined(get_var('last_EventTime')) { # Use $EventTime and $Source from previous event $EventTime = get_var('last_EventTime'); $Source = get_var('last_Source'); } else # Use received timestamp for $EventTime; $Source is unknown $EventTime = $EventReceivedTime; } </Exec> </Input>

I receive the follow error:

ERROR if-else failed at line 71, character 9 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; if-else failed at line 71, character 9 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; assignment failed at line 57, character 47 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 57, character 46 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid

It seems parsedate cannot evaluate $EventTime...

Please, help me.

Graziano.

#2 Graziano.Tartari
#1 Graziano.Tartari
I'm trying to collect Sql Server error log using the second conf found here: https://nxlog.co/documentation/nxlog-user-guide/mssql.html <Input mssql_errorlog> Module im_file File 'C:\Program Files\Microsoft SQL Server' + 'MSSQL14.MSSQLSERVER\MSSQL\Log\ERRORLOG' <Exec> # Convert character encoding $raw_event = convert($raw_event, 'UTF-16LE', 'UTF-8'); # Discard empty lines if $raw_event == '' drop(); # Attempt to match regular expression else if $raw_event =~ /(?x)^(?<EventTime>\d+-\d+-\d+\ \d+:\d+:\d+.\d+) \ (?<Source>\S+)\s+(?<Message>.+)$/s { # Convert $EventTime field to datetime type $EventTime = parsedate($EventTime); # Save $EventTime and $Source; may be needed for next event set_var('last_EventTime', $EventTime); set_var('last_Source', $Source); } # If regular expression does not match, this is a multi-line event else { # Use the entire line for the $Message field $Message = $raw_event; # Check if fields were save from the previous event if defined(get_var('last_EventTime')) { # Use $EventTime and $Source from previous event $EventTime = get_var('last_EventTime'); $Source = get_var('last_Source'); } else # Use received timestamp for $EventTime; $Source is unknown $EventTime = $EventReceivedTime; } </Exec> </Input> I receive the follow error: ERROR if-else failed at line 71, character 9 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; if-else failed at line 71, character 9 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; assignment failed at line 57, character 47 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 57, character 46 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid It seems parsedate cannot evaluate $EventTime... Please, help me. Graziano.

It seems that convert function broke the raw message... Without it the input works like a charm.

Regards, Graziano.