NXlog-CE-3.0.2272 and Microsoft-Windows-PrintService
#1
vm_grrl
I've configured NXlog to send printing events from our Windows 2012R2 print server to our Nagios LS instance. **Except** for the following issue, it works well.
The issue is: when a filename contains a "%" sign, I receive a _grokparsefailure in Nagios. That led me to NXLog-CE and how it (and its modules) read/parse the data from the Microsoft Windows PrintService Event Log. I enabled troubleshooting by means of debug AND outputting the $raw_event to a text file.
Is there a way I can get this document name from the Windows Event Viewer into Nagios via NXlog-CE? This issue looks similar to this thread, which says the problem is with the provider: [https://nxlog.co/question/2362/problem-windows-event](https://nxlog.co/question/2362/problem-windows-event)
DEBUG OUTPUT:
{"EventTime":"2022-02-11 10:38:48","Hostname":"xxx.yyy.zzz","Keywords":4611686018427390016,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":307,"SourceName":"Microsoft-Windows-PrintService","ProviderGuid":"{xxxxxxx}","Version":0,"Task":26,"OpcodeValue":11,"RecordNumber":2136143,"ProcessID":4764,"ThreadID":6728,"Channel":"Microsoft-Windows-PrintService/Operational","Domain":"XXXX","AccountName":"QQQQ","UserID":"SID-aaa-bbb-ccc","AccountType":"User",**"ERROR_EVT_UNRESOLVED":true**,"Category":"Printing a document","Opcode":"Spooler Operation Succeeded","EventReceivedTime":"2022-02-11 10:38:50","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":null}
$raw_event OUTPUT:
2022-02-11 10:38:48 xxx.yyy.zzz INFO 307 XXXX\QQQQ[The description for EventID 307 from source Microsoft-Windows-PrintService cannot be found: **The substitution string for insert index (%1) could not be found**. ]
CONFIG:
```
define ROOT C:\Program Files\nxlog
define CERT %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log
# Block headers were lost when the post was rendered and are restored here; names other than those in the Route (internal, eventlog, out) are assumed.
<Extension json>
    Module xm_json
</Extension>
<Extension syslog>
    Module xm_syslog
</Extension>
<Input internal>
    Module im_internal
</Input>
<Input eventlog>
    Module im_msvistalog
    # The Path="..." channel attributes of the three <Select> elements were also lost; CHANNEL-n are placeholders.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="CHANNEL-1">*[System[Provider[@Name='Srv'] and (Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="CHANNEL-2">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="CHANNEL-3">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
<Output out>
    Module om_tcp
    Host   qqq.yyy.zzz
    Port   1234
    # Move the rendered description into a lowercase "message" field, then serialise the whole record as JSON (this is what the debug output shows).
    Exec   $tmpmessage = $Message; delete($Message); rename_field("tmpmessage", "message");
    Exec   $raw_event = to_json();
</Output>
# The Route also references an input "file1" that is not in the posted config.
<Route r>
    Path internal, file1, eventlog => out
</Route>
```
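As an added example (not code from the thread or from NXLog), a small Python normaliser for the receiving side that handles the failure mode above: it detects the unrendered description (`ERROR_EVT_UNRESOLVED` true, `message` null), substitutes a grok-safe synthetic message built from the fields that do survive, and tracks how often it happens so a silently thinned print audit trail is noticed. The sample lines are constructed from the debug output above; the field names it falls back on are those the post shows.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample line modelled on the post's debug output (values anonymised).
SAMPLE_UNRESOLVED = (
    '{"EventTime":"2022-02-11 10:38:48","Hostname":"xxx.yyy.zzz","EventID":307,'
    '"SourceName":"Microsoft-Windows-PrintService",'
    '"Channel":"Microsoft-Windows-PrintService/Operational",'
    '"ERROR_EVT_UNRESOLVED":true,"Category":"Printing a document",'
    '"Opcode":"Spooler Operation Succeeded","message":null}'
)
# Constructed healthy event for contrast (message text is invented).
SAMPLE_RESOLVED = (
    '{"EventID":307,"SourceName":"Microsoft-Windows-PrintService",'
    '"message":"Document 12 was printed on Printer1"}'
)

def message_unresolved(event: Dict) -> bool:
    """Windows could not render the description: NXLog flags it and leaves message null."""
    return bool(event.get("ERROR_EVT_UNRESOLVED")) or event.get("message") is None

def normalize_event(line: str) -> Dict:
    """Parse one NXLog JSON line. Unresolved events keep all structured fields and
    get a synthetic message built only from fields that survive the render failure,
    plus a flag so the missing description can be counted downstream."""
    event = json.loads(line)
    event["message_unresolved"] = message_unresolved(event)
    if event["message_unresolved"]:
        event["message"] = "[unrendered] {} EventID {}: {} / {}".format(
            event.get("SourceName", "?"), event.get("EventID", "?"),
            event.get("Category", ""), event.get("Opcode", ""))
    return event

def unresolved_ratio(lines: Iterable[str]) -> float:
    """Share of events whose description failed to render; a sustained non-zero
    value means part of the print audit trail is arriving without document names."""
    events: List[Dict] = [normalize_event(l) for l in lines]
    if not events:
        return 0.0
    return sum(e["message_unresolved"] for e in events) / len(events)
```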