if-else failed, not enough fields
Having a reoccurring problem where I get the following error and my output file quits updating for a few minutes then picks back up again. As a side note, I was having a problem with the eventlog because of an entry that was being written that had an object serialized as xml in the message. That is the exclusion in my application log. Since then, the event log has been working flawlessly.
I found a similar post, except that in my instance I already use a more specific filter.
http://nxlog.org/question/531/iis-log-bad-characters-causes-nxlog-crash-causing-random-event-dump
Log
2015-03-06 13:10:32 INFO nxlog-ce-2.8.1248 started
2015-03-06 13:14:07 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''
2015-03-06 13:28:30 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''
2015-03-06 13:50:07 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''
2015-03-06 14:07:39 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''
Line 70 refers to the closing bracket in
<Input default_iis_in>
Module im_file
File "D:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
ReadFromLast TRUE
Exec if $raw_event=~/^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
}
</Input>
Full config
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension w3c>
Module xm_csv
Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs(User-Agent), $cs(Referer), $sc-status, $sc-substatus, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken
FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Extension json>
Module xm_json
</Extension>
<Extension fileop>
Module xm_fileop
<Schedule>
Every 10 min
Exec file_truncate("evt.json");
</Schedule>
<Schedule>
Every 10 min
Exec file_truncate("iis-default.json");
</Schedule>
</Extension>
<Input evt_in>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select> \
</Query>\
</QueryList>
ReadFromLast TRUE
Exec if $SourceName=~/TfsDeployer/ drop(); \
else \
{ \
to_json(); \
}
</Input>
<Input default_iis_in>
Module im_file
File "D:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
ReadFromLast TRUE
Exec if $raw_event=~/^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
}
</Input>
<Output evt_out>
Module om_file
File "evt.json"
</Output>
<Output default_iis_out>
Module om_file
Exec $raw_event = to_json();
File "iis-default.json"
</Output>
<Route 1>
Path evt_in => evt_out
</Route>
<Route 2>
Path default_iis_in => default_iis_out
</Route>
Any help would be appreciated. Thank you.
After watching this a little more closely the error seems to happen when the output file gets truncated. Is there perhaps a better way of managing this file? My only need is for it not to grow indefinitely.
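To find which lines of a W3C log a strict 17-field CSV parse would reject, as in the error quoted in the post, this added example (not code from the poster or from nxlog) classifies each line using the field list, delimiter, quote character and undefined value from the posted `w3c` extension. It approximates xm_csv with Python's `csv` module; the function names are hypothetical and the sample log lines are constructed.

```python
import csv
from collections import Counter

# Field list copied from the <Extension w3c> block in the post (17 fields).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes",
          "cs-bytes", "time-taken"]

def classify(line):
    """Return (kind, record); kind is 'directive', 'empty', 'wrong_count' or 'ok'."""
    text = line.rstrip("\r\n")
    if text.startswith("#"):
        return "directive", None      # the posted config already drops these
    if not text.strip():
        return "empty", None          # matches "got 0 in input ''" in the error
    # Space delimiter and double-quote QuoteChar, as in the posted xm_csv settings.
    row = next(csv.reader([text], delimiter=" ", quotechar='"'))
    if len(row) != len(FIELDS):
        return "wrong_count", None    # e.g. a partially written line
    # UndefValue '-' in the posted config means the field is undefined.
    return "ok", {k: (None if v == "-" else v) for k, v in zip(FIELDS, row)}

def scan(lines):
    """Count each kind and list the 1-based line numbers a strict parse rejects."""
    counts, rejected, records = Counter(), [], []
    for number, line in enumerate(lines, start=1):
        kind, record = classify(line)
        counts[kind] += 1
        if kind in ("empty", "wrong_count"):
            rejected.append(number)
        elif kind == "ok":
            records.append(record)
    return counts, rejected, records

# Constructed sample input (not taken from the poster's server).
SAMPLE = [
    "#Software: Microsoft Internet Information Services 8.5\r\n",
    "#Version: 1.0\r\n",
    "2015-03-06 13:14:06 10.0.0.5 GET /index.html - 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 512 230 15\r\n",
    "\r\n",
    "2015-03-06 13:14:07 10.0.0.5 GET /app\r\n",
]

if __name__ == "__main__":
    counts, rejected, _ = scan(SAMPLE)
    print(dict(counts), "rejected lines:", rejected)
```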