NXLog search
Let's talk Start free
Let's talk Start free

Issue when collecting Windows Security logs - errorcode: 87

Tags: security windows server 2003 errorcode: 87
#1 iksef

Hello community, I have to collect Security logs from a Windows Server 2003. Sometimes, I have the following errors :

 

2017-11-22 09:03:52 INFO nxlog-ce-2.9.1504 started

2017-11-22 09:03:52 INFO connecting to siem.nutrition.lan:1514

2017-11-22 09:03:52 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 1 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.

2017-11-22 09:03:54 INFO Successfully reopened Security EventLog

2017-11-22 09:03:54 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 2 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.

2017-11-22 09:03:57 INFO Successfully reopened Security EventLog

2017-11-22 09:03:57 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 4 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.

2017-11-22 09:04:02 INFO Successfully reopened Security EventLog

2017-11-22 09:04:02 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 8 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.

2017-11-22 09:04:11 INFO Successfully reopened Security EventLog

2017-11-22 09:04:11 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 16 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.

 

Here is my config file : 

 

 
define ROOT C:\Program Files\nxlog
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
############################
# EXTENSION 
############################
 
# Enable json extension
<Extension json>
    Module xm_json
</Extension>
 
# Enable syslog extension
<Extension syslog>
    Module xm_syslog
</Extension>
 
# Enable conversion module
<Extension charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2
</Extension>
 
 
############################
# INPUT 
############################
 
# Nxlog internal logs
<Input internal>
    Module im_internal
    Exec to_json();
</Input>
 
# Windows Event Log for 2003 server
<Input eventlog2003>
  # Module for Windows 2003 server
    Module im_mseventlog
Sources Security
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec convert_fields("AUTO", "utf-8");
    Exec $Message = to_json(); to_syslog_bsd();
</Input>
 
 
############################
# OUTPUT 
############################
 
 
<Output siem>
    Module         om_tcp
    Host    collector.company.com
    Port    1514
</Output>
 
<Route 1>
    Path     eventlog2003, internal => siem
</Route>
 
I can solve the issue by restarting nxlog agent but this is not a definitive solution... Anybody has the same issue ? 
Permalink
#2 b0ti Nxlog ✓
#1 iksef
Hello community, I have to collect Security logs from a Windows Server 2003. Sometimes, I have the following errors :   2017-11-22 09:03:52 INFO nxlog-ce-2.9.1504 started 2017-11-22 09:03:52 INFO connecting to siem.nutrition.lan:1514 2017-11-22 09:03:52 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 1 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs. 2017-11-22 09:03:54 INFO Successfully reopened Security EventLog 2017-11-22 09:03:54 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 2 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs. 2017-11-22 09:03:57 INFO Successfully reopened Security EventLog 2017-11-22 09:03:57 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 4 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs. 2017-11-22 09:04:02 INFO Successfully reopened Security EventLog 2017-11-22 09:04:02 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 8 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs. 2017-11-22 09:04:11 INFO Successfully reopened Security EventLog 2017-11-22 09:04:11 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 16 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.   Here is my config file :      define ROOT C:\Program Files\nxlog   Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log   ############################ # EXTENSION  ############################   # Enable json extension <Extension json>     Module xm_json </Extension>   # Enable syslog extension <Extension syslog>     Module xm_syslog </Extension>   # Enable conversion module <Extension charconv>     Module xm_charconv     AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2 </Extension>     ############################ # INPUT  ############################   # Nxlog internal logs <Input internal>     Module im_internal     Exec to_json(); </Input>   # Windows Event Log for 2003 server <Input eventlog2003>   # Module for Windows 2003 server     Module im_mseventlog Sources Security     Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;     Exec convert_fields("AUTO", "utf-8");     Exec $Message = to_json(); to_syslog_bsd(); </Input>     ############################ # OUTPUT  ############################     <Output siem>     Module         om_tcp     Host    collector.company.com     Port    1514 </Output>   <Route 1>     Path     eventlog2003, internal => siem </Route>   I can solve the issue by restarting nxlog agent but this is not a definitive solution... Anybody has the same issue ? 

This is caused by a bug in Windows 2003. Windows 2003 is no longer supported by Microsoft. We can still provide commercial support for NXLog even for platforms past their EOL date but there must be a good reason.
Login to see more