ERROR memory pool allocation error; Not enough space

View thread

dlang

currently running 2.10.2150 on windows with a config that reads a debug DNS log (on c:), parses the logs, drops 99% of the logs, and writes the remainder out with file_write()

we are seeing this memory pool allocation error and looking for info about if it's a known issue, something that we should be changing the config to deal with, or what's happening.

our current config is something very close to (filenames may vary):

Panic Soft #NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert #define CONFDIR %ROOT%\conf define CONFDIR "C:\Program Files (x86)\nxlog\conf define LOGDIR %ROOT%\data #define LOGFILE %LOGDIR%\nxlog.log define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% #LogLevel DEBUG define OUTFILE H:\dnsadvlogs\dns-filtered.log

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data

<Extension _syslog> Module xm_syslog </Extension>

<Extension _json> Module xm_json </Extension>

<Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension>

<Extension _exec> Module xm_exec </Extension>

<Extension _fileop> Module xm_fileop

# Check the log file size every hour and rotate if larger than 5 MB
&lt;Schedule&gt;
    Every 1 hour
    &lt;Exec&gt;
        if (file_exists('%LOGFILE%') and file_size('%LOGFILE%') &gt;= 5M)
            file_cycle('%LOGFILE%', 8);
    &lt;/Exec&gt;
&lt;/Schedule&gt;

# Rotate log file every week on Sunday at midnight
&lt;Schedule&gt;
    When    @weekly
    Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
&lt;/Schedule&gt;

</Extension>

<Extension _fileop2> Module xm_fileop

# Rotate log file every week on Sunday at midnight
&lt;Schedule&gt;
    Every 5 min
    Exec    if file_exists('%OUTFILE') file_cycle('%OUTFILE%', 8);
&lt;/Schedule&gt;

</Extension>

<Extension win_dns_parser> Module xm_multiline # look for a date at the start of the line HeaderLine /^\d+/\d+/\d+/ #filter blank and header lines from the input Exec if $raw_event =~ /^\s*$/ drop(); Exec if $raw_event =~ /^DNS Server log file creation/ drop(); Exec if $raw_event =~ /^Log file wrap at / drop(); Exec if $raw_event =~ /^Message logging key/ drop(); Exec if $raw_event =~ /^\sField # Information Values/ drop(); Exec if $raw_event =~ /^\s------- ----------- ------/ drop(); Exec if $raw_event =~ /^\s1 Date/ drop(); Exec if $raw_event =~ /^\s2 Time/ drop(); Exec if $raw_event =~ /^\s3 Thread ID$/ drop(); Exec if $raw_event =~ /^\s4 Context$/ drop(); Exec if $raw_event =~ /^\s5 Internal packet identifier$/ drop(); Exec if $raw_event =~ /^\s6 UDP/TCP indicator$/ drop(); Exec if $raw_event =~ /^\s7 Send/Receive indicator$/ drop(); Exec if $raw_event =~ /^\s8 Remote IP$/ drop(); Exec if $raw_event =~ /^\s9 Xid (hex)$/ drop(); Exec if $raw_event =~ /^\s10 Query/Response R = Response$/ drop(); Exec if $raw_event =~ /^\sblank = Query$/ drop(); Exec if $raw_event =~ /^\s11 Opcode Q = Standard Query$/ drop(); Exec if $raw_event =~ /^\sN = Notify$/ drop(); Exec if $raw_event =~ /^\sU = Update$/ drop(); Exec if $raw_event =~ /^\s*? = Unknown$/ drop(); Exec if $raw_event =~ /^\s12 [ Flags (hex)$/ drop(); Exec if $raw_event =~ /^\s13 Flags (char codes) A = Authoritative Answer$/ drop(); Exec if $raw_event =~ /^\sT = Truncated Response$/ drop(); Exec if $raw_event =~ /^\sD = Recursion Desired$/ drop(); Exec if $raw_event =~ /^\sR = Recursion Available$/ drop(); Exec if $raw_event =~ /^\s14 ResponseCode ]$/ drop(); Exec if $raw_event =~ /^\s15 Question Type$/ drop(); Exec if $raw_event =~ /^\s16 Question Name/ drop(); </Extension>

<Input win_dns> Module im_file #File "H:\dnsadvlogs\dns.log" File "H:\dnsadvlogs\dns.log" # for testing we want to re-read from the start of the file each time SavePos False ReadFromLast True InputType win_dns_parser <Exec> $Message = $raw_event; $Message = replace($Message, "\r", ""); </Exec> </Input>

<Output win_dns_trimmed> Module om_file

File "H:\dnsadvlogs\dns-trimmed.log"

File      &quot;H:\dnsadvlogs\dns-trimmed.log&quot;
&lt;Exec&gt;
    # manipulate the log entry here, not in input so that we can do other things with the raw input as well
    $Message =~ /^(?&lt;timestamp&gt;\d+\/\d+\/\d+ \d+\:\d+\:\d+\s+\S+)\s+(?&lt;pid&gt;\d+)\s+(?&lt;win_dns_type&gt;[^ ]*)\s+(?&lt;win_dns_packetID&gt;[^ ]*)\s+(?&lt;win_dns_protocol&gt;[^ ]*)\s+(?&lt;win_dns_direction&gt;[^ ]*)\s+(?&lt;win_dns_IP&gt;[^ ]*)\s+(?&lt;win_dns_hexID&gt;[^ ]*) (?&lt;win_dns_qr&gt;.) (?P&lt;win_dns_opcode&gt;.) \[(?&lt;win_dns_flags_hex&gt;\S+) (?&lt;win_dns_flags&gt;.*) (?&lt;win_dns_resultcode&gt;\S+)\]\s+(?&lt;win_dns_recordType&gt;\S+)\s+(?&lt;win_dns_query&gt;\S*).*ANSWER SECTION:.(?&lt;answer&gt;.+)\s+AUTHORITY SECTION:/s; 
    $timestamp=$1;
    $pid=$2;
    $win_dns_type=$3;
    $win_dns_packetID=$4;
    $win_dns_protocol=$5;
    $win_dns_direction=$6;
    $win_dns_IP=$7;
    $win_dns_hexID=$8;
    $win_dns_qr=$9;
    $win_dns_opcode=$10;
    $win_dns_flags_hex=$11;
    $win_dns_flags=$12;
    $win_dns_resultcode=$13;
    $win_dns_recordType=$14;
    $win_dns_query=$15;
    $answer=$16;
    # drop messages if they are not replies (since the replies contain the query info)
    if $win_dns_qr == &quot; &quot; drop();
    # drop logs that have no answer info
    #if $answer =~ /^\s+empty\s+$/ drop();
    # drop logs that don't parse (if we don't have a requestion IP address, the log is worthless to UBA)
    if not defined $win_dns_IP drop();
    # drop logs from dnsmasq caching servers.
    #if $win_dns_IP IN (&quot;10.16.169.32&quot;,&quot;10.49.58.4&quot;,&quot;10.49.58.3&quot;,&quot;10.16.6.22&quot;,&quot;199.47.139.239&quot;,&quot;199.47.139.238&quot;,&quot;199.47.139.182&quot;) drop();
    # for the first pass, just filter the logs, don't change the format
    # this greatly simplifies the Splunk changes needed as the log parsing doesn't need to change
    $orig = replace($raw_event, &quot;\r&quot;, &quot;\r\n&quot;) + &quot;\r\n&quot;;
    file_write(&quot;%OUTFILE%&quot;,$orig); drop();
    delete($orig); delete($Message);
    delete($EventReceivedTime); delete($SourceModuleName); delete($SourceModuleType); delete($pid);
    delete($win_dns_type); delete($win_dns_packetID); delete($win_dns_protocol); delete($win_dns_direction);
    delete($win_dns_hexID); delete($win_dns_qr); delete($win_dns_opcode); delete($win_dns_flags_hex);
    delete($win_dns_flags);
    $answer = replace($answer,&quot;(3)&quot;,&quot;.&quot;);
    $answer = replace($answer,&quot;(6)&quot;,&quot;.&quot;);
    $answer = replace($answer,&quot;(9)&quot;,&quot;&quot;);
    $answer = replace($answer,&quot;(0)&quot;,&quot;&quot;);
    $answer =~ s/\[\S\S\S\S\]//g;
    $win_dns_query = replace($win_dns_query,&quot;(3)&quot;,&quot;.&quot;);
    $win_dns_query = replace($win_dns_query,&quot;(6)&quot;,&quot;.&quot;);
    $win_dns_query = replace($win_dns_query,&quot;(9)&quot;,&quot;&quot;);
    $win_dns_query =~ s/\(0\)UDP//;
    $win_dns_query =~ s/\(0\)TCP//;
    $win_dns_query =~ s/\[\S\S\S\S\]//g;
    rename_field(&quot;win_dns_query&quot;,&quot;q&quot;);
    rename_field(&quot;win_dns_resultcode&quot;,&quot;rc&quot;);
    rename_field(&quot;win_dns_IP&quot;,&quot;ip&quot;);
    rename_field(&quot;win_dns_recordType&quot;,&quot;type&quot;);
    if $rc == &quot;NXDOMAIN&quot; delete($answer);
    to_json();
&lt;/Exec&gt;

</Output> <Route win_dns_route> Path win_dns => win_dns_trimmed </Route>