6
responses

Hello,

nxlog CE v2.9.1504, Windows Server 2008 Enterprise

relevant part of config file:

<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
    Exec if ($Severity == 'INFO') drop();
<QueryXML>
    <QueryList>
        <Query Id="0">
            <Select Path="System">*</Select>
            <Select Path="Security">*</Select>
            <Select Path="Application">*</Select>
<!-- EventID 2137 - Shrepoint Health Analyzer - ignore -->
            <Suppress Path="Application">*[System[(EventID=2137)]]</Suppress>
<!-- EventID 2138 - Shrepoint Health Analyzer - ignore -->
            <Suppress Path="Application">*[System[(EventID=2138)]]</Suppress>
            <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
        </Query>
    </QueryList>
</QueryXML>
# Uncomment im_mseventlog for Windows XP/2000/2003
#   Module im_mseventlog
</Input>

One event (EventID 1309 from Application channel) always returns an empty message field (message:null)  as you can see in debug output.

{"EventTime":"2017-03-21 09:54:13","Hostname":"HOST.DOMAIN.TLD","Keywords":36028797018963968,
"EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":1309,"SourceName":"ASP.NET 2.0.50727.0",
"Task":3,"RecordNumber":1013344,"ProcessID":0,"ThreadID":0,"Channel":"Application","ERROR_EVT_UNRESOLVED":true,
"Category":"Web Event","EventReceivedTime":"2017-03-21 09:54:13","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog",
"message":null}

How can I get more informations, why those events has a null message field?
What means "ERROR_EVT_UNRESOLVED":true?

Thank you.

AskedMarch 21, 2017 - 5:39pm

Answer (1)

Each application needs to provide (thus called provider) resource data on how the event data can be mapped back to human readable form. If there is an issue with this transation the eventlog API will give ERROR_EVT_UNRESOLVED.

Have you checked this in event viewer?

 

Comments (5)

  • Pasi's picture

    Thank you for your reply.

    I'm not sure if i know how to check this in event viewer.
    I ran this command on server: (btw in linked Microsoft article, there is a mistake in command name - wevtuitl instead of wevtutil :)

    wevtutil gp "ASP.NET 2.0.50727.0"

    and I got an error:

    name: ASP.NET 2.0.50727.0
    guid: 00000000-0000-0000-0000-000000000000
    helpLink: http://go.microsoft.com/fwlink/events.asp?CoName=Microsoft%20Corporation&ProdName=Microsoft%c2%ae%20.NET%20Framework&ProdVer=2.0.50727.4252&FileName=aspnet_rc.dll&FileVer=2.0.50727.4252
    messageFileName: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_rc.dll
    message:
    channels:
      channel:
        name: Application
        id: 9
        flags: 1
        message:
    levels:
    opcodes:
    Failed to get tasks property. The specified resource language ID cannot be found in the image file.

    but,

    today morning an event with same ID (EventID 1309) was received with filled "message" field. So I compared them (both was saved as a text files from Event Viewer).

    Event with empty message field (message:null) has as text file 3301 bytes, message with filled field has as text file 1621 bytes.
    Probably there is a problem with bigger EventData fields.

    Is there any limitation?

    Thank you.

  • b0ti's picture
    (NXLog)

    > Is there any limitation?

    There shouldn't be any issues at this size. There were some problems in the past above 32k but I believe that is no longer the case.

  • Pasi's picture

    You are right.

    I tried import (via eventcreate comand) saved event in .txt fromat (3301 bytes) with success, even if in debug logfile ERROR_EVT_UNRESOLVED appeared again.

    And one more note. Messages which was not received from Eventlog contains a lot of '%' chars as a part of URL string in EventData field.

    Thank you.

  • b0ti's picture
    (NXLog)

    Windows Eventlog uses %X to denote insertion strings (% followed by a number). I assume the ASP application inserts such data directly into windows eventlog without properly escaping it. This is what causes the error.

  • cameronwp's picture

    I realize this is over a year old but I am hoping you can tell me what the workaround/fix is when there are uncommented or unescaped % symbols in the message coming from the event logs. You mentioned what was causing the error in your message but not what to do about it. Thanks!