Problem with Windows Event


#1 Pasi

Hello,

nxlog CE v2.9.1504, Windows Server 2008 Enterprise

Relevant part of the config file:

<Input eventlog>
    # Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
    Exec if ($Severity == 'INFO') drop();
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Application">*</Select>
                <!-- EventID 2137 - SharePoint Health Analyzer - ignore -->
                <Suppress Path="Application">*[System[(EventID=2137)]]</Suppress>
                <!-- EventID 2138 - SharePoint Health Analyzer - ignore -->
                <Suppress Path="Application">*[System[(EventID=2138)]]</Suppress>
                <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Uncomment im_mseventlog for Windows XP/2000/2003
    #   Module im_mseventlog
</Input>

One event (EventID 1309 from the Application channel) always comes back with an empty message field (message:null), as you can see in the debug output.

{"EventTime":"2017-03-21 09:54:13","Hostname":"HOST.DOMAIN.TLD","Keywords":36028797018963968,
"EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":1309,"SourceName":"ASP.NET 2.0.50727.0",
"Task":3,"RecordNumber":1013344,"ProcessID":0,"ThreadID":0,"Channel":"Application","ERROR_EVT_UNRESOLVED":true,
"Category":"Web Event","EventReceivedTime":"2017-03-21 09:54:13","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog",
"message":null}

How can I get more information on why those events have a null message field?
What does "ERROR_EVT_UNRESOLVED":true mean?

Thank you.

#2 b0ti Nxlog ✓

Each application needs to provide (hence the name "provider") resource data describing how the event data can be mapped back to a human-readable form. If there is an issue with this translation, the eventlog API will give ERROR_EVT_UNRESOLVED.

Have you checked this in event viewer?
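A way to check this from the command line rather than in Event Viewer, added here as an example and not part of either post above. It assumes you run it in an elevated PowerShell on the host that writes the event; the provider name and event ID are taken from the nxlog debug output in post #1, and `New-Object PSObject` is used instead of `[pscustomobject]` so the script also runs on the PowerShell 2.0 that ships with Windows Server 2008.

```powershell
# Added diagnostic example (not from the thread above). Run elevated on the host
# that writes EventID 1309 to the Application log.

$provider = 'ASP.NET 2.0.50727.0'   # SourceName from the nxlog debug output
$eventId  = 1309

# 1. Does the provider register any message resources? If MessageFilePath is
#    empty, or names a DLL that is not present on this host, the API cannot
#    render the message and nxlog can only emit message:null.
Get-WinEvent -ListProvider $provider |
    Select-Object Name, MessageFilePath, ResourceFilePath, ParameterFilePath |
    Format-List

# 2. Pull recent matching events and compare the rendered Message with the raw
#    EventData the provider actually wrote. The raw data survives even when the
#    message template cannot be resolved, so it shows what is being lost.
$filter = @{ LogName = 'Application'; ProviderName = $provider; Id = $eventId }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 3 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    # Data elements may be plain strings or objects with a '#text' node
    $raw = foreach ($d in $xml.Event.EventData.Data) {
        if ($d -is [string]) { $d } else { $d.'#text' }
    }
    New-Object PSObject -Property @{
        RecordId    = $e.RecordId
        TimeCreated = $e.TimeCreated
        MessageNull = [string]::IsNullOrEmpty($e.Message)
        EventData   = ($raw -join ' | ')
    } | Select-Object RecordId, TimeCreated, MessageNull, EventData
}
```

If step 1 shows no message file, or step 2 shows MessageNull = True while EventData is populated, the problem is on the provider side (missing or unregistered resource DLL for that ASP.NET version) rather than in the nxlog configuration, and the raw XML from `ToXml()` is the data you can still forward.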