6 responses

Hi, I'm using the latest version of the community edition of nxlog to send data from Server 2016. The server started going crazy (CPU/Messages per second) and the eventlog has this.

Warning 8/26/2018 8:21 EvntAgnt 3006 None Error reading log event record. Handle specified is 1313800280. Return code from ReadEventLog is 87.
Warning 8/26/2018 8:21 EvntAgnt 3006 None Error reading log event record. Handle specified is 1313800280. Return code from ReadEventLog is 87.

We were getting 31,000 of these events per second. Microsoft had this to say...

https://support.microsoft.com/en-us/help/177199/bug-readeventlog-fails-with-error-87

So, is there a different way to configure the nxlog so this won't occur? We just rebooted for now but I'm sure stopping/starting the service would have fixed it but they didn't know.

Asked August 27, 2018 - 7:23pm

Answer (1)

You should be using im_msvistalog, not im_mseventlog.

Comments (5)

  • b0ti (NXLog)

    im_mseventlog had the same issue in the past. Digging deeper based on the error message, it seems that this is emitted by EvntAgnt - SNMP Event Log Extension Agent, and the error is caused by EvntAgnt using the old/buggy Eventlog API.

    Note that EvntAgnt that is flooding you with these errors is not our software...

  • William Scanlon

    This is also occurring for me on a Windows 2012 R2 VM using nxlog enterprise 2.1 x86 and im_msvistalog. Is this something that is addressed in a later release of the enterprise service? Note, this does not occur with the Splunk Forwarder on the same image.
    Per https://support.microsoft.com/en-us/help/177199/bug-readeventlog-fails-with-error-87
    "Resolution
    The calling application should not use the EVENTLOG_SEEK_READ flag with ReadEventLog if the size of the event log file is not determined. Instead, use the EVENTLOG_SEQUENTIAL_READ flag and use repeated calls to ReadEventLog to implement code to scan to the record of interest."

  • b0ti (NXLog)

    Per https://support.microsoft.com/en-us/help/177199/bug-readeventlog-fails-with-error-87

    This is the old Eventlog API used by im_mseventlog, applicable only for the obsoleted Windows 2003. im_msvistalog does not use this API.
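
The module switch recommended in the answer, as an added nxlog.conf example that is not from the original posters or from NXLog. The channel list, the instance names (`eventlog`, `collector`), the collector address and port, and the optional drop rule for the EvntAgnt 3006 warnings are assumptions made for illustration.

```conf
# BEFORE (legacy): im_mseventlog reads through the old Eventlog API,
# which the thread describes as applicable only to Windows 2003.
# <Input eventlog>
#     Module  im_mseventlog
# </Input>

# AFTER: im_msvistalog, as recommended in the answer.
<Input eventlog>
    Module  im_msvistalog

    # Assumption: collect these three channels; list the ones you need.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*</Select>\
                    <Select Path="System">*</Select>\
                    <Select Path="Security">*</Select>\
                </Query>\
            </QueryList>

    # Optional (assumption): do not forward the EvntAgnt 3006 warnings
    # quoted in the question. This only stops them being shipped;
    # EvntAgnt still writes them to the local event log.
    Exec    if ($SourceName == "EvntAgnt" and $EventID == 3006) drop();
</Input>

# Assumption: placeholder collector (documentation address range).
<Output collector>
    Module  om_tcp
    Host    192.0.2.10
    Port    514
</Output>

<Route eventlog_to_collector>
    Path    eventlog => collector
</Route>
```

Dropping at the agent keeps a flood like the 31,000 events per second reported above off the network, but the source of the warnings still has to be dealt with on the host.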