
We are using nxlog to collect eventlog information. Some entries can be large; in fact, some messages are split over several entries as a workaround for the maximum eventlog entry size. However, these large entries seem to hang nxlog so that it stops processing new entries. Typical error messages are:

---------------------------------------

2014-10-27 17:10:32 ERROR EvtNext failed with error 1734: The array bounds are invalid.  
2014-10-27 17:10:33 ERROR EvtUpdateBookmark failed: The handle is invalid.

----------------------------------------

Why is this? Is there any workaround?

 

Asked November 4, 2014 - 11:18am

Answers (2)

Error 1734 is an RPC error and this is a local eventlog, so the error message does not tell much (it might be braindead already and thus a buggy error code).

If you can provide a POC test case which can be used to reproduce this by using eventcreate or some other tool to inject the offending eventlog entry, then please open a ticket in the Support ticketing system.

Thanks

Answered November 4, 2014 - 10:36pm

The issue has been identified meanwhile. If you'd volunteer to test the bug fix to confirm it's the same issue, that'd be great.

Answered April 1, 2015 - 12:32pm

Comments (2)

  • CypherBit

    I'm also getting this same error using 2.9.1504. Please assist me since no data is going to our SIEM.

    May 28, 2016 - 2:19pm
  • Ivan Akcheurov

    Please could you provide a link to the ticket in the issue tracking system?

    July 5, 2016 - 10:40am