I am getting an error message in nxlog.log.
2015-02-17 08:16:23 INFO nxlog-ce-2.8.1248 started
2015-02-17 08:16:35 ERROR Couldn't read next event, corrupted eventlog?; The data is invalid.
After this error no more events or log messages are generated.
However, I can read the event log with Event Viewer and I can see new events.
These are the messages in my graylog2:
2015-02-17 08:16:35.000 wintoosa Couldn't read next event, corrupted eventlog? The data is inval
2015-02-17 08:16:23.000 wintoosa nxlog-ce-2.8.1248 started

It seems that nxlog is running but it can't handle events after this error.
How can I fix this?

My very basic nxlog.conf:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
#LogLevel DEBUG

<Extension syslog>
Module xm_syslog
</Extension>

<Extension gelf>
Module xm_gelf
</Extension>

<Input internal>
Module im_internal
</Input>

<Input eventlog>
Module im_msvistalog
# For windows 2003 and earlier use the following:
# Module im_mseventlog
</Input>

<Output out>
Module om_udp
Host 10.0.0.103
Port 12900
outputType GELF
</Output>

<Route 1>
Path internal, eventlog => out
</Route>

Asked February 17, 2015 - 7:51am

Answers (3)

Seems to be the same issue as this. If you have no issues with Event Viewer, then this might be a bug. Please test the EE trial since it has several bug fixes which might be related.

Answered February 17, 2015 - 2:42pm

Comments (7)

  • nautilus

    I tested with EE but I get the same error.
    I even cleared all event logs with Event Viewer yesterday.

    2015-02-18 10:36:25 INFO nxlog-ce-2.8.1248 started
    2015-02-18 10:36:27 ERROR Couldn't read next event, corrupted eventlog?; The data is invalid.
    2015-02-18 10:57:36 WARNING stopping nxlog service
    2015-02-18 10:57:36 WARNING nxlog-ce received a termination request signal, exiting...
    2015-02-18 11:01:53 INFO nxlog-2.8.1337-trial started
    2015-02-18 11:02:35 ERROR Couldn't read next event, corrupted eventlog?; The data is invalid.

    Windows 8.1 is a fresh installation without any further application installations (except Windows updates).
    So I am unable to use nxlog with Windows 8.1 at the moment.

    February 18, 2015 - 10:20am
  • adm (NXLog)

    A fresh install of English Windows 8.1 Enterprise build 9600 works ok with nxlog-ce-2.8.1248; I just tested it in a VM. This issue is also on Windows 8.1, so I suspect there may be something with 8.1, but it is likely an issue with some Windows 8 eventlog source and is not an NXLog bug.

    February 18, 2015 - 2:34pm
  • adm (NXLog)

    What you could try is to specify specific sources only:

    <Input in>
        Module      im_msvistalog
        ReadFromLast FALSE
        SavePos     FALSE
        Query       <QueryList>\
                        <Query Id="0">\
                            <Select Path="Application">*</Select>\
                            <Select Path="System">*</Select>\
                            <Select Path="Security">*</Select>\
                        </Query>\
                    </QueryList>
    </Input>

    If it works with these, you can keep on adding more sources until the offending source is found.

    See this mailing list post for some more info.

    February 18, 2015 - 3:41pm
  • nautilus

    Here is some content from the log file, with LogLevel DEBUG.
    When the first event comes after starting nxlog, the log shows:

    no events or no future events, event thread sleeping in condwait

    nxlog doesn't recognise new events.

    2015-02-18 12:41:59 DEBUG no events or no future events, event thread sleeping in condwait
    2015-02-18 12:41:59 DEBUG worker 2 got signal for new job
    2015-02-18 12:41:59 DEBUG worker 2 processing event 0xa518c0
    2015-02-18 12:41:59 DEBUG PROCESS_EVENT: READ (eventlog)
    2015-02-18 12:41:59 DEBUG im_msvistalog checking for new events...
    2015-02-18 12:41:59 DEBUG im_msvistalog read 0 events
    2015-02-18 12:41:59 DEBUG worker 2 waiting for new event
    2015-02-18 12:41:59 DEBUG new event in event_thread [eventlog:READ]
    2015-02-18 12:41:59 DEBUG future event, event thread sleeping 1000000ms in cond_timedwait
    2015-02-18 12:42:00 DEBUG new event in event_thread [eventlog:READ]
    2015-02-18 12:42:00 DEBUG nx_event_to_jobqueue: READ (eventlog)
    2015-02-18 12:42:00 DEBUG event added to jobqueue
    2015-02-18 12:42:00 DEBUG no events or no future events, event thread sleeping in condwait
    2015-02-18 12:42:00 DEBUG worker 1 got signal for new job
    2015-02-18 12:42:00 DEBUG worker 1 processing event 0xa518f8
    2015-02-18 12:42:00 DEBUG PROCESS_EVENT: READ (eventlog)
    2015-02-18 12:42:00 DEBUG im_msvistalog checking for new events...
    2015-02-18 12:42:00 DEBUG before nx_logqueue_push, size: 0
    2015-02-18 12:42:00 DEBUG nx_event_to_jobqueue: DATA_AVAILABLE (out)
    2015-02-18 12:42:00 DEBUG event added to jobqueue
    2015-02-18 12:42:00 ERROR [im_msvistalog.c:779/im_msvistalog_read()] Couldn't read next event, corrupted eventlog?; The data is invalid.
    2015-02-18 12:42:00 DEBUG worker 1 processing event 0x3f7240
    2015-02-18 12:42:00 DEBUG PROCESS_EVENT: DATA_AVAILABLE (out)
    2015-02-18 12:42:00 DEBUG om_udp_write
    2015-02-18 12:42:00 DEBUG out get_next_logdata: got (queuesize: 0)
    2015-02-18 12:42:00 DEBUG nx_event_to_jobqueue: DATA_AVAILABLE (out)
    2015-02-18 12:42:00 DEBUG event added to jobqueue
    2015-02-18 12:42:00 DEBUG nx_event_to_jobqueue: MODULE_RESUME (eventlog)
    2015-02-18 12:42:00 DEBUG event added to jobqueue
    2015-02-18 12:42:00 DEBUG nx_event_to_jobqueue: MODULE_RESUME (internal)
    2015-02-18 12:42:00 DEBUG event added to jobqueue
    2015-02-18 12:42:00 DEBUG om_udp sent 289 bytes
    2015-02-18 12:42:00 DEBUG before nx_logqueue_pop, size: 1
    2015-02-18 12:42:00 DEBUG out get_next_logdata: got NULL (queuesize: 0)
    2015-02-18 12:42:00 DEBUG nx_event_to_jobqueue: MODULE_RESUME (eventlog)
    2015-02-18 12:42:00 DEBUG nx_event_to_jobqueue: MODULE_RESUME (internal)
    2015-02-18 12:42:00 DEBUG worker 1 processing event 0x3f6af0
    2015-02-18 12:42:00 DEBUG PROCESS_EVENT: MODULE_RESUME (internal)
    2015-02-18 12:42:00 DEBUG RESUME: internal
    2015-02-18 12:42:00 DEBUG module internal already running, skipping resume
    2015-02-18 12:42:00 DEBUG worker 1 processing event 0x3f6ab8
    2015-02-18 12:42:00 DEBUG PROCESS_EVENT: MODULE_RESUME (eventlog)
    2015-02-18 12:42:00 DEBUG RESUME: eventlog
    2015-02-18 12:42:00 DEBUG module eventlog already running, skipping resume
    2015-02-18 12:42:00 DEBUG worker 1 processing event 0xa518d0
    2015-02-18 12:42:00 DEBUG PROCESS_EVENT: DATA_AVAILABLE (out)
    2015-02-18 12:42:00 DEBUG om_udp_write
    2015-02-18 12:42:00 DEBUG out get_next_logdata: got NULL (queuesize: 0)
    2015-02-18 12:42:00 DEBUG nx_event_to_jobqueue: MODULE_RESUME (eventlog)
    2015-02-18 12:42:00 DEBUG event added to jobqueue
    2015-02-18 12:42:00 DEBUG nx_event_to_jobqueue: MODULE_RESUME (internal)
    2015-02-18 12:42:00 DEBUG event added to jobqueue
    2015-02-18 12:42:00 DEBUG worker 1 processing event 0x3f6998
    2015-02-18 12:42:00 DEBUG PROCESS_EVENT: MODULE_RESUME (internal)
    2015-02-18 12:42:00 DEBUG RESUME: internal
    2015-02-18 12:42:00 DEBUG module internal already running, skipping resume
    2015-02-18 12:42:00 DEBUG worker 1 processing event 0x3f7240
    2015-02-18 12:42:00 DEBUG PROCESS_EVENT: MODULE_RESUME (eventlog)
    2015-02-18 12:42:00 DEBUG RESUME: eventlog
    2015-02-18 12:42:00 DEBUG module eventlog already running, skipping resume
    2015-02-18 12:42:00 DEBUG worker 1 waiting for new event
    2015-02-18 12:42:00 DEBUG worker 0 got signal for new job
    2015-02-18 12:42:00 DEBUG worker 0 got no event to process
    2015-02-18 12:42:00 DEBUG worker 0 waiting for new event
    2015-02-18 12:42:00 DEBUG worker 2 got signal for new job
    2015-02-18 12:42:00 DEBUG worker 2 got no event to process
    2015-02-18 12:42:00 DEBUG worker 2 waiting for new event
    2015-02-18 12:42:00 DEBUG no events or no future events, event thread sleeping in condwait
    2015-02-18 12:42:00 DEBUG no events or no future events, event thread sleeping in condwait
    2015-02-18 12:42:00 DEBUG no events or no future events, event thread sleeping in condwait
    2015-02-18 12:42:01 DEBUG no events or no future events, event thread sleeping in condwait
    2015-02-18 12:42:01 DEBUG no events or no future events, event thread sleeping in condwait

    February 18, 2015 - 11:59am
  • adm (NXLog)

    The events that the debug log refers to are internal nxlog events, not events in the EventLog.

    February 18, 2015 - 2:27pm
  • Shai Perednik

    No error after changing to the older module.

    <Input eventlog>
        # Uncomment for Windows Vista/2008 or later
        #Module im_msvistalog

        # Uncomment for Windows 2000 or later
        Module im_mseventlog
    </Input>

    However, I've only received 1 log event so far, so we'll see.

    February 22, 2015 - 3:15am
  • adm (NXLog)

    With the im_mseventlog module on Windows Vista and later it is only possible to collect a subset of the events.

    March 3, 2015 - 9:51am

I had this issue; your input config needs the <QueryList> lines adding. See my example below:

# Monitor Windows event logs
<Input eventlog>
    # Uncomment for Windows Vista/2008 or later
    Module im_msvistalog

    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                        <Select Path="Setup">*</Select>\
                    </Query>\
                </QueryList>

    # Uncomment for Windows 2000 or later
    # Module im_mseventlog
</Input>

Answered February 23, 2015 - 10:59am

Comments (1)

  • mulail

    Does this configuration get specific Windows events?

    Do we have to provide the paths?

    April 20, 2016 - 6:26am

Update:

This is a bug in Windows. See this question.

A workaround will be added. Until that's available, you should explicitly specify the QueryXML in the conf.

Answered May 10, 2016 - 10:58am

Comments (2)

  • jhenderson

    Do you know when the workaround will be added for this? I do a lot of log research and as a result need to pick up all log sources. I'd prefer not having to manually specify all the possible sources, as the list is long and different on workstations and servers.

    June 20, 2016 - 11:13pm
  • adm (NXLog)

    The NXLog EE already has that in nxlog-3.0.1698.msi. Note that the workaround makes it stop at the 255th source when constructing the QueryXML and this will result in some sources getting omitted.

    June 21, 2016 - 9:20am
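Two practical points come out of this thread: adm's suggestion to list explicit sources in the Query and keep adding them until the offending source is found, and the later note that the EE workaround stops at the 255th source and silently omits the rest. The Python below is an added example, not code from this thread or from NXLog. It generates im_msvistalog Input blocks (and the matching Route line) from a channel list, splitting into several Input instances of at most 255 Selects each so that nothing is dropped, and it bisects a channel list against a caller-supplied check instead of adding sources one at a time. Assumptions not stated on the page: the CHANNELS list is constructed, the 255-per-query cap and the ability to run several im_msvistalog instances side by side are taken as given, and works() is a hypothetical callback the reader supplies (on a real host: restart nxlog with that Query and look for the "Couldn't read next event" error in nxlog.log).

```python
"""Generate im_msvistalog <Input> blocks with explicit QueryXML for NXLog.

Added example; not code from this thread or from NXLog itself. Assumptions:
  - CHANNELS is a constructed sample; on a real host use the channels you
    actually want to collect.
  - One query holds at most MAX_SELECTS sources (mirroring the 255-source
    cutoff mentioned in the thread), and several im_msvistalog Input
    instances with disjoint queries can be declared and routed together.
"""
from xml.sax.saxutils import quoteattr

MAX_SELECTS = 255

# Constructed sample list mixing classic and newer-style channel names.
CHANNELS = [
    "Application",
    "System",
    "Security",
    "Setup",
    "Microsoft-Windows-PowerShell/Operational",
    "Microsoft-Windows-TaskScheduler/Operational",
]


def build_query_xml(channels, query_id=0):
    """Return the QueryList XML as a list of lines, one <Select> per channel."""
    if not 0 < len(channels) <= MAX_SELECTS:
        raise ValueError(f"a query takes 1..{MAX_SELECTS} channels")
    lines = ["<QueryList>", f'  <Query Id="{query_id}">']
    # quoteattr() escapes & < > " so an odd channel name cannot break the XML.
    lines += [f"    <Select Path={quoteattr(ch)}>*</Select>" for ch in channels]
    lines += ["  </Query>", "</QueryList>"]
    return lines


def render_query_directive(xml_lines, indent="    "):
    """Lay the XML out as one multi-line NXLog 'Query' directive.

    NXLog continues a directive on the next line when a line ends with a
    backslash, so every line except the last gets one.
    """
    out = []
    for i, line in enumerate(xml_lines):
        head = f"{indent}Query       " if i == 0 else f"{indent}            "
        tail = "\\" if i < len(xml_lines) - 1 else ""
        out.append(f"{head}{line}{tail}")
    return "\n".join(out)


def build_input_blocks(channels, max_selects=MAX_SELECTS, prefix="eventlog"):
    """Split channels into chunks so no single query exceeds max_selects."""
    names, blocks = [], []
    for idx, start in enumerate(range(0, len(channels), max_selects)):
        name = prefix if idx == 0 else f"{prefix}{idx}"
        query = render_query_directive(
            build_query_xml(channels[start:start + max_selects]))
        blocks.append(
            f"<Input {name}>\n    Module      im_msvistalog\n{query}\n</Input>")
        names.append(name)
    return names, blocks


def build_config(channels, output="out", extra_inputs=("internal",)):
    """Return the Input blocks plus a Route that lists every generated input."""
    names, blocks = build_input_blocks(channels)
    path = ", ".join(list(extra_inputs) + names)
    route = f"<Route 1>\n    Path {path} => {output}\n</Route>"
    return "\n\n".join(blocks + [route])


def find_offending_source(channels, works):
    """Binary-search for the one channel that makes a query fail.

    works(subset) is a hypothetical caller-supplied check returning True when
    NXLog reads that subset cleanly. Assumes exactly one bad channel; returns
    None when the full list already works.
    """
    if works(channels):
        return None
    lo, hi = 0, len(channels)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if works(channels[lo:mid]):
            lo = mid          # the left half is clean, so the culprit is right
        else:
            hi = mid          # the culprit is in the left half
    return channels[lo]


if __name__ == "__main__":
    print(build_config(CHANNELS))
```

Running the file prints a ready-to-paste Input/Route fragment for the sample channels; on a host with more than 255 channels of interest the generator emits eventlog, eventlog1, ... and names them all in the Route, which is the part the EE cutoff would otherwise lose.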