3
responses

Having a reoccurring problem where I get the following error and my output file quits updating for a few minutes then picks back up again. As a side note, I was having a problem with the eventlog because of an entry that was being written that had an object serialized as xml in the message. That is the exclusion in my application log. Since then, the event log has been working flawlessly.

I found a similar post except that in my instance I have already use a more specific filter.

http://nxlog.org/question/531/iis-log-bad-characters-causes-nxlog-crash-...

Log 2015-03-06 13:10:32 INFO nxlog-ce-2.8.1248 started 2015-03-06 13:14:07 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''

2015-03-06 13:28:30 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''

2015-03-06 13:50:07 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''

2015-03-06 14:07:39 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''

Line 70 refers to the closing bracket in
<Input default_iis_in>
 Module im_file
 File "D:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
    ReadFromLast TRUE
    Exec if $raw_event=~/^#/ drop();                         \
   else                                                \
   {                                                   \
    w3c->parse_csv();                               \
    $EventTime = parsedate($date + " " + $time);    \
   }
</Input>

Full config

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension w3c>
    Module      xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs(User-Agent), $cs(Referer), $sc-status, $sc-substatus, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken
    FieldTypes  string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter ' '
    QuoteChar   '"'
    EscapeControl FALSE
    UndefValue  -
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension fileop>
    Module      xm_fileop

    <Schedule>
        Every   10 min
        Exec    file_truncate("evt.json");
    </Schedule>

    <Schedule>
        Every   10 min
        Exec    file_truncate("iis-default.json");
    </Schedule>

</Extension>

<Input evt_in>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>   \
                    </Query>\
                </QueryList>
    ReadFromLast TRUE
    Exec        if $SourceName=~/TfsDeployer/ drop();           \
                else                                            \
                {                                               \
                    to_json();                                  \
                }
</Input>

<Input default_iis_in>
 Module im_file
 File "D:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
    ReadFromLast TRUE
    Exec if $raw_event=~/^#/ drop();                         \
   else                                                \
   {                                                   \
    w3c->parse_csv();                               \
    $EventTime = parsedate($date + " " + $time);    \
   }
</Input>

<Output evt_out>
    Module om_file
    File "evt.json"
</Output>

<Output default_iis_out>
    Module om_file
    Exec $raw_event = to_json();
    File "iis-default.json"
</Output>

<Route 1>
    Path        evt_in => evt_out
</Route>

<Route 2>
    Path default_iis_in => default_iis_out
</Route>

 

Any help would be appreciated. Thank you.

AskedMarch 6, 2015 - 8:23pm

Comments (1)

  • cwigley's picture

    After watching this a little more closely the error seems to happen when the output file gets truncated. Is there perhaps a better way of managing this file? My only need is for it not to grow indefinitely.

Answer (1)