NXlog-CE-3.0.2272 and Microsoft-Windows-PrintService


#1 vm_grrl

I've configured NXlog to send printing events from our Windows 2012R2 print server to our Nagios LS instance. **Except** for the following issue, it works well.

The issue is - when a filename contains a "%" sign, I receive a _grokparsefailure in Nagios. That led me to NXLog-CE and how it (and its modules) read/parse the data from the Microsoft Windows PrintService Event Log. I enabled troubleshooting by means of debug AND outputting the $raw_event to a text file.

Is there a way I can get this document name from the Windows Event Viewer into Nagios via NXlog-CE? This issue looks similar to this thread, which says the problem is with the provider: https://nxlog.co/question/2362/problem-windows-event

DEBUG OUTPUT:

{"EventTime":"2022-02-11 10:38:48","Hostname":"xxx.yyy.zzz","Keywords":4611686018427390016,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":307,"SourceName":"Microsoft-Windows-PrintService","ProviderGuid":"{xxxxxxx}","Version":0,"Task":26,"OpcodeValue":11,"RecordNumber":2136143,"ProcessID":4764,"ThreadID":6728,"Channel":"Microsoft-Windows-PrintService/Operational","Domain":"XXXX","AccountName":"QQQQ","UserID":"SID-aaa-bbb-ccc","AccountType":"User",**"ERROR_EVT_UNRESOLVED":true**,"Category":"Printing a document","Opcode":"Spooler Operation Succeeded","EventReceivedTime":"2022-02-11 10:38:50","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":null}

$raw_event OUTPUT:

2022-02-11 10:38:48 xxx.yyy.zzz INFO 307 XXXX\QQQQ[The description for EventID 307 from source Microsoft-Windows-PrintService cannot be found: **The substitution string for insert index (%1) could not be found**.  ]

CONFIG:

define ROOT C:\Program Files\nxlog
define CERT %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# JSON serialisation used by to_json() in the output below
<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

# NXLog's own internal messages
<Input internal>
    Module      im_internal
</Input>

# Windows Event Log reader: System (Srv errors/warnings), PrintService Admin
# (errors/warnings) and the full PrintService Operational channel
<Input eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="System">*[System[Provider[@Name='Srv'] and (Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Microsoft-Windows-PrintService/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Microsoft-Windows-PrintService/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Ship each event as one JSON line over TCP to Nagios Log Server
<Output out>
    Module      om_tcp
    Host        qqq.yyy.zzz
    Port        1234

    # Rename the $Message field to lower-case "message" before serialising
    Exec        $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec        $raw_event = to_json();
</Output>

# Note: "file1" is referenced here but no module named file1 appears in the config as posted
<Route 1>
    Path        internal, file1, eventlog => out
</Route>
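The debug output above shows that when the event cannot be resolved, NXLog sets `ERROR_EVT_UNRESOLVED` to true and ships `"message":null`, so whatever grok pattern runs on the receiving side has nothing to match and tags the record `_grokparsefailure`. The `%` in the document name is not breaking the receiver's parser; the message text never arrives. The following is an added example, not part of the original post or of NXLog, of a small receiver-side parser that reads the JSON lines `om_tcp` emits, separates unresolved records (so they can be counted and investigated by `RecordNumber` instead of failing) from resolved ones, and extracts the print-job fields from resolved 307 messages with a regex that is indifferent to `%` in the document name. The sample records are constructed, and the wording of the resolved EventID 307 message is an assumption about the Windows PrintService template, not text quoted from the page.

```python
import json
import re
from typing import Optional

# Constructed sample records in the shape NXLog's om_tcp output takes after
# `Exec $raw_event = to_json();`, trimmed to the fields this example reads.
# The resolved 307 message text is an assumed rendering of the PrintService
# template (hypothetical), chosen to look like real output.
SAMPLE_LINES = [
    '{"EventID":307,"SourceName":"Microsoft-Windows-PrintService","RecordNumber":2136141,'
    '"ERROR_EVT_UNRESOLVED":false,"message":"Document 41, Q1 report.pdf owned by alice on '
    'WS01 was printed on HPLJ4 through port IP_10.0.0.5. Size in bytes: 12345. '
    'Pages printed: 3. No user action is required."}',
    # The failure mode from the post: template not resolved, message is null.
    '{"EventID":307,"SourceName":"Microsoft-Windows-PrintService","RecordNumber":2136143,'
    '"ERROR_EVT_UNRESOLVED":true,"message":null}',
    # A resolved message whose document name contains "%" and a comma.
    '{"EventID":307,"SourceName":"Microsoft-Windows-PrintService","RecordNumber":2136144,'
    '"ERROR_EVT_UNRESOLVED":false,"message":"Document 43, 100% complete, final.docx owned by bob on '
    'WS02 was printed on HPLJ4 through port IP_10.0.0.5. Size in bytes: 98765. '
    'Pages printed: 12. No user action is required."}',
]

# Field order assumed for the 307 message: job id, document, owner, client,
# printer, port, byte count, page count. Lazy quantifiers let the document
# and owner contain spaces, commas or "%" without confusing the match.
JOB_RE = re.compile(
    r"^Document (?P<job>\d+), (?P<document>.+?) owned by (?P<owner>.+?) on (?P<client>\S+) "
    r"was printed on (?P<printer>.+?) through port (?P<port>\S+)\. "
    r"Size in bytes: (?P<bytes>\d+)\. Pages printed: (?P<pages>\d+)\."
)


def parse_record(line: str) -> dict:
    """One om_tcp line is one JSON object."""
    return json.loads(line)


def is_unresolved(rec: dict) -> bool:
    """True when NXLog could not expand the event's message template."""
    return bool(rec.get("ERROR_EVT_UNRESOLVED")) or rec.get("message") is None


def extract_print_job(message: str) -> Optional[dict]:
    """Pull the job fields out of a resolved 307 message, or None if it does not match."""
    m = JOB_RE.match(message)
    if not m:
        return None
    job = m.groupdict()
    for key in ("job", "bytes", "pages"):
        job[key] = int(job[key])
    return job


def process(lines) -> dict:
    """Route records into parsed jobs, unresolved events and genuine parse failures."""
    jobs, unresolved, failed = [], [], []
    for line in lines:
        rec = parse_record(line)
        if is_unresolved(rec):
            # Keep the record number so the event can be looked up in Event Viewer.
            unresolved.append(rec["RecordNumber"])
            continue
        job = extract_print_job(rec["message"])
        if job is None:
            failed.append(rec["RecordNumber"])
        else:
            jobs.append({"record": rec["RecordNumber"], **job})
    return {"jobs": jobs, "unresolved": unresolved, "parse_failed": failed}


if __name__ == "__main__":
    result = process(SAMPLE_LINES)
    for job in result["jobs"]:
        print(f"record {job['record']}: {job['document']!r} by {job['owner']} ({job['pages']} pages)")
    print("unresolved records:", result["unresolved"])
    print("parse failures:", result["parse_failed"])
```

Running it prints both resolved jobs, including the one with `100% complete, final.docx`, and lists record 2136143 under unresolved rather than as a parse failure; the unresolved count is the number worth alerting on, since those events reached the collector without their document name.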