
read_from_head does not work #39

Open
parishs73 opened this issue Feb 10, 2020 · 10 comments
Labels
in_windows_eventlog2(new) For new in_windows_eventlog2 plugin issue

Comments

@parishs73

I have been trying to set this up on Windows 2016. When this is set, the agent starts and it doesn't send the logs, but it also doesn't 'stamp' the pos file with its log positions. When the agent is restarted it then sends all of the logs from the start.

Any ideas why this is?

@cosmo0920
Contributor

cosmo0920 commented Feb 10, 2020

Could you tell me which Windows EventLog plugin you are using, in_windows_eventlog or in_windows_eventlog2?

@parishs73
Author

parishs73 commented Feb 10, 2020

<source>
  @type windows_eventlog2
  @id Solarwinds_eventlog2
  channels ["SolarWinds.Net","SWI Logs"]
  tag Solarwinds.winevt
  parse_description true
  <storage>
    @type local
    persistent false
    path C:\opt\td-agent\sw.pos2
  </storage>
</source>

@parishs73
Author

The storage.json file just contains:
{"swi logs":"\r\n","solarwinds.net":"\r\n"}

@cosmo0920
Contributor

persistent false means no position is stored.
To store EventLog positions, we should set persistent to true.

@parishs73
Author

Set that, deleted the storage.json, and it is still not showing positions in it. Does there need to be something actively written to the log within a set time period?

@cosmo0920
Contributor

read_from_head takes a long time to consume and write read positions. Which version of in_windows_eventlog2 do you use?

@parishs73
Author

The windows-eventlog plugin is 0.4.5, is that what you mean?

@cosmo0920
Contributor

cosmo0920 commented Feb 12, 2020

read_from_head true and render_as_xml true (the default value) will cause a CPU usage spike and slow operation.
It takes a long time to create a valid bookmark stamp.

@parishs73
Author

parishs73 commented Feb 12, 2020

I don't have render_as_xml set, so it should default to true.

@cosmo0920
Contributor

Hmm..., could you try setting render_as_xml to true?
The default value of render_as_xml should be true, and this configuration forcibly uses the Ruby XML parser (nokogiri).
If render_as_xml is set to false, the dependent gem tries to map EventLog data to a Ruby Hash object directly.
The Ruby XML parser implementation, which uses nokogiri, is slower than direct Ruby Hash object mapping.

NOTE: When render_as_xml is false, the dependent winevt_c gem renders Windows EventLog as a Ruby Hash object directly. This reduces the bottleneck in consuming EventLog. Specifying render_as_xml as false should consume faster than the render_as_xml true case.
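As an added example (not part of the thread or the plugin's own documentation), the reporter's posted source with the two settings discussed in this thread changed: persistent true so the bookmark is actually written to the pos file, and render_as_xml false so winevt_c maps events to a Hash directly instead of going through nokogiri. read_from_head true is assumed here because it is not visible in the posted config; the channel names and path are the reporter's own.

```conf
# Reporter's source as posted, with the settings discussed in this thread applied.
# Added example, not the project's own documentation.
<source>
  @type windows_eventlog2
  @id Solarwinds_eventlog2
  channels ["SolarWinds.Net","SWI Logs"]
  tag Solarwinds.winevt
  parse_description true
  # Assumed: start from the oldest record in each channel on first run. This is
  # the setting the issue is about; it does not appear in the posted config.
  read_from_head true
  # Let the winevt_c gem map events to a Ruby Hash directly instead of rendering
  # XML and parsing it with nokogiri (the slow path described in the comment above).
  render_as_xml false
  <storage>
    @type local
    # persistent false (as originally posted) never writes a bookmark, so every
    # agent restart re-reads the whole channel from the head and re-sends events
    # that were already delivered; persistent true is required for positions
    # to be stored in the pos file.
    persistent true
    path C:\opt\td-agent\sw.pos2
  </storage>
</source>
```

Per the comments above, the bookmark is only written once the initial head-to-tail read completes, so on a large channel expect a delay before positions appear in the pos file.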

@cosmo0920 cosmo0920 added the in_windows_eventlog2(new) For new in_windows_eventlog2 plugin issue label Jun 2, 2020