_jsonparsefailure windows eventlog

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
Locked
alexviso
Posts: 4
Joined: Fri Mar 17, 2017 3:33 am

_jsonparsefailure windows eventlog

Post by alexviso »

Good day,

I recently started using Nagios; please advise.
In the dashboard I see many messages coming from a server running Windows.

How can I overcome this?

nxlog.conf on the Windows server is configured by default.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: _jsonparsefailure windows eventlog

Post by mcapra »

Can you share the nxlog configuration from the Windows machine?

Can you also share a system profile from the Nagios Log Server machine? From the Nagios Log Server GUI, you can gather a profile via Administration -> System Status -> Download System Profile.

Having the latest Logstash log may also be helpful. If you can share it, it's located in /var/log/logstash/logstash.log.
Former Nagios employee
https://www.mcapra.com/
alexviso
Posts: 4
Joined: Fri Mar 17, 2017 3:33 am

Re: _jsonparsefailure windows eventlog

Post by alexviso »

Hello

Below is the config from the Windows host. It's the default.

Code:

## See the nxlog reference manual at 
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
 
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>
 
<Extension json>
    Module      xm_json
</Extension>
 
<Extension syslog>
    Module xm_syslog
</Extension>
 
<Input internal>
    Module im_internal
</Input>
 
# Watch your own files
<Input file1>
    Module   im_file
    File     '%ROOT%\data\nxlog.log'
    SavePos  TRUE
    Exec     $Message = $raw_event;
</Input>
 
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
</Input>

<Output out>
    Module om_tcp
    Host zalogg-srv.zim-service.ru
    Port 3515
	
    Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec  $raw_event = to_json();
	
	# Uncomment for debug output
	# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
 
<Route 1>
    Path internal, file1, eventlog => out
</Route>

In the Logstash log file I see many messages "Received an event that has a different character encoding than you configured"

In /usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf

Code:

tcp {
    type => 'eventlog'
    port => 3515
    codec => json {
        charset => 'CP1252'
    }
}

What encoding should I use to make the eventlog come in correctly?

PS
Today my head does not work =(
Thank you very much for helping me.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: _jsonparsefailure windows eventlog

Post by mcapra »

alexviso wrote: What encoding should I use to make the eventlog come in correctly?
Logstash should use whatever the current codepage is on your Windows machine. For example, my Server 2012 machine is using 437:
I would definitely update the Logstash input rule to match the code page of the machine (especially if the machine's language is non-English). For example, since my machine is using 437:

Code:

tcp {
    type => 'eventlog'
    port => 3515
    codec => json {
        charset => 'CP437'
    }
}
Former Nagios employee
https://www.mcapra.com/
alexviso
Posts: 4
Joined: Fri Mar 17, 2017 3:33 am

Re: _jsonparsefailure windows eventlog

Post by alexviso »

Hello.

Code page on Windows host - CP866

When I change the eventlog input rule in the Nagios web GUI and apply it, it has no effect.

Looking in the nxlog reference manual, I found how to convert the eventlog to syslog-encapsulated JSON; now some messages are coming in without the _jsonparsefailure error. However, the message itself is unreadable.
The other part of the message is still _jsonparsefailure.

In the picture above, the same text is marked with a red square. The online encoder suggests that the original message uses Windows1251, and that it is readable as UTF-8 with the post-filter x-esc-entities.

Two questions immediately arose.

Why are different encodings used in one message? Although this may be a question for Windows.

and
Is it possible to receive eventlog messages without json encapsulation?

PS
In /var/log/logstash.log there are many "Received an event that has a different character encoding than you configured"
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: _jsonparsefailure windows eventlog

Post by mcapra »

alexviso wrote: Why are different encodings used in one message? Although this may be a question for Windows.
It's hard to say. We didn't write nxlog and my knowledge of how it handles encoding is limited. I've dealt with French systems before, and setting the proper code page in the Logstash input rule typically works around the issue. Unsure if that's also applicable to other languages.
alexviso wrote: Is it possible to receive eventlog messages without json encapsulation?
Yup, you can do that in the nxlog configuration. Our default nxlog configurations we provide in the Nagios Log Server GUI include this line in the output rule:

Code:

Exec  $raw_event = to_json();

You can remove that line to remove the json conversion in your output rule.
Former Nagios employee
https://www.mcapra.com/
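
The two symptoms reported in this thread (a parse failure, or a message that parses but is unreadable) and the effect of matching the charset to the sender's code page, reproduced in Python as an added example; it is not code from the posters, nxlog or Logstash. The sample event, the helper names and the candidate charset list are constructed for illustration.

```python
import json

# Constructed sample event (not taken from the thread): Cyrillic text as a
# Russian-language Windows host would log it.
EVENT = {"EventID": 4624, "message": "Вход в систему выполнен успешно"}
CANDIDATES = ("utf-8", "cp866", "cp1251", "cp1252", "cp437")


def to_wire(event: dict, charset: str) -> bytes:
    """Serialize to JSON and encode in the sender's code page (hypothetical helper)."""
    return json.dumps(event, ensure_ascii=False).encode(charset)


def parse_as(wire: bytes, charset: str):
    """Decode with the receiver's configured charset; None models a parse failure."""
    try:
        return json.loads(wire.decode(charset))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


def russian_score(text: str) -> float:
    """Share of non-ASCII characters that are basic Russian letters (U+0410-U+044F)."""
    high = [c for c in text if ord(c) > 127]
    return sum("\u0410" <= c <= "\u044f" for c in high) / len(high) if high else 0.0


def diagnose(wire: bytes) -> dict:
    """Map each candidate charset to (decoded message or None, readability score)."""
    report = {}
    for charset in CANDIDATES:
        doc = parse_as(wire, charset)
        msg = doc["message"] if doc else None
        report[charset] = (msg, russian_score(msg) if msg else 0.0)
    return report


def best_charset(wire: bytes) -> str:
    """Pick the candidate whose decoded message looks most like Russian text."""
    report = diagnose(wire)
    return max(report, key=lambda cs: report[cs][1])


if __name__ == "__main__":
    wire = to_wire(EVENT, "cp866")
    for charset, (msg, score) in diagnose(wire).items():
        print(f"{charset:7} score={score:.2f} message={msg!r}")
    print("best match:", best_charset(wire))
```

Running the script against a captured payload from the sending host, instead of the constructed one, shows which `charset` value yields readable text before the input rule is changed.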