Report a bug of winlogbeat-5.0.0-alpha1-windows-32


#1

@andrewkroh
Hi Andrew,
I ran winlogbeat-5.0.0-alpha1-windows-32 on Windows Server 2003 R2 SP2 32-bit and encountered some errors;
I need your verification. Thanks.


#2

@andrewkroh
C:\ProgramData\winlogbeat\Logs\winlogbeat shows:

2016-04-16T13:42:13+08:00 INFO GeoIP disabled: No paths were set under shipper.geoip.paths
2016-04-16T13:42:13+08:00 INFO Max Retries set to: 3
2016-04-16T13:42:13+08:00 INFO Activated logstash as output plugin.
2016-04-16T13:42:13+08:00 INFO Publisher name: CNKUSEFMAP05
2016-04-16T13:42:13+08:00 INFO Flush Interval set to: 1s
2016-04-16T13:42:13+08:00 INFO Max Bulk Size set to: 2048
2016-04-16T13:42:13+08:00 INFO Init Beat: winlogbeat; Version: 5.0.0-nightly2bfc1c4
2016-04-16T13:42:13+08:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat.winlogbeat.yml
2016-04-16T13:42:13+08:00 INFO winlogbeat sucessfully setup. Start running.
2016-04-16T13:42:13+08:00 INFO EventLogging[Application] contains 10501 records. Record number range [318738, 329238]. Starting at 325361 (ignoringFirst=true)
2016-04-16T13:42:13+08:00 INFO EventLogging[System] contains 88678 records. Record number range [111738, 200415]. Starting at 127631 (ignoringFirst=true)
2016-04-16T13:42:13+08:00 INFO EventLogging[Security] contains 61307 records. Record number range [379144167, 379205473]. Starting at 379144167 (ignoringFirst=false)
2016-04-16T13:42:13+08:00 INFO EventLog[Application] Successfully published 0 events

But I also found a workaround: clear all the event logs (Application, Security, System), and then winlogbeat starts. :grinning:

Is it that too many logs exceed the Max Bulk Size of winlogbeat? (Just my guess based on the above log; I need your analysis.)


(Andrew Kroh) #3

Thanks for reporting it. I think the issue is that it was trying to read an event log record with a larger than usual message size. And this exposes an issue with the buffer sizing. It is not related to max bulk size.

I will write up a test case to confirm my suspicion next week and get back to you.


#4

I also have this issue (it's why I tried to filter by eventID).
Here are the last couple of DBG lines from -e -d "*" and the panic lines. I hope it helps.

DBG  messageFilesCache[ForwardedEvents] size=8
DBG  WinEventLog[ForwardedEvents] Closing handle
panic: runtime error: slice bounds out of range

goroutine 41 [running]:
panic(0x9cca80, 0xc082002030)
        /usr/local/go/src/runtime/panic.go:464 +0x3f4
github.com/elastic/beats/winlogbeat/sys/wineventlog.RenderEventNoMessage(0x1000053, 0xc08228c000, 0x4000, 0x4000, 0x0, 0x0, 0x0, 0x0)
        /go/src/github.com/elastic/beats/winlogbeat/sys/wineventlog/wineventlog_windows.go:203 +0x269
github.com/elastic/beats/winlogbeat/sys/wineventlog.RenderEvent(0x1000053, 0xc000000000, 0xc08228c000, 0x4000, 0x4000, 0xc0822b73c8, 0x0, 0x0, 0x0, 0x0)
        /go/src/github.com/elastic/beats/winlogbeat/sys/wineventlog/wineventlog_windows.go:184 +0x2ee
github.com/elastic/beats/winlogbeat/eventlog.(*winEventLog).Read(0xc08225dc20, 0x0, 0x0, 0x0, 0x0, 0x0)
        /go/src/github.com/elastic/beats/winlogbeat/eventlog/wineventlog.go:134 +0x731
github.com/elastic/beats/winlogbeat/beater.(*Winlogbeat).processEventLog(0xc08200ce60, 0xc08228a200, 0x28abe8, 0xc08225dc20, 0xc082208620, 0xf, 0x3e94aa, 0xeceb046b9, 0xe3124a0a0, 0xda11c0)
        /go/src/github.com/elastic/beats/winlogbeat/beater/winlogbeat.go:214 +0x407
created by github.com/elastic/beats/winlogbeat/beater.(*Winlogbeat).Run
        /go/src/github.com/elastic/beats/winlogbeat/beater/winlogbeat.go:151 +0x383

(Andrew Kroh) #5

@tuankun I opened a pull request to address the bug you found. https://github.com/elastic/beats/pull/1498

@Alreanaes Thanks for reporting the issue. It looks like it's probably a similar bug, but in the code for the newer Windows event log API. I'll work on a test case to reproduce it and keep you updated here. UPDATE: I opened a PR for this issue too: https://github.com/elastic/beats/pull/1499
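Added example (not winlogbeat's own code) modelling the buffer-sizing failure Andrew describes in #3: a stand-in for a Win32 render call that reports the size it needed together with an insufficient-buffer error, read once by slicing on the reported size (the pattern that panics with "slice bounds out of range") and once with the size check and retry a reader should have. `renderEvent` and `errInsufficientBuffer` are assumptions; the 0x4000 buffer size comes from the stack trace in #4.

```go
package main

import (
	"errors"
	"fmt"
)

// errInsufficientBuffer mimics Win32 ERROR_INSUFFICIENT_BUFFER: the call
// fails but still reports how many bytes it would have needed.
var errInsufficientBuffer = errors.New("insufficient buffer")

// renderEvent is a hypothetical stand-in for a Win32 render call. It copies
// msg into buf and reports the required size even when msg does not fit.
func renderEvent(msg []byte, buf []byte) (bufferUsed int, err error) {
	if len(msg) > len(buf) {
		return len(msg), errInsufficientBuffer
	}
	copy(buf, msg)
	return len(msg), nil
}

// readUnchecked trusts the reported size without checking the error or
// comparing it to len(buf): a record larger than buf panics.
func readUnchecked(msg []byte, buf []byte) []byte {
	bufferUsed, _ := renderEvent(msg, buf)
	return buf[:bufferUsed]
}

// readChecked retries once with a buffer of the required size and never
// slices past len(buf).
func readChecked(msg []byte, buf []byte) ([]byte, error) {
	bufferUsed, err := renderEvent(msg, buf)
	if errors.Is(err, errInsufficientBuffer) {
		buf = make([]byte, bufferUsed)
		bufferUsed, err = renderEvent(msg, buf)
	}
	if err != nil {
		return nil, err
	}
	if bufferUsed > len(buf) {
		return nil, fmt.Errorf("render reported %d bytes for %d-byte buffer", bufferUsed, len(buf))
	}
	return buf[:bufferUsed], nil
}

func main() {
	// Constructed record larger than the 0x4000 buffer seen in the trace.
	big := make([]byte, 0x5000)
	out, err := readChecked(big, make([]byte, 0x4000))
	fmt.Println(len(out), err)
}
```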


(system) #6

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.