read_from_head does not work

Question

read_from_head does not work

parishs73 opened this issue 5 years ago · 10 comments

I have been trying to set this up on Windows 2016. when this is set, the agent starts and it doesn't send the logs, but it also doesn't 'stamp' the pos file with its log positions. when the agent is restarted it then sends all of the logs from the the start

Any ideas why this is?

Answer 1 · 2020-02-10T12:19:33.000Z

Could you tell which is your using windows EventLog plugin, in_windows_eventlog or in_windows_eventlog 2?

Answer 2 · 2020-02-10T13:04:49.000Z

<source>
  @type windows_eventlog2
  @id Solarwinds_eventlog2
  channels ["SolarWinds.Net","SWI Logs"]
  tag Solarwinds.winevt
  parse_description true
  <storage>
    @type local
    persistent false
    path C:\opt\td-agent\sw.pos2
  </storage>
</source>

Answer 3 · 2020-02-10T13:13:39.000Z

The storage.json file just contains:
{"swi logs":"\r\n","solarwinds.net":"\r\n"}

Answer 4 · 2020-02-10T13:39:06.000Z

persistent false should be no position stored.
To store EventLog positions, we should use persistent as true.

Answer 5 · 2020-02-10T13:57:13.000Z

Set that, deleted the storage.json and it is still not showing positions in it. Does there need to be something actively written to the log within a set time period?

Answer 6 · 2020-02-11T01:19:12.000Z

read_from_head requests long time to consume and write read positions. What the version do you use in_windows_eventlog2?

Answer 7 · 2020-02-11T09:18:22.000Z

the windows-eventlog plugin is 0.4.5, is that what you are meaning?

Answer 8 · 2020-02-12T02:24:31.000Z

read_from_head true and render_as_xml true(default value) will cause CPU usage spike and slow operation.
It takes long time to create valid bookmark stamp.

Answer 9 · 2020-02-12T08:32:50.000Z

I don't have render_as_xml set so it should default to true

Answer 10 · 2020-02-13T01:46:59.000Z

Hmm..., could you try to set render_as_xml as true?
The default value of render_as_xml should be true and this configuration is forcibly to use Ruby XML parser(nokogiri).
If render_as_xml is set up as false, the dependent gem try to map EventLog data to Ruby Hash object directly.
Ruby XML parser implementation, which is using nokogiri, is slower than direct Ruby Hash object mapping.

NOTE: When render_as_xml as false, the dependent winevt_c gem renders Windows EventLog as Ruby Hash object directly. This reduces bottleneck to consume EventLog. Specifying render_as_xml as false should be faster consuming than render_as_xml as true case.