I am trying to log DHCP data which lives in the C:\Windows\System32\dhcp directory. I keep getting an error:
2014-06-18 12:11:32.064285 0x00000f58 FLogCollector:213 | Invalid path specification was obtained. Channel [filelog|windowsAuditDHCP] will stay dormant until properly configured.
I assume this is a permissions issue because I do not get the error when pointing to a newly created c:\tmp directory.
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:27 | ConfigureAndStart invoked for collector: FLogCollector
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:52 | Configuring FLogCollector
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:54 | FLogCollector configured
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:61 | Starting FLogCollector
2014-06-18 12:07:29.607531 0x00000ef4 WinLogCollector:203| WinLogCollector thread begin
I tried enabling “Allow service to interact with desktop” in the service, but it did not seem to work. I also attempted logging in as a different user for the service instead of the default of “Local System account”, with no luck. Thanks for any feedback / suggestions!
I ran into some "brittleness" over the weekend. You have to be precise on the headers and the file paths. Could you post your full file log section?
I was trying to set up logging of some random windows files, and these were the links I finally got working:
[filelog|WinMain1]
directory=C:\Windows
include=*.log
[filelog|ctmp]
directory=C:\Temp
include=*.log
[filelog|WinMain2]
directory=C:\Windows\Logs
include=*.log
[filelog|WinMain3]
directory=C:\ProgramData\VMware\Log Insight Agent\log
include=*.log
Key learnings:
Hope this helps.
Here is what I have as far as filelog sections go (I copied and pasted the log directory from Windows Explorer and tried typing it to be sure - I am positive the path is correct):
[filelog|winDHCP]
directory=C:\Windows\System32\dhcp
include=Dhcp*.log
[filelog|winLogInsight]
directory=C:\ProgramData\VMware\Log Insight Agent\log
include=*.log
Here is the error log (note - the log insight logging is working as expected, only the DHCP log is having an issue.):
2014-06-18 13:49:38.632526 0x0000087c <trace> Logger:71 | Agent version 2.0.3.1879692
2014-06-18 13:49:38.632526 0x0000087c <trace> WinService:157 | WinService::Main calling daemon->Start(this=005BED20, dataDir=C:\ProgramData\VMware\Log Insight Agent)
2014-06-18 13:49:38.632526 0x0000087c <trace> AgentDaemon:85 | AgentDaemon start requested. Data directory: "C:\ProgramData\VMware\Log Insight Agent"
2014-06-18 13:49:38.632526 0x0000087c <trace> AgentDaemon:89 | Initializing storage...
2014-06-18 13:49:38.632526 0x0000087c <trace> DbConnection:34 | Opening database file C:\ProgramData\VMware\Log Insight Agent\storage\liagent.db
2014-06-18 13:49:38.632526 0x0000087c <trace> DbConnection:46 | Database "C:\ProgramData\VMware\Log Insight Agent\storage\liagent.db" opened successfully
2014-06-18 13:49:38.632526 0x0000087c <trace> DbStorage:217 | Checking database integrity...
2014-06-18 13:49:38.632526 0x0000087c <trace> DbStorage:255 | Database integrity check done.
2014-06-18 13:49:38.632526 0x0000087c <trace> EventQueue:33 | EventQueue::EventQueue stored event id's: min = 0, max = 0
2014-06-18 13:49:38.632526 0x00000ba8 <trace> WinService:254 | WinService::SetServiceStatus START_PENDING, Win32ExitCode = 0
2014-06-18 13:49:38.632526 0x00000f24 <trace> DbStorage:442 | DbStorage maintenance thread started.
2014-06-18 13:49:38.632526 0x0000087c <trace> AgentDaemon:94 | UID from storage is empty, using machine id: E4463050-AF1F-179A-C3EB-1B19935A85EC
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:77 | Configuration read from: C:\ProgramData\VMware\Log Insight Agent\liagent.ini
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:94 | Configuration hash d41d8cd98f00b204e9800998ecf8427e loaded from DB
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:158 | Read config param logging.debug_level = 0
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:158 | Read config param storage.max_disk_buffer = 200
2014-06-18 13:49:38.648126 0x0000087c <trace> DbConnection:115 | Setting SQLite cache_size = 2868224 bytes
2014-06-18 13:49:38.648126 0x0000087c <trace> AgentDaemon:108 | Initializing transport...
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:192 | Read config param server.proto = cfapi
2014-06-18 13:49:38.648126 0x0000087c <trace> AgentDaemon:170 | Creating cfapi transport
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:192 | Read config param server.hostname = xxxxxxxx
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:158 | Read config param server.port = xxxx
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:158 | Read config param server.reconnect = 30
2014-06-18 13:49:38.648126 0x0000087c <trace> AgentDaemon:113 | Starting collectors...
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:27 | ConfigureAndStart invoked for collector: WinLogCollector
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:52 | Configuring WinLogCollector
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:54 | WinLogCollector configured
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:61 | Starting WinLogCollector
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:64 | WinLogCollector started
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:27 | ConfigureAndStart invoked for collector: FLogCollector
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:52 | Configuring FLogCollector
2014-06-18 13:49:38.648126 0x0000087c <error> FLogCollector:213 | Invalid path specification was obtained. Channel [filelog|winDHCP] will stay dormant until properly configured.
2014-06-18 13:49:38.648126 0x00000c2c <trace> WinLogCollector:203| WinLogCollector thread begin
2014-06-18 13:49:38.648126 0x00000c2c <trace> WinLogSession:203 | Subscribed to channel <Application> with query <*>
2014-06-18 13:49:38.648126 0x00000c2c <trace> WinLogSession:203 | Subscribed to channel <Security> with query <*>
2014-06-18 13:49:38.663726 0x00000c2c <trace> WinLogSession:203 | Subscribed to channel <System> with query <*>
2014-06-18 13:49:38.694927 0x0000087c <trace> EventCollector:54 | FLogCollector configured
2014-06-18 13:49:38.694927 0x0000087c <trace> EventCollector:61 | Starting FLogCollector
2014-06-18 13:49:38.694927 0x0000087c <trace> FLogCollector:242 | Subscribed to channel [winLogInsight].
2014-06-18 13:49:38.694927 0x0000087c <trace> EventCollector:64 | FLogCollector started
2014-06-18 13:49:38.694927 0x0000087c <trace> AgentDaemon:118 | Collectors started. Starting transport...
2014-06-18 13:49:38.694927 0x0000087c <trace> AgentDaemon:124 | AgentDaemon started successfully
2014-06-18 13:49:38.694927 0x0000087c <trace> WinService:254 | WinService::SetServiceStatus RUNNING, Win32ExitCode = 0
2014-06-18 13:49:38.694927 0x000005fc <trace> CFApiTransport:313 | Connecting to server...
2014-06-18 13:49:38.694927 0x00000dec <trace> AgentDaemon:207 | Reconfiguration thread started
2014-06-18 13:49:38.710527 0x000005fc <trace> CFApiTransport:330 | Connection successfully established
Can you open a support request for this one as well? Tigran should respond to this post when he is online, but want to ensure we track this. Let me know the SR #.
This is sort of a limitation of the LogInsight agent: since it's a 32-bit application, every access to '%windir%\System32\<some_folder>' is redirected to '%windir%\SysWOW64\<some_folder>'. We'll be trying to tackle this issue in future versions.
As a workaround, if you could make the DHCP server put its logs outside of '%windir%\System32', that would fix the issue.
Changing the log file location fixed the issue. Thanks for the solution!
Great, can you please mark this question as answered?
Try C:\Windows\dhcp instead of C:\Windows\System32\dhcp for the directory and restart the agent.
There's a better approach, which we're going to document appropriately -- for 32-bit applications there's a special alias referring to 'C:\Windows\System32': 'C:\Windows\Sysnative'. So, whenever you need to collect logs out of 'C:\Windows\System32', feel free to use that alias. In our particular case (with MS DHCP) the correct path in the configuration would be:
directory=C:\Windows\Sysnative\dhcp
Check out the following MSDN page for more information:
Looks like this is broken in 3.6, raising an SR
[filelog|win2012_WindowsDNS]
directory=c:\Windows\Sysnative\dns\dns.log
Error in log file
Fialed to initialize channel [filelog.com.microsoft.active-directory.win2012_WindowsDNS] because of improper configuration. Invalid path specification in the 'directory' key.
I was wrong, the AD content pack is broken. It should be:
[filelog|win2012_WindowsDNS]
directory=c:\Windows\Sysnative\dns\
include=dns.log
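The two configuration mistakes seen in this thread (a `directory` under System32 read by a 32-bit agent, and a `directory` that names a file instead of a folder) both leave a channel dormant, so the logs never reach the server. The following is an added example, not part of the thread and not VMware code: a small offline linter for `[filelog|...]` sections. The function name `lint_filelog`, the default `windir` value and the file-name heuristic are assumptions made for illustration.

```python
import configparser
import ntpath

# Constructed sample liagent.ini built from the sections posted in this thread.
SAMPLE_INI = r"""
[filelog|winDHCP]
directory=C:\Windows\System32\dhcp
include=Dhcp*.log

[filelog|win2012_WindowsDNS]
directory=c:\Windows\Sysnative\dns\dns.log

[filelog|winLogInsight]
directory=C:\ProgramData\VMware\Log Insight Agent\log
include=*.log
"""

def lint_filelog(ini_text, windir=r"C:\Windows"):
    """Return {section: [findings]} for filelog sections a 32-bit agent cannot read as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    sys32 = ntpath.normcase(ntpath.join(windir, "System32"))
    findings = {}
    for section in cp.sections():
        if not section.startswith("filelog|"):
            continue
        issues = []
        path = ntpath.normpath(cp.get(section, "directory", fallback=""))
        folded = ntpath.normcase(path)  # Windows paths compare case-insensitively
        if folded == sys32 or folded.startswith(sys32 + "\\"):
            fixed = ntpath.join(windir, "Sysnative") + path[len(sys32):]
            issues.append("WOW64 redirects System32 to SysWOW64; use " + fixed)
        # Heuristic (assumption): a last component with an extension is a file name.
        head, tail = ntpath.split(path)
        if ntpath.splitext(tail)[1]:
            issues.append("directory names a file; use directory=%s and include=%s" % (head, tail))
        if issues:
            findings[section] = issues
    return findings

if __name__ == "__main__":
    for name, issues in lint_filelog(SAMPLE_INI).items():
        for issue in issues:
            print("[%s] %s" % (name, issue))
```

The check does not expand `%windir%` or other environment variables; pass the real Windows directory as `windir` if it is not `C:\Windows`.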