VMware Cloud Community
pboguszewski
Enthusiast

Windows Agent filelog question

I am trying to log DHCP data which lives in the C:\Windows\System32\dhcp directory. I keep getting an error:

2014-06-18 12:11:32.064285 0x00000f58 FLogCollector:213 | Invalid path specification was obtained. Channel [filelog|windowsAuditDHCP] will stay dormant until properly configured.

I assume this is a permissions issue because I do not get the error when pointing to a newly created c:\tmp directory.

2014-06-18 12:07:29.607531 0x00000a4c EventCollector:27 | ConfigureAndStart invoked for collector: FLogCollector
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:52 | Configuring FLogCollector
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:54 | FLogCollector configured
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:61 | Starting FLogCollector
2014-06-18 12:07:29.607531 0x00000ef4 WinLogCollector:203| WinLogCollector thread begin

I tried enabling “Allow service to interact with desktop” in the service, but it did not seem to work. I also attempted logging in as a different user for the service instead of the default of “Local System account”, with no luck. Thanks for any feedback / suggestions!


Accepted Solutions
admin
Immortal

This is sort of a limitation of the LogInsight agent: since it is a 32-bit application, every access to '%windir%\System32\<some_folder>' is redirected to '%windir%\SysWOW64\<some_folder>'. We'll be trying to tackle this issue in future versions.

As a workaround, if you could make the DHCP server put its logs outside of '%windir%\System32', that would fix the issue.


10 Replies
billrothjr
VMware Employee

I ran into some "brittleness" over the weekend. You have to be precise on the headers and the file paths. Could you post your full file log section?

I was trying to set up logging of some random Windows files, and these were the links I finally got working:

[filelog|WinMain1]
directory=C:\Windows
include=*.log

[filelog|ctmp]
directory=C:\Temp
include=*.log

[filelog|WinMain2]
directory=C:\Windows\Logs
include=*.log

[filelog|WinMain3]
directory=C:\ProgramData\VMware\Log Insight Agent\log
include=*.log

Key learnings:

  1. Don't replicate the name after the pipe. It gets all messed up.
  2. * does work, from what I can see.

Hope this helps.

------
Bill Roth, VMware
pboguszewski
Enthusiast

Here is what I have as far as filelog sections go (I copied and pasted the log directory from Windows Explorer and also tried typing it to be sure; I am positive the path is correct):

[filelog|winDHCP]
directory=C:\Windows\System32\dhcp
include=Dhcp*.log

[filelog|winLogInsight]
directory=C:\ProgramData\VMware\Log Insight Agent\log
include=*.log

Here is the error log (note: the Log Insight logging is working as expected; only the DHCP log is having an issue):

2014-06-18 13:49:38.632526 0x0000087c <trace> Logger:71          | Agent version 2.0.3.1879692
2014-06-18 13:49:38.632526 0x0000087c <trace> WinService:157     | WinService::Main calling daemon->Start(this=005BED20, dataDir=C:\ProgramData\VMware\Log Insight Agent)
2014-06-18 13:49:38.632526 0x0000087c <trace> AgentDaemon:85     | AgentDaemon start requested. Data directory: "C:\ProgramData\VMware\Log Insight Agent"
2014-06-18 13:49:38.632526 0x0000087c <trace> AgentDaemon:89     | Initializing storage...
2014-06-18 13:49:38.632526 0x0000087c <trace> DbConnection:34    | Opening database file C:\ProgramData\VMware\Log Insight Agent\storage\liagent.db
2014-06-18 13:49:38.632526 0x0000087c <trace> DbConnection:46    | Database "C:\ProgramData\VMware\Log Insight Agent\storage\liagent.db" opened successfully
2014-06-18 13:49:38.632526 0x0000087c <trace> DbStorage:217      | Checking database integrity...
2014-06-18 13:49:38.632526 0x0000087c <trace> DbStorage:255      | Database integrity check done.
2014-06-18 13:49:38.632526 0x0000087c <trace> EventQueue:33      | EventQueue::EventQueue stored event id's: min = 0, max = 0
2014-06-18 13:49:38.632526 0x00000ba8 <trace> WinService:254     | WinService::SetServiceStatus START_PENDING, Win32ExitCode = 0
2014-06-18 13:49:38.632526 0x00000f24 <trace> DbStorage:442      | DbStorage maintenance thread started.
2014-06-18 13:49:38.632526 0x0000087c <trace> AgentDaemon:94     | UID from storage is empty, using machine id: E4463050-AF1F-179A-C3EB-1B19935A85EC
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:77          | Configuration read from: C:\ProgramData\VMware\Log Insight Agent\liagent.ini
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:94          | Configuration hash d41d8cd98f00b204e9800998ecf8427e loaded from DB
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:158         | Read config param logging.debug_level = 0
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:158         | Read config param storage.max_disk_buffer = 200
2014-06-18 13:49:38.648126 0x0000087c <trace> DbConnection:115   | Setting SQLite cache_size = 2868224 bytes
2014-06-18 13:49:38.648126 0x0000087c <trace> AgentDaemon:108    | Initializing transport...
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:192         | Read config param server.proto = cfapi
2014-06-18 13:49:38.648126 0x0000087c <trace> AgentDaemon:170    | Creating cfapi transport
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:192         | Read config param server.hostname = xxxxxxxx
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:158         | Read config param server.port = xxxx
2014-06-18 13:49:38.648126 0x0000087c <trace> Config:158         | Read config param server.reconnect = 30
2014-06-18 13:49:38.648126 0x0000087c <trace> AgentDaemon:113    | Starting collectors...
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:27  | ConfigureAndStart invoked for collector: WinLogCollector
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:52  | Configuring WinLogCollector
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:54  | WinLogCollector configured
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:61  | Starting WinLogCollector
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:64  | WinLogCollector started
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:27  | ConfigureAndStart invoked for collector: FLogCollector
2014-06-18 13:49:38.648126 0x0000087c <trace> EventCollector:52  | Configuring FLogCollector
2014-06-18 13:49:38.648126 0x0000087c <error> FLogCollector:213  | Invalid path specification was obtained. Channel [filelog|winDHCP] will stay dormant until properly configured.
2014-06-18 13:49:38.648126 0x00000c2c <trace> WinLogCollector:203| WinLogCollector thread begin
2014-06-18 13:49:38.648126 0x00000c2c <trace> WinLogSession:203  | Subscribed to channel <Application> with query <*>
2014-06-18 13:49:38.648126 0x00000c2c <trace> WinLogSession:203  | Subscribed to channel <Security> with query <*>
2014-06-18 13:49:38.663726 0x00000c2c <trace> WinLogSession:203  | Subscribed to channel <System> with query <*>
2014-06-18 13:49:38.694927 0x0000087c <trace> EventCollector:54  | FLogCollector configured
2014-06-18 13:49:38.694927 0x0000087c <trace> EventCollector:61  | Starting FLogCollector
2014-06-18 13:49:38.694927 0x0000087c <trace> FLogCollector:242  | Subscribed to channel [winLogInsight].
2014-06-18 13:49:38.694927 0x0000087c <trace> EventCollector:64  | FLogCollector started
2014-06-18 13:49:38.694927 0x0000087c <trace> AgentDaemon:118    | Collectors started. Starting transport...
2014-06-18 13:49:38.694927 0x0000087c <trace> AgentDaemon:124    | AgentDaemon started successfully
2014-06-18 13:49:38.694927 0x0000087c <trace> WinService:254     | WinService::SetServiceStatus RUNNING, Win32ExitCode = 0
2014-06-18 13:49:38.694927 0x000005fc <trace> CFApiTransport:313 | Connecting to server...
2014-06-18 13:49:38.694927 0x00000dec <trace> AgentDaemon:207    | Reconfiguration thread started
2014-06-18 13:49:38.710527 0x000005fc <trace> CFApiTransport:330 | Connection successfully established

sflanders
Commander

Can you open a support request for this one as well? Tigran should respond to this post when he is online, but I want to ensure we track this. Let me know the SR #.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

pboguszewski
Enthusiast

Changing the log file location fixed the issue. Thanks for the solution!

sflanders
Commander

Great, can you please mark this question as answered?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
sflanders
Commander

Try C:\Windows\dhcp instead of C:\Windows\System32\dhcp for the directory and restart the agent.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
admin
Immortal

There's a better approach, which we're going to document appropriately -- for 32-bit applications there's a special alias referring to 'C:\Windows\System32': 'C:\Windows\Sysnative'. So, whenever you need to collect logs out of 'C:\Windows\System32', feel free to use that alias. In our particular case (with MS DHCP) the correct path in the configuration would be:

directory=C:\Windows\Sysnative\dhcp

Check out the following MSDN page for more information:

File System Redirector (Windows)

HywelBurris
Enthusiast

Looks like this is broken in 3.6; raising an SR.

[filelog|win2012_WindowsDNS]
directory=c:\Windows\Sysnative\dns\dns.log

Error in log file:

Fialed to initialize channel [filelog.com.microsoft.active-directory.win2012_WindowsDNS] because of improper configuration. Invalid path specification in the 'directory' key.

HywelBurris
Enthusiast

I was wrong; the AD content pack is broken. It should be:

[filelog|win2012_WindowsDNS]
directory=c:\Windows\Sysnative\dns\
include=dns.log

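As an added check (example code, not the agent's own code nor anything posted in this thread): a small Python script that reads the [filelog|...] sections of a liagent.ini and flags the two misconfigurations seen above, a %windir%\System32 path that a 32-bit agent would see redirected to SysWOW64 (suggesting the Sysnative alias instead), and a file name placed in 'directory' rather than 'include'. The sample INI is constructed from the sections posted in this thread; treating a trailing extension as a file name, and the default assumption that the agent is 32-bit, are heuristics chosen here, not documented agent behaviour.

```python
import configparser
import ntpath
import re

# Constructed sample, modelled on the sections posted in this thread (not anyone's real liagent.ini).
SAMPLE_INI = r"""
[filelog|winDHCP]
directory=C:\Windows\System32\dhcp
include=Dhcp*.log

[filelog|win2012_WindowsDNS]
directory=c:\Windows\Sysnative\dns\dns.log

[filelog|winLogInsight]
directory=C:\ProgramData\VMware\Log Insight Agent\log
include=*.log
"""

# Matches "<drive>:\Windows\System32" as a path prefix; group 1 keeps "<drive>:\Windows\".
SYSTEM32_RE = re.compile(r"^([a-z]:\\windows\\)system32(?=\\|$)", re.IGNORECASE)
# Heuristic (assumption): a last path component with a short extension is a file, not a folder.
LOOKS_LIKE_FILE_RE = re.compile(r"\.[a-z0-9]{1,5}$", re.IGNORECASE)


def check_filelog_sections(ini_text, agent_is_32bit=True):
    """Return {channel: {"findings": [...], "fix": {...}}} for every [filelog|...] section."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %windir% literal, no %-expansion
    cp.read_string(ini_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("filelog|"):
            continue
        findings, fix = [], {}
        directory = cp.get(section, "directory", fallback="").strip()
        include = cp.get(section, "include", fallback="").strip()
        if not directory:
            findings.append("missing-directory")
        else:
            head, tail = ntpath.split(directory.rstrip("\\"))
            if LOOKS_LIKE_FILE_RE.search(tail):  # file name given as the directory (the dns.log case)
                findings.append("directory-is-file")
                directory, fix["directory"] = head, head
                if not include:  # move the file name into the include pattern
                    include, fix["include"] = tail, tail
            if agent_is_32bit and SYSTEM32_RE.match(directory):  # WOW64 would redirect this to SysWOW64
                findings.append("wow64-redirected")
                fix["directory"] = SYSTEM32_RE.sub(r"\g<1>Sysnative", directory)
        if not include:
            findings.append("missing-include")
        report[section.split("|", 1)[1]] = {"findings": findings, "fix": fix}
    return report
```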