NSClient++ Crashing when doing EventLog checking

[dwhite@…]

I have NSClient 0.3.5 x64 Running on Windows 2008 Standard Server 64bit.

I received the following crash:

Log Name:      Application
Source:        Application Error
Date:          9/30/2008 11:45:44 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      WASSQL01.safedatainc.com
Description:
Faulting application NSClient++.exe, version 0.0.0.0, time stamp 0x48da9ee0, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791adec, exception code 0xc0000005, fault offset 0x000000000002a82f, process id 0x3158, application start time 0x01c9232c4537d251.

This began happening when I started doing EventLog? checking. Previously I was just checking for running services, cpu and disk load.

These are my check commands:

check_eventlog_sys=inject CheckEventLog filter=new file=System MaxWarn=1 MaxCrit=7 filter=in filter+generated=<2d filter+eventType==error filter=all syntax=%source%(%type%)%message% truncate=1024 descriptions[[BR]]
check_eventlog_app=inject CheckEventLog filter=new file=Application MaxWarn=1 MaxCrit=7 filter=in filter+generated=<2d filter+eventType==error filter=all syntax=%source%(%type%)%message% truncate=1024 descriptions[[BR]]
check_eventlog_sec=inject CheckEventLog filter=new file=Security MaxWarn=1 MaxCrit=7 filter=in filter+generated=<2d filter+eventType==error filter=all syntax=%source%(%type%)%message% truncate=1024 descriptions

• My buffer_size is 512000
  
• NRPE Timeout is 75 seconds
  
• NRPE Socket timeout is 55 seconds.
  

It crashes after a few minutes of running. After a restart it behaves (successfully processes all commands) and then crashes again.

Darren

[ken_chief_engineer@…]

After upgrading from the 0.2.7 to 0.3.4, I was having issues with my CheckEventLog commands too. This is with the 32 bit version, not 64 bit, but it might help you out.

At first it was the error:/\CheckEventLog.cpp:705 EventlogBuffer? is too small (set the value of buffer_size)

I saw on the blog that for .0.3.4 you could add the buffer_size command under a [EventLog?] heading. I just kept increasing the number until all my eventlog checks stopped generating the buffer error (512000 is what I found worked as at 384000 I still had about 10-20% of the checks erroring).

Once I got rid of the buffer too small errors, I was getting NRPEListener.cpp errors. One was:

NRPEListener.cpp:302: NRPESocketException: To much data cant create return packet (truncate data)

The other I don't remember, but something about the data being sent, but part of it got truncated.

Thinking that I finally got the buffer issue resolved and now I was just sending too much data to the NRPE client code, I adjusted down the size I was truncating data to. I adjusted my truncate=1024 value to truncate=990 for all the CheckEventLog commands and all the errors went away and appears to be working fine. I did not try any values higher than that, but you could probably bump it up a little.

Without the source code to verify, I suspect that 1024 is the NRPE size limit of the whole results string, and with using the truncate=1024 setting in CheckEventLog, you get up to 1024 bytes of "details" plus other stuff like state code, state name, etc which then pushes you past the 1024 limit for the entire results string. Just my thoery.

[mickem]

Could you try disabling the name lookups?

[Eventlog]
lookup_names=0

I shall investigate further but it would be nice to know the name lookup is not breaking stuff.
Does it "crash" before you start changing the buffer size?

Michael Medin

[mickem]

closing due to inactivity, if you have this issue please provide more information and reopen.