Opened 5 years ago

Closed 16 months ago

#267 closed defect (fixed)

NSClient++ 64 0.3.5.1 crashes by CheckEventLog by use of flag "descriptions"

Reported by: theofu Owned by: anonymous
Priority: 1 Milestone: 0.3.6
Component: Core Version: 0.3.9
Severity: Bugs Keywords:
Cc:

Description

NSClient++ 64 0.3.5.1 crashes by CheckEventLog by use of flag "descriptions" and syntax=...
When we use CheckEventLog without "descriptions" but with syntax it's ok, but getting the descriptions and syntax= at the same time crashes.

I'll try with 0.3.4.

Change History (11)

comment:1 Changed 5 years ago by anonymous

  • Owner changed from MickeM to anonymous
  • Status changed from new to assigned

Could you get me the exact command line you use?

MickeM

comment:2 Changed 5 years ago by anonymous

The following does not crash for me:

CheckEventLog file=Application filter+generated=>2d descriptions syntax=...

comment:3 in reply to: ↑ description Changed 5 years ago by theofu

Replying to theofu:

NSClient++ 64 0.3.5.1 crashes by CheckEventLog by use of flag "descriptions" and syntax=...
When we use CheckEventLog without "descriptions" but with syntax it's ok, but getting the descriptions and syntax= at the same time crashes.

I'll try with 0.3.4.

With 0.3.4 it is the same problem.
It's a Microsoft Windows Server 2003 R2 Standard x64 Edition Service Pack 2.

comment:4 Changed 5 years ago by theofu

This is an example of code called from Nagios that crashes:

check_nrpe -H <ipadr> -c CheckEventLog -a file=system syntax=%message% truncate=1000 MaxWarn=1 MaxCrit=1 filter=all filter=in filter+eventType==error filter+generated=\<7d descriptions

Without "descriptions" in the end, no crash.

For the buffer I put:

[EventLog]
buffer_size=520000

It's the same: with descriptions, crash; without, no crash.

comment:5 Changed 5 years ago by anonymous

Could you try enabling the debug syslog thingy and run in /test and see if you can see if there are any errors?

ie:
nsc.ini

[EventLog]
debug=1

and then run:

nsclient++ /test

MickeM

comment:6 Changed 5 years ago by anonymous

It gives:

NSCLient++.cpp(910) Injecting: CheckEventLog: file=system, syntax=%message%, truncate=1000, MaxWarn=1, MaxCrit=1, filter=all, filter=in, filter+eventType==error, filter+generated=<7d, descriptions

C:\NSClient>_

No result with debugging.

comment:7 Changed 4 years ago by steavor

I'm using NSClient++ version 0.3.5.1 2008-09-24 on our 64bit machines and am currently trying to narrow down the events that are causing NSCP to crash. I wasn't really sure whether ticket #238 or this one was the right one to post this (#238 seems to describe pretty much the same bug), but here we go:

First of all, this is the definition of the check in NSC.ini, section [NRPE Handlers]

check_eventlog=inject CheckEventLog filter=new filter=in file=application file=system MaxWarn=$ARG3$ MaxCrit=$ARG4$ filter+generated=<$ARG2$ filter+eventType==$ARG1$ unique descriptions "syntax=%severity% %id%: %source%: %message% (%count%)"

And this is how the Nagios check commands are defined:

define command {
  command_name  check_eventlog
  command_line  $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_eventlog -a $ARG1$   $ARG2$ $ARG3$ $ARG4$
}

So this check command

check_eventlog!"warning"!"15m"!"1"!"5"

will show any warnings logged in the Application log and the System log during the last 15 minutes. Replacing "warning" with "error" means that we get to see all errors logged during the last 15 minutes, and that's how it's set up here: 2 separate checks, one checking for errors, the other one checking for warnings.
When Nagios executes the check, this is how it would be logged in the NSCP log:

2009-03-11 15:17:47: debug:.\NSClient++.cpp:910: Injecting: check_eventlog: error, 15m, 1, 1
2009-03-11 15:17:47: debug:.\NSClient++.cpp:910: Injecting: CheckEventLog: filter=new, filter=in, file=application, file=system, MaxWarn=1, MaxCrit=1, filter+generated=<15m, filter+eventType==error, unique, descriptions, syntax=%severity% %id%: %source%: %message% (%count%)
2009-03-11 15:17:47: debug:.\CheckEventLog.cpp:730: Result: success 0: NagiosEventLog Test: failed to load: C:\Program Files (x86)\NSClient++\NagEvLogAgent\msgdll.dll( reson: 193 (3), eventlog: 3 > critical

Now on to what I was able to verify / find out:
1) The crash is triggered when nscp tries to process certain error descriptions - removing the "descriptions" flag from the check command definition will prevent NSCP from crashing.

2) These are the events that have caused the crashes; descriptions are in German since the clients in question are running on German Windows Server 2003R2 hosts:

EventType: Warning
EventID: 208
EventSource: SQLSERVERAGENT
EventCategory: Job Engine
Description: 
SQL Server Scheduled Job 'Indexoptimierung.Täglich' (0xB96F3269C7A84A42B6DB0266BB3327C7) - Status: Fehler - Invoked on: 2009-02-26 18:00:00 - Message: Auftragsfehler  Der Auftrag wurde von Zeitplan 25 (Indexoptimierung.Subplan_1) aufgerufen. Zuletzt wurde Schritt 1 (Täglich) ausgeführt.

EventType: Error
EventID: 12011
EventSource: MSExchangeTransport
EventCategory: TransportService
Description: 
Microsoft Exchange konnte den Dienstprinzipalnamen "SMTP" nicht registrieren: Die angegebene Domäne ist nicht vorhanden, oder es konnte keine Verbindung hergestellt werden.

EventType: Error
EventID: 12014
EventSource: MSExchangeTransport
EventCategory: TransportService
Description: 
Microsoft Exchange konnte ein Zertifikat nicht finden, das den Domänennamen "www.domain.tld" im persönlichen Informationsspeicher auf dem lokalen Computer enthält. Daher kann die STARTTLS-SMTP-Aktionsart für den Connector "Extern" mit einem FQDN-Parameter von "www.domain.tld" nicht  unterstützt werden. Überprüfen Sie die Connectorkonfiguration sowie die installierten Zertifikate, damit sichergestellt wird, dass ein Zertifikat mit einem Domänennamen für jeden Connector-FQDN vorhanden ist. Wenn das Zertifikat vorhanden ist, führen Sie "Enable-ExchangeCertificate -Services SMTP" aus, damit sichergestellt ist, dass der Microsoft Exchange-Transportdienst auf den Zertifikatschlüssel zugreifen kann.

As soon as any of these entries appears in the event log and Nagios runs the appropriate check, a CRITICAL status is returned, output: "(Return code of 141 is out of bounds)". All subsequent checks are failing with "Connection refused by host" since NSCP isn't running anymore.

All these crashes produced the same event log entry:

Faulting application ntdll.dll, version 5.2.3790.3959, fault address 0x0000000000025162.

3) Disabling the name lookups (as suggested in #238) doesn't help, truncating doesn't help either.
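Added example, not part of the ticket thread or of NSClient++: a triage script for the debug log format quoted in comment:7. It lists every CheckEventLog injection that was never answered by a CheckEventLog.cpp "Result:" line (the pattern seen when the agent dies mid-check) and records whether the "descriptions" flag was set. It assumes the agent logs a Result before the next injection; the sample log lines are constructed.

```python
import re

# Line shape copied from the NSCP debug log quoted in comment:7:
#   <date> <time>: debug:<source file>:<line>: <text>
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): debug:(?P<src>[^:]+):\d+: (?P<text>.*)$")
INJECT = re.compile(r"^Injecting: CheckEventLog: (?P<args>.*)$")  # real module only, not the alias

def parse_args(arg_text):
    """Split the logged ', '-separated arguments into bare flags and key=value options."""
    flags, options = set(), {}
    for item in arg_text.split(", "):   # limitation: a syntax= value containing ', ' is split too
        key, sep, value = item.partition("=")
        if sep:
            options.setdefault(key, []).append(value)
        else:
            flags.add(item)
    return flags, options

def unanswered_injections(log_lines):
    """Return CheckEventLog injections that never got a CheckEventLog.cpp 'Result:' line."""
    pending, suspects = None, []
    for raw in log_lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        inj = INJECT.match(m["text"])
        if inj:
            if pending:                 # previous request died before answering
                suspects.append(pending)
            flags, options = parse_args(inj["args"])
            pending = {"ts": m["ts"], "descriptions": "descriptions" in flags,
                       "files": options.get("file", [])}
        elif m["src"].endswith("CheckEventLog.cpp") and m["text"].startswith("Result:"):
            pending = None
    return suspects + ([pending] if pending else [])

# Constructed sample in the ticket's log format (timestamps and Result text are made up).
SRC, CHK = r"debug:.\NSClient++.cpp:910: Injecting: ", r"debug:.\CheckEventLog.cpp:730: Result: "
WITH_DESC = "CheckEventLog: filter=new, file=application, file=system, MaxWarn=1, MaxCrit=1, unique, descriptions, syntax=%message%"
SAMPLE_LOG = [
    "2009-03-11 15:17:47: " + SRC + "check_eventlog: error, 15m, 1, 1",
    "2009-03-11 15:17:47: " + SRC + WITH_DESC,
    "2009-03-11 15:17:47: " + CHK + "success 0: eventlog: 0 > ok",
    "2009-03-11 15:32:47: " + SRC + WITH_DESC,               # no Result follows: agent went down here
    "2009-03-11 15:50:02: " + SRC + "CheckEventLog: file=system, MaxWarn=1, MaxCrit=1",
    "2009-03-11 15:50:02: " + CHK + "success 0: eventlog: 0 > ok",
]

if __name__ == "__main__":
    for hit in unanswered_injections(SAMPLE_LOG):
        print(hit)
```

Correlating the reported timestamps with the event log entries written just before them narrows down which records the agent was formatting when it stopped.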

comment:8 Changed 4 years ago by bjorn.ericsson@…

  • Version 0.3.5 deleted

I have the same problem with NSClient++-0.3.6-RC7-x64 and Windows 2008.

comment:9 Changed 4 years ago by theofu

  • Milestone changed from 0.4.0 to 0.3.6

I made the test on a 64-bit Windows Server 2003 with the 64-bit 0.3.6-RC8 version: crash with the message:

Faulting application ntdll.dll, version 5.2.3790.3959, fault address 0x0000000000025172.

When I use the 32-bit version in debug mode, the error is signaled but NSClient++ doesn't crash. It only shows the error.

I hope you find why the "descriptions" flag creates this error on 64-bit servers (only when there is a result; when the answer is no result, no crash).

comment:10 Changed 4 years ago by mickem

A new nightly build out in a bit will I hope fix this issue, please try it out and let me know if it works out (the nightly has IIRC some debug output in the ProcCheck so might not wanna think twice before you roll it out).

MickeM

comment:11 Changed 16 months ago by mickem

  • Resolution set to fixed
  • Status changed from assigned to closed
  • Version set to 0.3.9

Closing as it is presumably fixed...
