Closed GoogleCodeExporter closed 8 years ago
If you search for "4722" class:windows, do you get hits on these logs? How
about class:none?
Original comment by mchol...@gmail.com
on 13 May 2013 at 6:39
I am not sure what's happening, but in the past 20 minutes I have managed to
capture two new 4722 events. (I've been generating them on our domain
controller periodically). However, a third event that I generated 10 minutes
ago was not picked up (but is still in the syslog).
"4722" class:windows brings up the two events I've been able to see. "4722"
class:none brings up no events.
It seems that something after syslog is dropping logs when it shouldn't be. I'm
currently using real time logging with a batch_limit of 10 (I get barely 20
logs/second max, ever). Should I upload my sphinx and elsa_node configs for you?
Original comment by i...@pingas.org
on 13 May 2013 at 6:45
This sounds like a possible realtime bug, but I can't be sure. Can you
determine which events get written to the test file but don't get written to
ELSA?
Original comment by mchol...@gmail.com
on 14 May 2013 at 2:58
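One way to answer the question above (which events reach the debug file but never appear in ELSA) is to key both sources on the Windows event record number and diff them. The script below is an added example, not part of the original thread or of the ELSA project: it parses syslog-forwarded Windows event lines in a key=value style, the field names (`EventID`, `RecordNumber`, `Hostname`) and the sample lines are constructed assumptions, and the ELSA side is assumed to be an export of the same raw lines returned by a query such as "4722" class:windows.

```python
import re
from dataclasses import dataclass

# Key=value pairs as emitted by common Windows-to-syslog agents. The field names
# are an assumption for this example; adjust them to the agent actually in use.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass(frozen=True)
class WinEvent:
    host: str
    record_id: int   # EventRecordID, unique per host and monotonically increasing
    event_id: int    # e.g. 4722 = "A user account was enabled"


def parse_event(line):
    """Extract a WinEvent from one syslog line, or None if the line lacks the fields."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        return WinEvent(fields["Hostname"], int(fields["RecordNumber"]), int(fields["EventID"]))
    except (KeyError, ValueError):
        return None


def index_events(lines):
    """Map (host, record_id) -> WinEvent, ignoring lines that are not Windows events."""
    events = (parse_event(ln) for ln in lines)
    return {(ev.host, ev.record_id): ev for ev in events if ev is not None}


def find_missing(debug_lines, elsa_lines, event_id=None):
    """Events present in the syslog debug capture but absent from the ELSA results.

    If event_id is given, only gaps for that Windows Event ID are reported.
    """
    captured = index_events(debug_lines)
    indexed = index_events(elsa_lines)
    missing = [ev for key, ev in sorted(captured.items()) if key not in indexed]
    if event_id is not None:
        missing = [ev for ev in missing if ev.event_id == event_id]
    return missing


# Constructed sample input: what the syslog debug file received from the DC.
DEBUG_LINES = [
    'May 13 18:30:01 dc01 MSWinEventLog EventID=4722 RecordNumber=1001 Hostname=dc01 Message="A user account was enabled."',
    'May 13 18:30:02 dc01 MSWinEventLog EventID=4624 RecordNumber=1002 Hostname=dc01 Message="An account was successfully logged on."',
    'May 13 18:40:15 dc01 MSWinEventLog EventID=4722 RecordNumber=1003 Hostname=dc01 Message="A user account was enabled."',
    'May 13 18:41:00 dc01 sshd[1234]: Accepted publickey for admin from 10.0.0.5',
]

# Constructed sample input: the raw lines ELSA returned for the same window.
ELSA_LINES = [
    'May 13 18:30:01 dc01 MSWinEventLog EventID=4722 RecordNumber=1001 Hostname=dc01 Message="A user account was enabled."',
    'May 13 18:30:02 dc01 MSWinEventLog EventID=4624 RecordNumber=1002 Hostname=dc01 Message="An account was successfully logged on."',
]

if __name__ == "__main__":
    for ev in find_missing(DEBUG_LINES, ELSA_LINES, event_id=4722):
        print(f"missing from ELSA: host={ev.host} record={ev.record_id} eventid={ev.event_id}")
```

Keying on the per-host record number rather than on timestamp or message text makes the comparison robust to the indexing delay discussed later in the thread: an event that shows up an hour late simply drops out of the missing list on the next run, while a record number that never appears is a real gap.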
Hmm... I'm not sure what happened now. I left the office for the day and came
back to try and compare the contents of my debug file against what elsa had
logged, and now I find that all 5 of my events with eventid:4722 show up in a
query. After looking at other events, I can't find any that aren't showing up
in elsa now.
Is there any sort of chance that logs would be delayed showing up in queries
for an hour or two? Or perhaps a whole day?
This whole problem seems really hard to pin down.
Original comment by i...@pingas.org
on 15 May 2013 at 2:53
I can't imagine how that would happen in realtime mode, but realtime mode
isn't really tested right now (I plan on making it the primary mode of
operation in the next few months). The only thing I can think of is that
even your batch setting of 10 wasn't enough, but that doesn't really make
sense either. In realtime, the logs should be available immediately after
the batch limit is hit as it's a direct INSERT into the Sphinx and MySQL
databases.
Original comment by mchol...@gmail.com
on 15 May 2013 at 3:06
How strange...
If there are any log files you'd like, I will upload them. Otherwise, I guess you
should mark this as closed for now.
Original comment by i...@pingas.org
on 15 May 2013 at 3:07
Ok, will close for now. Please reopen if you find events go missing
indefinitely.
Original comment by mchol...@gmail.com
on 15 May 2013 at 3:09
Original issue reported on code.google.com by i...@pingas.org
on 13 May 2013 at 5:55