Module: check_mk
Branch: master
Commit: db66714eeef0e51f45f25715df56a0f95185e1c3
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=db66714eeef0e5…
Author: Sergey Kipnis <sk(a)mathias-kettner.de>
Date: Tue Dec 4 15:01:27 2018 +0100
[CMK-1382] - prevent agent crash when the error occurs during reading eventlog
6864 FIX Windows Agent crash during access to Event Log
Sometimes the Windows Agent may crash when accessing a Windows Event Log
because the log is too big or the log itself is broken.
Now the Windows Agent should skip such logs.
Change-Id: Ie513d5bb409b93bf2155a3d77481de0ec4cb02f1
---
.werks/6864 | 12 ++++++++++++
agents/windows/EventLog.cc | 23 +++++++++++++++++++----
2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/.werks/6864 b/.werks/6864
new file mode 100644
index 0000000..08ce3ef
--- /dev/null
+++ b/.werks/6864
@@ -0,0 +1,12 @@
+Title: Windows Agent crash during access to Event Log
+Level: 1
+Component: checks
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1543932376
+Class: fix
+
+Sometimes Windows Agent may crash when accessing Windows Event Log
+because the size of the Log is too big or the Log itself is broken.
+Now Windows Agent should skip such logs.
diff --git a/agents/windows/EventLog.cc b/agents/windows/EventLog.cc
index 4726833..23d7ce8 100644
--- a/agents/windows/EventLog.cc
+++ b/agents/windows/EventLog.cc
@@ -175,8 +175,9 @@ wstring MessageResolver::resolve(DWORD eventID, LPCWSTR source,
result += parameters[i];
}
}
- std::replace_if(result.begin(), result.end(),
- [](wchar_t ch) { return ch == '\n' || ch == '\r'; },
' ');
+ std::replace_if(
+ result.begin(), result.end(),
+ [](wchar_t ch) { return ch == '\n' || ch == '\r'; }, '
');
return result;
}
@@ -307,8 +308,22 @@ std::unique_ptr<EventLogRecordBase> EventLog::read() {
if (result == nullptr) {
// no fitting record in our buffer, get the next couple of
// records
- if (!fillBuffer()) {
- // no more events to read, break out of the loop
+ try {
+ if (!fillBuffer()) {
+ // no more events to read, break out of the loop
+ break;
+ }
+ } catch (const std::exception &e) {
+ // win_exception is coming here
+ // generated exception in fillBuffer must be processed in any
+ // case usually we have something like FILE_TOO_LARGE(223)
+ // during reading Event Log and fpor some reason we thorw
+ // exception. Bad? Bad. In Fact, we have SERIOUS problem with
+ // monitored host. Our Log was informed. Probably we need some
+ // additional checks pointing that logs are either bad or
+ // overflown
+ Debug(_logger)
+ << "Error reading event log. Exception is " <<
e.what();
break;
}
}
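Review bot: The new catch block leaves the loop with the same `break` as the normal end-of-log path, so a broken or oversized event log will presumably look to callers of `EventLog::read()` like a log with no further records, and the only trace is a Debug-level message. For a monitoring agent that is a silent gap in event collection. Consider logging at a higher severity if the logger provides one, e.g. `Error(_logger) << "Error reading event log, skipping: " << e.what();`, and reporting the skipped log in the agent output so the monitoring server can alert on it. The comment in the catch block has typos ("fpor", "thorw") and could be shortened to `// fillBuffer() throws (e.g. win_exception) when the log is too large or corrupt; stop reading this log instead of crashing`. The body of `read()` starts and ends outside this hunk, so what is returned after the loop is not visible here.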