Fixes are available
Tivoli Log File Agent, Version 6.3.0 Fix Pack 01 (6.3.0-TIV-ITM_LFA-FP0001)
Tivoli Log File Agent, Version 6.3.0 Interim Fix 04 6.3.0-TIV-ITM_LFA-IF0004
Tivoli Log File Agent, Version 6.3.0 Fix Pack 02 (6.3.0-TIV-ITM_LFA-FP0002)
Tivoli Log File Agent, Version 6.3.0 Interim Fix 05 6.3.0-TIV-ITM_LFA-IF0005
APAR status
Closed as program error.
Error description
The event msg field or slot might contain a value of "None", when a Windows event log message contains a %n where n is a number in the event description field. If the %n is not substituted, the Microsoft EvtFormatMessage API returns ERROR_EVT_UNRESOLVED_VALUE_INSERT (15029) which the agent treats as an error. As a result of the error, the agent discards the event description and substitutes "None" for the empty message.

Problem Determination:

On the LO agent system, enable a minimum of the following trace:

KBB_RAS1= ERROR (UNIT:WinLogQuery ALL)

The agent RAS1 log <hostname>_lo_[instance]_kloagent_<timestamp>-<nn>.log shows the "15029" error:

<timestamp>:winlogqueryclass.cpp,932,"renderEvent") Rendering message for event
<timestamp>:winlogqueryclass.cpp,594,"renderEventString") Entry
<timestamp>:winlogqueryclass.cpp,629,"renderEventString") Retrieved metadata for provider MYEVENTSOURCE from hashmap
<timestamp>:winlogqueryclass.cpp,676,"renderEventString") EvtFormatMessage failed, error = 15029, evt handle = 0x00000002
<timestamp>:winlogqueryclass.cpp,705,"renderEventString") Exit: 0x0

RECREATE INSTRUCTIONS:

To reproduce the problem:

1. Set up the .conf file as below:

WINEVENTLOGS=Application
UseNewEventLogAPI=y
UnmatchLog=C:/TEMP/abc.txt

2. Set up the .fmt file as below:

REGEX ApplicationLog2
^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) ([0-9]) (\S+) (\S+) (\S+) (\S+) ([0-9]+) (.*)
timestamp $1 CustomSlot1
evtcategory $2 CustomSlot2
severity $3 CustomSlot3
login $4 CustomSlot4
evtsrc $5 CustomSlot5
evtkeyword $6 CustomSlot6
eventid $7 CustomSlot7
msg $8
END

3. To trigger a Windows event that contains %n:

C:\Users\Administrator>eventcreate /ID 198 /L APPLICATION /T ERROR /SO MYEVENTSOURCE /D "PowerShell Test new test 0x%9. "
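An added example, not part of the APAR or of IBM's tooling: a Python scan of the agent RAS1 log that counts, per provider, the events whose description was discarded because EvtFormatMessage returned 15029. The sample lines are constructed from the trace shown above, with "(TS)" standing in for the elided timestamp and OTHERSOURCE as a made-up second provider; it assumes the provider line precedes the failure line within one renderEventString Entry/Exit pair, as in that trace.

```python
import re
from collections import Counter

UNRESOLVED_VALUE_INSERT = 15029  # ERROR_EVT_UNRESOLVED_VALUE_INSERT, per the APAR text

# Constructed sample: "(TS)" replaces the timestamp the page elides; OTHERSOURCE is made up.
SAMPLE_RAS1 = '''\
(TS):winlogqueryclass.cpp,594,"renderEventString") Entry
(TS):winlogqueryclass.cpp,629,"renderEventString") Retrieved metadata for provider MYEVENTSOURCE from hashmap
(TS):winlogqueryclass.cpp,676,"renderEventString") EvtFormatMessage failed, error = 15029, evt handle = 0x00000002
(TS):winlogqueryclass.cpp,705,"renderEventString") Exit: 0x0
(TS):winlogqueryclass.cpp,594,"renderEventString") Entry
(TS):winlogqueryclass.cpp,629,"renderEventString") Retrieved metadata for provider OTHERSOURCE from hashmap
(TS):winlogqueryclass.cpp,705,"renderEventString") Exit: 0x0
(TS):winlogqueryclass.cpp,594,"renderEventString") Entry
(TS):winlogqueryclass.cpp,629,"renderEventString") Retrieved metadata for provider MYEVENTSOURCE from hashmap
(TS):winlogqueryclass.cpp,676,"renderEventString") EvtFormatMessage failed, error = 15029, evt handle = 0x00000003
(TS):winlogqueryclass.cpp,705,"renderEventString") Exit: 0x0
(TS):winlogqueryclass.cpp,594,"renderEventString") Entry
(TS):winlogqueryclass.cpp,676,"renderEventString") EvtFormatMessage failed, error = 15029, evt handle = 0x00000004
(TS):winlogqueryclass.cpp,705,"renderEventString") Exit: 0x0
(TS):winlogqueryclass.cpp,594,"renderEventString") Entry
(TS):winlogqueryclass.cpp,629,"renderEventString") Retrieved metadata for provider OTHERSOURCE from hashmap
(TS):winlogqueryclass.cpp,676,"renderEventString") EvtFormatMessage failed, error = 15027, evt handle = 0x00000005
(TS):winlogqueryclass.cpp,705,"renderEventString") Exit: 0x0
'''

ENTRY_RE = re.compile(r'"renderEventString"\) Entry')
PROVIDER_RE = re.compile(r'"renderEventString"\) Retrieved metadata for provider (\S+) from hashmap')
FAIL_RE = re.compile(r'"renderEventString"\) EvtFormatMessage failed, error = (\d+)')

def unresolved_insert_failures(lines):
    """Count 15029 render failures per provider; each one is an event forwarded with msg "None"."""
    counts = Counter()
    provider = None
    for line in lines:
        if ENTRY_RE.search(line):
            provider = None          # new event: forget the previous event's provider
            continue
        match = PROVIDER_RE.search(line)
        if match:
            provider = match.group(1)
            continue
        match = FAIL_RE.search(line)
        if match and int(match.group(1)) == UNRESOLVED_VALUE_INSERT:
            # The provider line can be absent (different trace path); keep the hit anyway.
            counts[provider or "<unknown>"] += 1
    return counts

if __name__ == "__main__":
    for name, hits in unresolved_insert_failures(SAMPLE_RAS1.splitlines()).most_common():
        print(f"{name}: {hits} event(s) forwarded without a description")
```

Providers that show up here are the event sources whose descriptions downstream rules never saw, which is the list to re-check after the fix is applied.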
Local fix
If the message is manually generated, remove the %n in the description field. Otherwise, there is no work-around.
Problem summary
The event msg field or slot contains a value of "None", when a Windows event log message contains a %n where n is a number in the event description field. If the %n is not substituted, the Microsoft EvtFormatMessage API returns ERROR_EVT_UNRESOLVED_VALUE_INSERT (15029) which the agent treats as an error. As a result of the error, the agent discards the event description and substitutes "None" for the msg slot. This occurs on Windows operating systems only with Log File Agent version 6.3.0 Interim Fix 0003 (6.3.0-TIV-ITM_LFA-IF0003) and earlier releases.
Problem conclusion
Do not handle ERROR_EVT_UNRESOLVED_VALUE_INSERT as an error.

The fix for this APAR is included in the following maintenance vehicle:

interim fix 6.3.0-TIV-ITM_LFA-IF0004, available at http://www.ibm.com/support/docview.wss?uid=swg24039388
Temporary fix
Comments
APAR Information
APAR number
IV67708
Reported component name
ITM LOG FILE AG
Reported component ID
5724C04LF
Reported release
630
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-12-09
Closed date
2015-02-26
Last modified date
2015-02-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
ITM LOG FILE AG
Fixed component ID
5724C04LF
Applicable component levels
R630 PSY
UP
Document Information
Modified date:
30 December 2022