Fixes are available
APAR status
Closed as program error.
Error description
When monitoring Windows Event Logs, the event log is re-read from the beginning, resulting in old events being sent.

This occurs on Windows 2003 or 2008 systems with the following settings in the configuration file:
- WINEVENTLOGS=<named event logs>
- NumEventsToCatchUp=-2
- UseNewEventLogAPI=n (must be set on Windows 2008 systems)

Note: NumEventsToCatchUp=-2 is not supported for Windows Event Logs, but may be set for a LogSources or RegexLogSources file.

Environment:
Product/VRM: Log File Agent V6.3 Interim Fix 0001 and later
Operating System/VRM: Microsoft Windows 2003 and 2008

Problem Determination:
On the LO agent system, enable a minimum of the following trace:
KBB_RAS1: ERROR (UNIT:WinLogQuery ALL)

The agent RAS1 log <hostname>_lo_[instance]_kloagent_<timestamp>-<nn>.log shows trace points similar to the following:
- - -
...
...:winlogqueryclass.cpp,2521,"WinLogQueryClass::EventStartInit") WARNING: numEventsToCatchUp is -2 but there aren't that many events. Starting with oldest instead
...
- - -

RECREATE INSTRUCTIONS:
On a Windows 2008 system configured with UseNewEventLogAPI=n, or a Windows 2003 system:
1. In the .conf file, specify
   - WINEVENTLOGS=<named event logs>
   - NumEventsToCatchUp=-2
   On Windows 2008, also specify
   - UseNewEventLogAPI=n
2. Start the kloagent.
3. Allow some events to flow/be monitored.
4. Recycle the kloagent.
Local fix
LOCAL FIX: Possible workarounds:
1. On Windows 2008 systems, set UseNewEventLogAPI=y
2. Set NumEventsToCatchUp=-1
3. If necessary, split the monitoring in one instance into two instances: one for logs monitored via LogSources with NumEventsToCatchUp=-2 set, and one for Windows Event Logs (WINEVENTLOGS) with NumEventsToCatchUp=-1 set.
Problem summary
When the Log File agent is restarted and is monitoring Windows Event Logs with NumEventsToCatchUp=-2, the event log is re-read from the beginning, resulting in old events being sent.

The code did not handle the NumEventsToCatchUp negative flag values properly, and the value resulted in a large positive number. The agent then tried to back up that large number of records, which often caused the agent to start at the beginning of the Windows Event Log.

This occurs on Windows 2003 or 2008 systems with the following settings in the configuration file:
- WINEVENTLOGS=<named event logs>
- NumEventsToCatchUp=-2
- UseNewEventLogAPI=N (must be set for the issue to occur on Windows 2008 systems)

Note: This issue was not seen with NumEventsToCatchUp=-1.
Problem conclusion
Added checks that NumEventsToCatchUp was greater than zero when calculating the event to restart from.

The fix for this APAR is included in the following maintenance vehicle:
| fix pack | 6.3.0-TIV-ITM_LFA-FP0001 |

Note: The Log File Agent fix is available at http://www.ibm.com/support/docview.wss?uid=swg24042317
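The failure mode described in the problem summary, and the sign check described above, as an added example that is not IBM's code. The function names, the log_state structure, the record numbers, the signed-to-unsigned conversion as the cause of the large positive number, and the resume-at-saved-position behaviour for the flag are all assumptions; only the -2 case from this APAR is modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of picking the event record to restart from.
 * oldest/next bound the records currently in the event log; saved is
 * the position remembered from before the restart (assumed field). */
typedef struct { uint32_t oldest, next, saved; } log_state;

/* Before: the setting is used as a record count without a sign check.
 * Assumption: the flag reaches an unsigned count, so -2 becomes
 * 4294967294 and the "back up" distance exceeds the whole log. */
uint32_t start_record_unchecked(log_state s, int32_t catch_up)
{
    uint32_t count = (uint32_t)catch_up;
    uint32_t available = s.next - s.oldest;
    if (count > available)   /* "there aren't that many events"   */
        return s.oldest;     /* "Starting with oldest instead"    */
    return s.next - count;
}

/* After: back up only when the setting is greater than zero. */
uint32_t start_record_checked(log_state s, int32_t catch_up)
{
    if (catch_up > 0) {
        uint32_t count = (uint32_t)catch_up;
        uint32_t available = s.next - s.oldest;
        return count > available ? s.oldest : s.next - count;
    }
    /* Negative flag: never a count. Assumed behaviour: resume at the
     * saved position while it is still inside the log. */
    if (catch_up < 0 && s.saved >= s.oldest && s.saved <= s.next)
        return s.saved;
    return s.next;           /* zero, or no usable saved position */
}

int main(void)
{
    log_state s = { 1000, 5000, 4990 };   /* constructed sample values */
    printf("unchecked, -2: start at %u (whole log is re-sent)\n",
           (unsigned)start_record_unchecked(s, -2));
    printf("checked,   -2: start at %u\n",
           (unsigned)start_record_checked(s, -2));
    return 0;
}
```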
Temporary fix
Comments
APAR Information
APAR number
IV82875
Reported component name
ITM LOG FILE AG
Reported component ID
5724C04LF
Reported release
630
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-03-22
Closed date
2016-05-31
Last modified date
2016-05-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
ITM LOG FILE AG
Fixed component ID
5724C04LF
Applicable component levels
Document Information
Modified date:
08 March 2023