Merge Loader Process Not Working on Windows Load Collector

Overview

  • After the user added new merge loaders for WinRM logs, the merge loaders for the Windows sources stopped working, or ran very slowly.
  • The error.log on the Load Collector shows an error like this:

<Loader 'l_windows_merge'> A Collector had a problem with the config.xml file. More than one node has the same or mismatched information. [Found 0 nodes matching xpath='/Collector/Loaders/Loader[@name='l_winrm_load_security']']


Solution

As the error message above indicates, every Merge definition must reference, in its 'loader' attribute, a Loader that will load the merged data into the SLS table. The collector looks that Loader up by name in config.xml (XPath /Collector/Loaders/Loader[@name='...']); here it found no Loader named l_winrm_load_security, so the Merge referencing it fails and the merge loader as a whole is affected.

  • Correct the configuration by removing the newly added Merge definitions for WinRM, which reference loaders (l_winrm_load_security, l_winrm_load_system) that are not defined in config.xml:
<Merge enabled="1" loader="l_winrm_load_security" maxMB="75000" age="80 min" sort="1" sortOptions="--stable -k1,2 -S 5G -T /opt/data/sensage/tmp/winrm_security/">
<Postprocess match="^winrmsec.*">cat</Postprocess>
</Merge>
<Merge enabled="1" loader="l_winrm_load_system" maxMB="75000" age="80 min" sort="1" sortOptions="--stable -k1,2 -S 5G -T /opt/data/sensage/tmp/winrm_system/">
<Postprocess match="^winrmsys.*">cat</Postprocess>
</Merge>

As the WinRM logs have the same format as the ones retrieved via SMB, they can be processed by the same merge loader and loader. This is achieved by changing the 'match' regular expression so that it accepts both the win2008sec and the winrmsec type file names (and likewise win2008sys and winrmsys):

<Merge enabled="1" loader="l_windows2008_load_security" maxMB="75000" age="80 min" sort="1" sortOptions="--stable -k1,2 -S 5G -T /opt/data/sensage/tmp/windows2008_security/">
<Postprocess match="^win.*sec.*">cat</Postprocess>
</Merge>
<Merge enabled="1" loader="l_windows2008_load_system" maxMB="75000" age="80 min" sort="1" sortOptions="--stable -k1,2 -S 5G -T /opt/data/sensage/tmp/windows2008_system/">
<Postprocess match="^win.*sys.*">cat</Postprocess>
</Merge>
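The following is an added example, not part of the original article and not Sensage's own tooling: it performs the two checks a practitioner would want before restarting the collector, namely that every Merge element references a Loader that is actually defined under /Collector/Loaders (the condition the error above reports), and which loader each queued file name would be routed to by the Postprocess 'match' patterns. The config.xml text is constructed from the snippets in this article; placing the Merge elements under the merge loader's own Loader element, and applying 'match' as a Python regular expression to the file name, are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed config.xml, modelled on the article's snippets (not a real appliance file).
# It deliberately keeps one leftover WinRM Merge that points at an undefined loader,
# so the check below has something to report. Element placement is an assumption.
CONFIG_XML = """<Collector>
  <Loaders>
    <Loader name="l_windows2008_load_security"/>
    <Loader name="l_windows2008_load_system"/>
    <Loader name="l_windows_merge">
      <Merge enabled="1" loader="l_windows2008_load_security" maxMB="75000" age="80 min" sort="1">
        <Postprocess match="^win.*sec.*">cat</Postprocess>
      </Merge>
      <Merge enabled="1" loader="l_windows2008_load_system" maxMB="75000" age="80 min" sort="1">
        <Postprocess match="^win.*sys.*">cat</Postprocess>
      </Merge>
      <Merge enabled="1" loader="l_winrm_load_security" maxMB="75000" age="80 min" sort="1">
        <Postprocess match="^winrmsec.*">cat</Postprocess>
      </Merge>
    </Loader>
  </Loaders>
</Collector>
"""


def dangling_merge_loaders(xml_text):
    """Return the 'loader' names referenced by Merge elements that have no
    matching /Collector/Loaders/Loader[@name=...] definition."""
    root = ET.fromstring(xml_text)
    defined = {ldr.get("name") for ldr in root.findall("./Loaders/Loader")}
    return [m.get("loader") for m in root.iter("Merge")
            if m.get("loader") not in defined]


def route_files(xml_text, filenames):
    """Map each queued file name to the list of loaders whose enabled Merge
    'match' pattern accepts it, in config order. An empty list means the file
    would never be merged; more than one entry means it is claimed twice."""
    root = ET.fromstring(xml_text)
    rules = []
    for merge in root.iter("Merge"):
        if merge.get("enabled") != "1":
            continue
        for pp in merge.findall("Postprocess"):
            # Assumption: 'match' is a regex anchored at the start of the file name.
            rules.append((re.compile(pp.get("match")), merge.get("loader")))
    return {name: [loader for rx, loader in rules if rx.match(name)]
            for name in filenames}


# Constructed sample of file names as they might sit in the merge loader's queue.
SAMPLE_FILES = [
    "win2008sec_dc01.log",   # pulled via SMB
    "winrmsec_dc02.log",     # pulled via WinRM
    "winrmsys_dc02.log",
    "syslog_fw01.log",       # unrelated source, must not be claimed
]

if __name__ == "__main__":
    for name in dangling_merge_loaders(CONFIG_XML):
        print(f"Merge references undefined loader: {name}")
    for fname, loaders in route_files(CONFIG_XML, SAMPLE_FILES).items():
        print(f"{fname}: {loaders or 'NOT MATCHED'}")
```

With the leftover WinRM Merge still present, the check reports l_winrm_load_security as undefined and shows winrmsec_dc02.log being claimed by two Merge definitions; once that Merge is removed as described above, each Windows file maps to exactly one of the windows2008 loaders and unrelated files map to none.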


Testing

  • Back-date the files in the merge loader's queue directory under /opt/data/sensage/data/collector/queue/... so that they exceed the Merge 'age' threshold and are processed immediately, e.g. touch -d "Jul 12 2021" *. Confirm that all the logs, both the regular Windows2008 ones pulled via SMB and the new WinRM ones, are merged and loaded successfully.
  • Monitor the merged file to confirm it is loaded into the SLS, then run an Analyzer report filtered on the name of a server whose logs were retrieved via WinRM and check that its events are present.

The load collector is ready to receive logs from both WinRM and SMB.
