Load Collector Is Not Retrieving Windows Event Files


The load collector is not retrieving Windows event files from a remote collector:

  • The transaction logs <sensage_path>/var/log/collector/transaction-<date>.log do not show transactions for that remote collector.
  • Files on the remote collector are pending load (stuck in the event queue) and are not being pulled.
  • /var/log/messages on the load collector shows an untar error for some files in the log queue directory.



The untar errors in syslog indicate that a retriever is exiting on files that are corrupted (possibly due to a truncated file transfer) and restarting over and over. The solution is to identify the filenames in the error logs and remove those files from the retriever spool directory.

  • Check the load collector's /var/log/messages and identify the corrupt files that are causing the untar error:

    ERROR [C2701]: <Retriever 'loader_name'> Daisy Chain untar of '/opt/app/sensage/latest/data/collector//queue/microsoft_windows_Events_sensageRetriever/spool/<filename>' to <...> failed exit code '512

    ERROR [B1400]: <Collector - spawn shepherd> A Retriever or Loader ('loader_name') is no longer functioning properly and has exited with condition 'ERROR [C2701]:

  • Locate those corrupt files in the log queue spool directory /opt/app/sensage/latest/data/collector//queue/microsoft_windows_Events_sensageRetriever/spool/ 
  • Remove the corrupted files from the spool directory.
  • Restart the collector.

The files should be retrieved correctly now.
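
The first three steps above as a script, added here as an example and not part of the vendor's tooling. It assumes the queue files are tar archives that `tar -tf` can list, moves them to a quarantine directory instead of deleting them so the truncated transfers can be examined later, and treats paths read from syslog as untrusted; the function names and the quarantine location are hypothetical. Restart the collector afterwards.

```shell
#!/bin/sh
# Added example: function names and the quarantine directory are assumptions.

# Print the unique file paths named in C2701 untar errors in a syslog file.
corrupt_paths() {
    sed -n "s/.*ERROR \[C2701\].*untar of '\([^']*\)' to .*/\1/p" "$1" | sort -u
}

# Move each reported file out of the spool if it really fails to list as a tar.
# $1 = syslog file, $2 = spool directory, $3 = quarantine directory
quarantine_corrupt() (
    log=$1
    quarantine=$3
    spool=$(cd "$2" && pwd -P) || exit 1
    mkdir -p "$quarantine" || exit 1
    corrupt_paths "$log" | while IFS= read -r path; do
        [ -f "$path" ] || continue
        dir=$(cd "$(dirname "$path")" && pwd -P) || continue
        # Log text is untrusted input: only touch files directly in the spool.
        if [ "$dir" != "$spool" ]; then
            echo "skip (outside spool): $path" >&2
            continue
        fi
        if tar -tf "$path" >/dev/null 2>&1; then
            echo "skip (archive lists cleanly): $path" >&2
        else
            mv -- "$path" "$quarantine/" && echo "quarantined: $path"
        fi
    done
)

# Run as: sh quarantine.sh /var/log/messages <spool_dir> <quarantine_dir>
if [ "$#" -eq 3 ]; then
    quarantine_corrupt "$1" "$2" "$3"
fi
```

Files that still list cleanly are left in place, so a C2701 error caused by something other than a damaged archive (for example a full target filesystem) does not lead to event data being pulled from the queue.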