New Relic log has a random EventID and does not match what's in the windows event log

Testing the NewRelic-Infra agent for windows event log forwarding.
NewRelic-Infra version: version=1.12.5

Issue: NewRelic query/logs shows EventId as a random number, i.e. it is not the same as what was forwarded from the Windows event application log.

Why is the EventId different than in the windows event?

For example:

EventId on NewRelic Logs/Query: 3221242535
EventID on Windows event log: 17063

@hemant.baveja

The Infrastructure Agent uses fluent-bit to send these logs and it looks like the fluent-bit winlog plugin (which we use to capture these Event logs) is actually picking up the Instance ID as opposed to the simplified Event ID that you see in the event viewer. From this Microsoft document:

The InstanceId property uniquely identifies an event entry for a configured event source. The InstanceId for an event log entry represents the full 32-bit resource identifier for the event in the message resource file for the event source. The EventID property equals the InstanceId with the top two bits masked off. Two event log entries from the same source can have matching EventID values, but have different InstanceId values due to differences in the top two bits of the resource identifier.

1 Like

I have just encountered this as well.
Some eventids seem to match between Windows and New Relic, e.g. 4624.
Whilst others do not.

Is this a bug that will be fixed? Unless eventid matching is consistent, filtering isn’t reliable.

Incidentally, could this be why I don’t seem to be able to filter on eventid 7036 (stop/start a service) by specifying it in the infrastructure agent's winlog config file as below:

logs:
  # Winlog log ingestion with eventId filters.
  - name: windows-system
    winlog:
      channel: System
      collect-eventids:
        - 7036
      exclude-eventids:

I’m getting no 7036 events even though I have stopped and started services and can see the events in the Windows System log.
Gathering all the Windows System logs, I can find the stop/start service events but they look to have the Instance ID, not the Windows Event ID.

So I have the filtering working by using the Instance ID, e.g. Instance ID reported in New Relic 1073748860 matches the Windows event ID 7036.
So changing the host config file to:

logs:
  - name: windows-system
    winlog:
      channel: System
      collect-eventids:
        - 1073748860
      exclude-eventids:

Reports all “7036” service stop/start events as logged in the Windows System event log to New Relic.

I’d still like to see this behaviour changed so the Event ID is consistent across Windows and New Relic to remove this extra potential confusion.

@o.winterbone

I’ve been in contact with our engineers and they are going to look into this issue further and hopefully implement a fix when they are able to. I don’t have a specific timeline for when it will be fixed however. Be sure to keep an eye on future releases of the Infrastructure agent:

1 Like