Windows Events receiver is starting to collect logs from beginning after restarting the machine #35232

Closed
saikalyan-bhagavathula opened this issue Sep 17, 2024 · 4 comments
Labels
bug Something isn't working needs triage New item requiring triage os:windows receiver/windowseventlog

@saikalyan-bhagavathula
Component(s)

receiver/windowseventlog

What happened?

Description

Try to collect a few Windows event logs by providing start_at: beginning. After collecting a few logs, restart the machine and run OpenTelemetry with the same configuration. You can see that the same logs we got before restarting the machine are collected again.

Steps to Reproduce

  • Start OpenTelemetry with the basic configuration provided below.
  • After it has collected the logs, you can stop OpenTelemetry.
  • Try to restart the OpenTelemetry service.

Expected Result

  • Only need to collect the events that are generated after we stop OpenTelemetry.

Actual Result

  • As the configuration has start_at: beginning, it is again collecting from the beginning.

Collector version

1.0.109

Environment information

Environment

OS: ("Windows 2022")
Compiler: (n/a)

OpenTelemetry Collector configuration

receivers:
  windowseventlog:
    channel: application
    start_at: "beginning"
exporters:
  debug:
    verbosity: detailed
service:
  pipelines:
    logs:
      receivers: [windowseventlog]
      exporters: [debug]

Log output

No response

Additional context

I think the issue here is that we are using a context while getting the Windows events, but that context will be dead once we stop OpenTelemetry. So, it is trying to fetch events from the start again once we restart.

@saikalyan-bhagavathula saikalyan-bhagavathula added bug Something isn't working needs triage New item requiring triage labels Sep 17, 2024
@VihasMakwana
Contributor

@saikalyan-bhagavathula Thanks for filing this issue.

By default, windowseventlog stores the offset in memory. As a result, when you restart the collector, you observe that data is duplicated.

You can avoid this by using the file_storage extension and adding storage under windowseventlog. Read more about storage here.


Your new config would look something like:

receivers:
  windowseventlog:
    channel: application
    start_at: "beginning"
    storage: file_storage
exporters:
  debug:
    verbosity: detailed
extensions:
  file_storage:
    directory: /path/to/directory
service:
  extensions: [file_storage]
  pipelines:
    logs:
      receivers: [windowseventlog]
      exporters: [debug]
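
The restart behaviour described in the answer above, as an added example that is not part of the thread and not the receiver's own code: a simplified Go model in which the offset is a numeric record ID. The function `collect`, the offset file layout and the sample record IDs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

// collect models one collector run over a channel of record IDs (constructed
// sample data) and returns the IDs it read. path == "" models the in-memory
// offset: it is gone after a restart, so start_at: beginning re-reads everything.
func collect(channel []uint64, path string) ([]uint64, error) {
	var offset uint64
	if path != "" {
		b, err := os.ReadFile(path)
		if err == nil {
			offset, err = strconv.ParseUint(string(b), 10, 64)
		}
		if err != nil && !os.IsNotExist(err) {
			return nil, fmt.Errorf("read offset %s: %w", path, err)
		}
	}
	var got []uint64
	for _, id := range channel {
		if id > offset {
			got = append(got, id)
			offset = id
		}
	}
	if path == "" {
		return got, nil
	}
	tmp := path + ".tmp" // write then rename, so a crash cannot truncate the offset
	if err := os.WriteFile(tmp, []byte(strconv.FormatUint(offset, 10)), 0o600); err != nil {
		return nil, err
	}
	return got, os.Rename(tmp, path)
}

func main() {
	dir, _ := os.MkdirTemp("", "offset-demo")
	defer os.RemoveAll(dir)
	for _, path := range []string{"", filepath.Join(dir, "offset")} {
		first, _ := collect([]uint64{1, 2, 3}, path)
		second, _ := collect([]uint64{1, 2, 3, 4}, path) // same channel after a restart
		fmt.Printf("persisted=%v first=%v after-restart=%v\n", path != "", first, second)
	}
}
```

Without a persisted offset the second run returns all four records, which is the duplication reported in this issue; with the offset file it returns only record 4.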

@pjanotti
Contributor

/label os:windows

@pjanotti
Contributor

Given that this is documented behavior of the receiver we should close this one.
