IBM Support

WinCollect: WinCollect File Forwarder protocol does not collect the last event on a file

Troubleshooting


Problem

When a log source is configured to use the WinCollect File Forwarder protocol, it is noticed that the protocol does not collect the last event on the files that are monitored.

Symptom

  • If the protocol is configured to collect the events from new files, the last event event on the files is never collected.
  • If the protocol is configured to collect events that are appended on a file, when new events are appended on the file, the last event is not collected, but next time events are appended, the event that was not read before is collected along with the new events.
  • If the file the protocol is monitoring only contains one event (one line), this event is not collected.
  • The internal logs in the WinCollect agent located in \Program Files\IBM\Wincollect\logs\WinCollect.log show that the file is detected, processed, but no event is processed. On the following internal WinCollect logs you can see on the third line that zero event was processed:
    01-23 05:02:48.710 Processing file : C:\MyLogs\events.txt
    01-23 05:02:49.789 Opened file C:\MyLogs\events.txt
    ​​​​​​​01-23 05:02:49.789 Processed 0 records in 0 msec.

Cause

This is working as designed, the protocol WinCollect File Forwarder reads from the beginning of the line until it finds a new line (\n), or in other words an Enter, if the event does not contain this new line at the end, then it is not read.
For example, the protocol is collecting the events from a file that contains the following three line, the last line ends with a dot not with a new line (enter), so only the first two lines are collect:
2023-02-05 11:00:00 A connection has been started.
2023-02-05 11:00:00 The file has been updated.
2023-02-05 11:00:00 A connection has been closed.
But if the last line ends with a new line (enter) which in the following example is represented with an empty line at the end, then the three lines are collected:
2023-02-05 11:00:00 A connection has been started.
2023-02-05 11:00:00 The file has been updated.
2023-02-05 11:00:00 A connection has been closed.

Resolving The Problem

Customer needs to modify the script or configuration that posts the events on the file, so at the end of the file, there is always a new line or an extra line with information that does not affect the activity monitoring if it is not collected.
Example of events where the last line ends with an new line or enter:
2023-02-05 11:00:00 A connection has been started.
2023-02-05 11:00:00 The file has been updated.
2023-02-05 11:00:00 A connection has been closed.

Example of events where an extra line is added at the end:
2023-02-05 11:00:00 A connection has been started.
2023-02-05 11:00:00 The file has been updated.
2023-02-05 11:00:00 A connection has been closed.
*** End of transaction ***

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSV4BL","label":"IBM QRadar"},"ARM Category":[{"code":"a8m0z000000cwtwAAA","label":"WinCollect"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
06 February 2024

UID

ibm17115934