[closed] MWAgent 5.0 Build 335 RB - Updated 2007-08-16

Support, Questions and Discussions on MonitorWare Agent

Moderator: alorbach

Post by alorbach » Mon Jan 29, 2007 4:50 pm


The Rolling Beta program is open; features and bugfixes will be added continuously.
The changelog below helps you to keep track of the changes.
Feel free to test this new rolling beta version. If you are experiencing any problems,
kindly let us know via support email or this forum.

A note on Win32 and x64 Edition
MonitorWare Agent is available for 2 platforms. Since Build 333, both editions are unified in one Setup file; this includes the win32 platform and the x64 platform. If you had win32 installed before, your installation will be upgraded to x64 automatically without loss of any configurations.

:arrow: Download of the rolling beta
:arrow: MonitorWare Agent 5.0 Rolling Beta Manual

Below are the changes since version 4.3:

:!: 2007-08-16 / build 335
:arrow: Features/Enhancements
- Syslog Listener: Added Compressed Syslog Message handling into TCP Receiver as well now. This also includes the support for -transport-tls like octet-counted framing.
- EventLog Monitor: Added a new feature to automatically process EventLog backup logfiles, see MS KB312571 for more. This feature has to be enabled on an EventLogType basis. The EventLog Monitor will search for these backup files during each iteration. When it finds some, it tries to continue processing the EventLog from the last known position. A checksum of the previously processed Event is used to compare with the current EventLog record. If this checksum does not match, the whole backup logfile will be processed. Otherwise the EventLog Monitor will resume at the last known position within the backup logfile.

:!: 2007-08-01 / build 334
:arrow: Features/Enhancements
- Filter Engine: Added a new special Filter called "FileExists"; this filter checks whether a file exists or not.
- EventLog Monitor: Added an advanced option for better third-party EventLog support. It is used to set the default buffer for EventLog entries. For third-party EventLog implementations like NetApp, we recommend a higher default buffer of at least 65536 bytes. To avoid misunderstanding, this new feature _DOES NOT_ limit the maximum size of EventLog messages in any way!
- EventLog Monitor: Added an option to force using local EventLog message libraries instead of the remote machine's ones. Sometimes local event sources are more reliable, or required for third-party EventLog implementations.
- Forward Syslog Action: Added a new major feature into this Action, Diskqueue. This new option is only available for TCP based Syslog. Whenever a connection to a remote syslog server fails, the action starts caching the syslog messages in a local temp file. The folder for these files can be configured. You do not need to worry about multiple Actions using this feature; the filenames are generated using a unique GUID which is automatically generated for each Action. Once the Syslog target becomes available again, the cached messages are sent automatically. If you restart the Service while the Syslog Cache was active, it cannot be checked during service startup if the Syslog target is available now. Once the action is called again, the check is done and if the syslog target is available, the messages are sent. The size of this cache is only limited by the disk size. Files are split at 10MB by default, but this can also be configured. The maximum supported file size is 2GB.

:!: 2007-07-09 / build 333
:arrow: Features/Enhancements
- Setup: The Win32 and x64 editions are now unified in one installation package! This means ONE Setup, both editions - automatically detected during the installation. So if you install MonitorWare Agent on a Win32 based system, the Win32 Version of the Service will be installed. If you install MonitorWare Agent on an x64 based system, the x64 Version of the service will be installed.

:arrow: Bugfixes
- Syslog Listener: This bug concerns the UDP and TCP listener only. A problem with RFC3164 parsing could lead to an internal crash of the Syslog Listener. This condition happened very seldom, depending on some syslog messages. This Bug has been fixed now.

:!: 2007-06-28 / build 331
:arrow: Features/Enhancements
- Property Engine: Added property replacer option "compsp", to compress spaces inside a property
- SMTP Listener: Added more core functionality into the new service.
- Syslog Listener: Implemented the compressed syslog receiver for syslog over UDP (over TCP is not yet supported).
- Core Engine: Enhanced performance of debuglogging and added more debug outputs into certain areas of the Agent.
- Core Engine: Implemented advanced memory management which is available on Windows XP/2003 and higher. This will speed up overall processing in general depending on your Services and Actions.

:arrow: Bugfixes
- EventLog Monitor: ActiveDirectory GUID resolution now is set to true by default when we process the security log (and only then). This matches configuration program behaviour.
- Rule Engine: Fixed a bug that could cause the product to become unresponsive after an error in an action.
- Property Engine: Fixed a bug which could lead to invalid detections of search strings.

:!: 2007-05-23 / build 330
:arrow: Features/Enhancements
- Property Engine: Added new property $NOW, which is the local time in the format YYYY-MM-DD HH.MM.SS. Note that "." is used instead of ":" in the timestamp to make this value suitable for filename-generation.
- EventLog Monitor: The EventLog can now be automatically cleared (either after n number of polling cycles or after a specified hour). It is also possible to back up the EventLog before deleting it. Please note that an empty log may also be saved just after a clear. So far, applies to Event Log Monitor V1 only.
- SMTP Listener: Added a new Service called SMTP Listener. It mimics an SMTP server and converts incoming mails to InfoUnits. Please note that this feature is not yet fully implemented. Most importantly, this version of the rolling beta may abort if the SMTP listener is used. You may try it to get a glimpse of the new feature, but for it to be stable please wait for the next rolling beta version.

:!: 2007-05-09 / build 329
:arrow: Features/Enhancements
- RFC 3195 Changes: Enhanced Syslog/BEEP implementation for better interoperability with Cisco's implementation in IOS. The BEEP support has been in our products for a long time, but so far no major vendor offered BEEP support. Now that a first major vendor implementation is available, we need to tweak a few protocol parameters to make it fully interoperable. This has happened now.

:!: 2007-05-07 / build 328
:arrow: Bugfixes
- Syslog Action: Fixed a bug where a UDP socket send returned with "WSAEMSGSIZE (10040) Message too long" when an attempt was made to send an oversize packet. The message is now simply truncated; there is no other option available to handle such cases.

:!: 2007-04-25 / build 327
:arrow: Features/Enhancements
- Send Syslog/Setp Action: It is now possible to configure a service name for the port instead of a number only. This service name will be used to make a port lookup in the system services file. This feature was added by a customer request.
- Core / Command Line: Added a new command line option -o. This MUST be specified together with -r and MUST be immediately after -r (as the second option). If specified, the service does a single run of InforSources supporting that property and then terminates. So far, only the event log monitor supports this option.
:arrow: Bugfixes
- EventLog Monitor (SID Cache): A bug which could occur when a SID could not be successfully resolved could lead to unexpected internal EventLog Monitor Service interruptions. This bug has been removed now.

:!: 2007-04-11 / build 326
:arrow: Bugfixes
- EventLog Monitor: Fixed a bug which caused an internal shutdown of the Eventlog Monitor when more than one Eventressource was used. This bug was introduced due to the changes in Build 325.

:!: 2007-03-16 / build 325
:arrow: Features/Enhancements
- EventLog Monitor: Added support for resolving ActiveDirectory Schema GUIDs, as some Security Events on Domain Controllers have them. For example Event 565, which usually has a lot of these Schema GUIDs! The GUIDs are internally cached to speed up EventLog processing operations.
:arrow: Bugfixes
- SendEmail/Syslog Action: This is for Actions using TCP (so applies only if the Syslog Action was configured with TCP). A Send/Receive TimeOut of 30 seconds has been added into these actions to avoid possible lockdowns of a service.
- PortProbe: If the hostname was too long, this could cause the portprobe to fail internally if the portprobe failed resolving the DNS Name.

:!: 2007-01-29 / build 324
:arrow: Features/Enhancements
- Forward Syslog Action: Added support for sending multiple messages over a persistent syslog/TCP connection.
- Forward Syslog Action: Added capability to force -transport-tls like octet-counted framing for syslog/TCP connections
- Syslog Server: Added capability to work with -transport-tls framing on the syslog server side (but not yet compression)
Site Admin
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am
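
The Diskqueue behaviour described for build 334 (spool to per-action files when the TCP target is down, split files at a size limit, replay on the next call once the target is back) can be sketched as follows. This is an added example, not part of the original post and not Adiscon's code; the class and function names, the `.queue` file naming and the newline-delimited storage format are assumptions, and messages are assumed to contain no line breaks.

```python
import os
import uuid


class DiskQueue:
    """Disk spool for one forwarding action (hypothetical names and file format)."""
    def __init__(self, folder, max_file_bytes=10 * 1024 * 1024):
        self.folder = folder                  # configurable cache folder
        self.max_file_bytes = max_file_bytes  # 10 MB split size by default
        self.guid = uuid.uuid4().hex          # per-action GUID keeps actions apart
        self.seq = 0

    def _path(self, seq):
        return os.path.join(self.folder, f"{self.guid}.{seq:08d}.queue")
    def files(self):
        names = [n for n in os.listdir(self.folder) if n.startswith(self.guid + ".")]
        return [os.path.join(self.folder, n) for n in sorted(names)]

    def append(self, msg):
        line = msg + b"\n"
        path = self._path(self.seq)
        if os.path.exists(path) and os.path.getsize(path) + len(line) > self.max_file_bytes:
            self.seq += 1                     # current file is full: start the next one
            path = self._path(self.seq)
        with open(path, "ab") as f:
            f.write(line)

    def drain(self, send):
        """Replay oldest first; on the first failed send keep the unsent remainder."""
        sent = 0
        for path in self.files():
            with open(path, "rb") as f:
                pending = f.read().splitlines()
            for i, msg in enumerate(pending):
                if not send(msg):
                    with open(path, "wb") as f:
                        f.writelines(m + b"\n" for m in pending[i:])
                    return sent
                sent += 1
            os.remove(path)
        return sent

def forward(queue, send, msg):
    """Called per message: flush any backlog first so ordering is preserved."""
    if queue.files():
        queue.drain(send)
    if queue.files() or not send(msg):
        queue.append(msg)                     # target still down: spool to disk
        return False
    return True
```

Here `send` is any callable that returns `True` when the message was delivered over the TCP connection and `False` otherwise.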
