Check NRPE - Windows AD Account Lockout

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
jsherrod
Posts: 13
Joined: Fri Nov 19, 2010 9:18 am

Check NRPE - Windows AD Account Lockout

Post by jsherrod »

I am trying to set up a check using check_nrpe to look at the security log on a Windows server to notify me when an account is locked out. I would like to see the output from the command as the account name that is locked out. Right now it is only letting me know the number of occurrences. Can anyone help me figure out the correct syntax? My check command is below. Thanks!

./check_nrpe -H 192.168.104.237 -p 5666 -c checkEventLog -a file="Security" MaxWarn=1 MaxCrit=1 descriptions "filter=id=644 AND generated gt -5m" filter-eventSource=substr:$ARG4$ filter-message=substr:$ARG5$ truncate=800 unique descriptions "syntax= %source%:"
Eventlog check ok|'eventlog'=0;1;1;
tonyyarusso
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: Check NRPE - Windows AD Account Lockout

Post by tonyyarusso »

First, what are $ARG4$ and $ARG5$ for this check?
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/
tonyyarusso
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: Check NRPE - Windows AD Account Lockout

Post by tonyyarusso »

It would also help to know which version of the CheckEventLog syntax you're working with, since apparently there are two. It's possible that in order to do what you want you might need to tweak the NSClient++ check yourself, depending on how it was coded - I'm not sure yet.
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/
jsherrod
Posts: 13
Joined: Fri Nov 19, 2010 9:18 am

Re: Check NRPE - Windows AD Account Lockout

Post by jsherrod »

ARG4 and ARG5 weren't being used. I removed that from my check. Right now I am running it from the command line to verify the check output.

./check_nrpe -H 192.168.104.237 -p 5666 -c checkEventLog -a file="Security" MaxWarn=1 MaxCrit=1 descriptions "filter=id=644 AND generated gt -5m"

Eventlog check ok|'eventlog'=0;1;1;


We are using NSClient version 0.3.8.75 2010-05-27. I'm not sure how to check the CheckEventLog.dll version.
rdedon
Posts: 578
Joined: Sat Nov 20, 2010 4:51 pm

Re: Check NRPE - Windows AD Account Lockout

Post by rdedon »

For the CheckEventLog.dll, you should be able, on the client machine, to navigate to the .dll file and just give us the date on it. For example:
C:\nsclient\NSClient++-0.3.8-Win32\modules
or wherever you have installed it to (or renamed it). Just right-click > Properties and give us the created date (e.g. Created: Thursday, May 27, 2010, 10:49:44 PM).
Rene deDon
Technical Team
___
Nagios Enterprises, LLC
Web: http://www.nagios.com
jsherrod
Posts: 13
Joined: Fri Nov 19, 2010 9:18 am

Re: Check NRPE - Windows AD Account Lockout

Post by jsherrod »

That is the correct date that you mentioned.

Thursday, May 27, 2010, 10:49:44 PM
tonyyarusso
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: Check NRPE - Windows AD Account Lockout

Post by tonyyarusso »

Okay, a few things:

First, it appears that the data coming back from NSClient++ is using the Windows-style line endings, which confuses Linux. Since Nagios does not run on Windows, I would consider this a bug in the NSClient++ code. To work around it, you will need to pass the data through a 'tr' filter before using it.

Second, a whole bunch of information comes back. It will be up to you to parse this and reformat it into the way you want it. You might be able to do this with the 'syntax' value, but I'm not sure - I just did it with an additional script.

I created a separate plugin, which in turn calls check_nrpe. The code for this and sample output are below. You would of course want to add the ability to take things as arguments, rather than hardcoding it like this, but this should get you pointed in the right direction.


#!/bin/bash
# Wrapper plugin: runs check_nrpe and reduces the verbose checkEventLog
# output from NSClient++ to the locked-out account name.

RAW_OUTPUT=$(/usr/local/nagios/libexec/check_nrpe -H 192.168.5.9 -c checkEventLog -a file="Security" MaxWarn=1 MaxCrit=1 descriptions "filter=id=644 AND generated gt -60m")

# $? here is the exit status of check_nrpe, so Nagios keeps its WARNING/CRITICAL state.
STATUS="$?"
if [ "$STATUS" != 0 ]; then
        # NSClient++ returns Windows CRLF line endings: drop the \r, collapse the
        # output onto one line (quoting $RAW_OUTPUT avoids the shell expanding
        # globs in the event text), then keep only the token that follows
        # "Target Account Name:".
        LOCKED_USER=$(printf '%s\n' "$RAW_OUTPUT" | tr -d '\r' | tr '\n' ' ' | sed 's/.*Target Account Name: \([^ ]*\).*/\1/')
        echo "User locked out: $LOCKED_USER"
        exit "$STATUS"
else
        echo "$RAW_OUTPUT"
        exit 0
fi


[root@localhost libexec]# ./check_audit
User locked out: Test
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/
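A parameterised version of the wrapper in Tony's post, added here as an example (it is not code from the thread, from Nagios or from NSClient++): the host and lookback window become arguments, the CRLF line endings are stripped, and every locked-out account in the window is listed once rather than only the last match. It assumes check_nrpe at /usr/local/nagios/libexec/check_nrpe (overridable through the CHECK_NRPE variable) and the 0.3.x checkEventLog syntax used above; the sample output at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not the script from the thread: a parameterised wrapper
# around check_nrpe + checkEventLog that strips NSClient++'s CRLF line
# endings and reports every locked-out account in the window once.
# Assumes the 0.3.x checkEventLog syntax and the standard plugin path.
# Note: event ID 644 is the lockout event on Windows 2000/2003; on
# Windows Server 2008 and later the equivalent event is 4740.

CHECK_NRPE=${CHECK_NRPE:-/usr/local/nagios/libexec/check_nrpe}

# Read raw checkEventLog output on stdin and print the unique account names
# that follow "Target Account Name:", space-separated (empty if none).
extract_locked_users() {
    tr -d '\r' |
    grep -o 'Target Account Name: [^ ,]*' |
    sed 's/^Target Account Name: //' |
    sort -u |
    paste -sd' ' -
}

# check_lockouts HOST [WINDOW]   e.g. check_lockouts 192.168.5.9 60m
# Returns check_nrpe's exit status so Nagios still sees WARNING/CRITICAL.
check_lockouts() {
    host=$1
    window=${2:-60m}
    raw=$("$CHECK_NRPE" -H "$host" -c checkEventLog -a file="Security" \
          MaxWarn=1 MaxCrit=1 descriptions \
          "filter=id=644 AND generated gt -$window")
    status=$?
    if [ "$status" -ne 0 ]; then
        users=$(printf '%s\n' "$raw" | extract_locked_users)
        echo "User(s) locked out: ${users:-unknown}"
    else
        echo "$raw"
    fi
    return "$status"
}

# Constructed sample of NSClient++ output (CRLF endings, one account listed
# twice) so extract_locked_users can be exercised without a Windows host:
SAMPLE=$(printf 'Target Account Name: alice, Target Domain: CORP\r\nTarget Account Name: bob\r\nTarget Account Name: alice\r\n')

# When run as a script with a host argument, perform the real check.
if [ $# -gt 0 ]; then
    check_lockouts "$@"
fi
```

Piping the sample through extract_locked_users yields "alice bob"; output with no lockout text (the "Eventlog check ok" line) yields an empty string, which the wrapper reports as "unknown".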
jsherrod
Posts: 13
Joined: Fri Nov 19, 2010 9:18 am

Re: Check NRPE - Windows AD Account Lockout

Post by jsherrod »

Thanks Tony, I will give this a try and let you know how I make out.
rdedon
Posts: 578
Joined: Sat Nov 20, 2010 4:51 pm

Re: Check NRPE - Windows AD Account Lockout

Post by rdedon »

Touch base back with us if you have any issues or if this does work for you. Thanks!
Rene deDon
Technical Team
___
Nagios Enterprises, LLC
Web: http://www.nagios.com