NSClient++ and CheckEventLog

bryceee
Posts: 33
Joined: Mon Aug 11, 2014 8:27 pm
Location: Perth, Australia

NSClient++ and CheckEventLog

Post by bryceee »

I am hitting my head against a brick wall here.

How can I use NSClient++ to monitor all warning and critical events on a server for the last 60 minutes?

I have tried
./check_nrpe -H HOSTNAME -p 5666 -c CheckEventLog -a filter=new file="system" MaxWarn=1 MaxCrit=1 filter-generated=\<1h filter-eventType==error filter=in filter=all
returns Unknown argument: filter-generated

and

./check_nrpe -H HOSTNAME -p 5666 CheckEventLog file=application file=system filter=new filter=out MaxWarn=1 MaxCrit=1 filter-generated=>2d filter-severity==success filter-severity==informational truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
Returns nothing

Trying to get this working from the terminal before I create the command.

Appreciate any help.
lmiltchev
Former Nagios Staff
Posts: 13587
Joined: Mon May 23, 2011 12:15 pm

Re: NSClient++ and CheckEventLog

Post by lmiltchev »

You can probably try running something like this:

./check_nrpe -H HOSTNAME -p 5666 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'informational'"
bryceee
Posts: 33
Joined: Mon Aug 11, 2014 8:27 pm
Location: Perth, Australia

Re: NSClient++ and CheckEventLog

Post by bryceee »

Thank you so much, that gave me output:

./check_nrpe -H Hostname -p 5666 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'informational'"
Service Control Manager(info, 7036, informational)[Windows Font Cache Service, stopped, ], Service Control Manager(info, 7036, informational)[Software Protection, stopped, ], Service Control Manager(info, 7036, informational)[Windows Event Log, stopped, ], Service Control Manager(info, 7036, informational)[Device Setup Manager, stopped, ], Service Control Manager(info, 7036, informational)[Windows Remote Management (WS-Management), stopped, ], Service Control Manager(info, 7036, informational)[Cryptographic Services, stopped, ], Service Control Manager(info, 7036, informational)[Plug and Play, running, ], Service Control Manager(info, 7036, informational)[Power, running, ], Service Control Manager(info, 7036, informational)[DCOM Server Process Launcher, running, ], Service Control Manager(info, 7036, informational)[RPC Endpoint Mapper, running, ], Service Control Manager(info, 7036, informational)[Remote Procedure Call (RPC), running, ], Service Control Manager(info, 7036, informational)[Local Session Manage

Now I will just play with it to get the correct level of error logging.
bryceee
Posts: 33
Joined: Mon Aug 11, 2014 8:27 pm
Location: Perth, Australia

Re: NSClient++ and CheckEventLog

Post by bryceee »

Okay, so it looks like I have it pulling the right information now.
How can I change the output formatting?

The test is sending it like this:
***** Nagios *****

Notification Type: PROBLEM

Service: Application Event Log
Host: Perth Splunk Server
Address:IP Address
State: CRITICAL

Date/Time: Fri Aug 29 10:23:32 WST 2014

Additional Info:

Wlclntfy(info, 6003, warning)[SessionEnv, ], Wlclntfy(info, 6000, warning)[SessionEnv, ], Wlclntfy(info, 6000, warning)[SessionEnv, ], Wlclntfy(info, 6003, warning)[SessionEnv, ], Wlclntfy(info, 6003, warning)[AUInstallAgent, ], Wlclntfy(info, 6000, warning)[SessionEnv, ], Wlclntfy(info, 6000, warning)[AUInstallAgent, ], Wlclntfy(info, 6000, warning)[SessionEnv, ], Wlclntfy(info, 6003, warning)[SessionEnv, ], Wlclntfy(info, 6000, warning)[SessionEnv, ], COM+(warning, 4440, warning)[WIN-CIJQ9OQMQF3

Our old Nagios with nrpe_nt sent them like so:

***** Nagios *****

Notification Type: PROBLEM

Service: Eventlog Check
Host: PERMBOX02
Address: IP Address
State: CRITICAL

Date/Time: Fri Aug 29 04:51:08 WST 2014

Additional Info:

MSExchangeDiagnostics(1006): Err=20 Warn=0 Instances=20 MSExchange ActiveSync(1021): Err=0 Warn=4 Instances=4 MSExchange Unified Messaging(1344): Err=0 Warn=2 Instances=2 ASP.NET 4.0.30319.0(1309): Err=0 Warn=2 Instances=2 M1EMS(0): Err=29 Warn=0 Instances=29

I would like to format the new check like the additional info in the second alert but am having issues doing this.

This is what my current command check is

# Check EventLog Application
define command{
command_name check_eventlog_app
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckEventLog -a file=application MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'warning'"
}

thanks
slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Re: NSClient++ and CheckEventLog

Post by slansing »

What are you looking to do, add "MSExchangeDiagnostics" in front of the text? That is all plugin output, you would need to change the check command itself to return alternative information if you want to change that. My guess is your old check used something else to produce this information?
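
One way to get the nrpe_nt-style "Additional Info" line is to post-process the CheckEventLog output on the Nagios side. This is an added example, not code from the thread or from NSClient++; it assumes the entry shape `Source(type, id, severity)[strings]` seen in the output above and that Err/Warn count entries by the third field. The function names and the sample line are constructed.

```python
import re
from collections import OrderedDict

# Header of one entry as it appears in the CheckEventLog output quoted above:
#   Source(type, id, severity)[string, string, ]
# Only the header is matched, so a final entry whose bracketed strings were
# cut off (as in the notification text above) is still counted.
ENTRY = re.compile(
    r"(?P<source>[^\[\],]+)\((?P<type>\w+), (?P<id>\d+), (?P<severity>\w+)\)\["
)

def summarize(plugin_output):
    """Count entries per (source, event id), in order of first appearance."""
    counts = OrderedDict()
    for m in ENTRY.finditer(plugin_output):
        key = (m.group("source").strip(), int(m.group("id")))
        c = counts.setdefault(key, {"Err": 0, "Warn": 0, "Instances": 0})
        severity = m.group("severity").lower()
        if severity == "error":
            c["Err"] += 1
        elif severity == "warning":
            c["Warn"] += 1
        c["Instances"] += 1  # every matched entry counts, whatever its severity
    return counts

def format_summary(counts):
    """Render the counts in the old 'Source(id): Err=N Warn=N Instances=N' style."""
    return " ".join(
        "{}({}): Err={} Warn={} Instances={}".format(
            src, eid, c["Err"], c["Warn"], c["Instances"]
        )
        for (src, eid), c in counts.items()
    )

# Constructed sample in the same shape as the output above; the last entry is
# deliberately truncated and one message contains parentheses.
SAMPLE = (
    "Wlclntfy(info, 6003, warning)[SessionEnv, ], "
    "Wlclntfy(info, 6000, warning)[SessionEnv, ], "
    "Wlclntfy(info, 6003, warning)[AUInstallAgent, ], "
    "ExampleSvc(error, 1000, error)[failed (code 5), ], "
    "COM+(warning, 4440, warning)[EXAMPLE-HOST"
)

if __name__ == "__main__":
    print(format_summary(summarize(SAMPLE)))
```

A wrapper plugin built on this would also have to pass through the exit code of check_nrpe so the service state is unchanged.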
bryceee
Posts: 33
Joined: Mon Aug 11, 2014 8:27 pm
Location: Perth, Australia

Re: NSClient++ and CheckEventLog

Post by bryceee »

I would like to get the same output that the old Nagios server did.
The old server is a 2.11 and used nrpe_nt.

I am not sure how I would have to modify the command check, hence the question.
Is there a newer version of nrpe_nt?
slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Re: NSClient++ and CheckEventLog

Post by slansing »

Well, we would have to see how the old system was being checked; we would need the entire command definition that Nagios was running against that system in order to weigh in on that front.
bryceee
Posts: 33
Joined: Mon Aug 11, 2014 8:27 pm
Location: Perth, Australia

Re: NSClient++ and CheckEventLog

Post by bryceee »

nrpe_old_Server.cfg
The commands from the old server
Hi guys,

These are the old check commands from the old Nagios server.
I hope that it is the right information.
slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Re: NSClient++ and CheckEventLog

Post by slansing »

Sorry, I mean the old server itself, the one you are checking against. We need to see how (for example) nt_eventlog_30 is defined; without knowing what the previous plugin was and how you had the command set up, it's hard to tell what options you may want to use with the new version, or if they are even available.
bryceee
Posts: 33
Joined: Mon Aug 11, 2014 8:27 pm
Location: Perth, Australia

Re: NSClient++ and CheckEventLog

Post by bryceee »

I have uploaded the old nsclient that we have on our existing servers. I hope this helps
Nagios.zip