NSClient++ and CheckEventLog
I am hitting my head against a brick wall here.
How can I use nsclient++ to monitor all warning and critical events on a server for the last 60 minutes?
I have tried
./check_nrpe -H HOSTNAME -p 5666 -c CheckEventLog -a filter=new file="system" MaxWarn=1 MaxCrit=1 filter-generated=\<1h filter-eventType==error filter=in filter=all
returns Unknown argument: filter-generated
and
./check_nrpe -H HOSTNAME -p 5666 CheckEventLog file=application file=system filter=new filter=out MaxWarn=1 MaxCrit=1 filter-generated=>2d filter-severity==success filter-severity==informational truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
Returns nothing
Trying to get this working from the terminal before I create the command.
Appreciate any help.
Re: NSClient++ and CheckEventLog
You can probably try running something like this:
./check_nrpe -H HOSTNAME -p 5666 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'informational'"
Re: NSClient++ and CheckEventLog
Thank you so much, that gave me output.
./check_nrpe -H Hostname -p 5666 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'informational'"
Service Control Manager(info, 7036, informational)[Windows Font Cache Service, stopped, ], Service Control Manager(info, 7036, informational)[Software Protection, stopped, ], Service Control Manager(info, 7036, informational)[Windows Event Log, stopped, ], Service Control Manager(info, 7036, informational)[Device Setup Manager, stopped, ], Service Control Manager(info, 7036, informational)[Windows Remote Management (WS-Management), stopped, ], Service Control Manager(info, 7036, informational)[Cryptographic Services, stopped, ], Service Control Manager(info, 7036, informational)[Plug and Play, running, ], Service Control Manager(info, 7036, informational)[Power, running, ], Service Control Manager(info, 7036, informational)[DCOM Server Process Launcher, running, ], Service Control Manager(info, 7036, informational)[RPC Endpoint Mapper, running, ], Service Control Manager(info, 7036, informational)[Remote Procedure Call (RPC), running, ], Service Control Manager(info, 7036, informational)[Local Session Manage
Now I will just play with it to get the correct level of error logging.
Re: NSClient++ and CheckEventLog
Okay, so it looks like I have it pulling the right information now.
How can I change the output formatting?
The test is sending it like this:
***** Nagios *****
Notification Type: PROBLEM
Service: Application Event Log
Host: Perth Splunk Server
Address:IP Address
State: CRITICAL
Date/Time: Fri Aug 29 10:23:32 WST 2014
Additional Info:
Wlclntfy(info, 6003, warning)[SessionEnv, ], Wlclntfy(info, 6000, warning)[SessionEnv, ], Wlclntfy(info, 6000, warning)[SessionEnv, ], Wlclntfy(info, 6003, warning)[SessionEnv, ], Wlclntfy(info, 6003, warning)[AUInstallAgent, ], Wlclntfy(info, 6000, warning)[SessionEnv, ], Wlclntfy(info, 6000, warning)[AUInstallAgent, ], Wlclntfy(info, 6000, warning)[SessionEnv, ], Wlclntfy(info, 6003, warning)[SessionEnv, ], Wlclntfy(info, 6000, warning)[SessionEnv, ], COM+(warning, 4440, warning)[WIN-CIJQ9OQMQF3
Our old Nagios with nrpe_nt sent them like so:
***** Nagios *****
Notification Type: PROBLEM
Service: Eventlog Check
Host: PERMBOX02
Address: IP Address
State: CRITICAL
Date/Time: Fri Aug 29 04:51:08 WST 2014
Additional Info:
MSExchangeDiagnostics(1006): Err=20 Warn=0 Instances=20 MSExchange ActiveSync(1021): Err=0 Warn=4 Instances=4 MSExchange Unified Messaging(1344): Err=0 Warn=2 Instances=2 ASP.NET 4.0.30319.0(1309): Err=0 Warn=2 Instances=2 M1EMS(0): Err=29 Warn=0 Instances=29
I would like to format the new check like the additional info in the second alert but am having issues doing this.
This is what my current command check is:
# Check EventLog Application
define command{
command_name check_eventlog_app
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckEventLog -a file=application MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'warning'"
}
Thanks
Re: NSClient++ and CheckEventLog
What are you looking to do, add "MSExchangeDiagnostics" in front of the text? That is all plugin output, you would need to change the check command itself to return alternative information if you want to change that. My guess is your old check used something else to produce this information?
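Since the text is plugin output, one way to get the old per-source summary is to post-process it on the Nagios side. The following is an added example, not part of the original posts and not NSClient++ or nrpe_nt code; the record layout is inferred from the output quoted in this thread, and `summarize` and the sample line are constructed for illustration:

```python
import re
import sys

# One record header, as seen in the output quoted in this thread:
#   Source(type, id, severity)[insertion strings]
# (layout inferred from those samples, not from NSClient++ documentation)
RECORD = re.compile(
    r"(?:^|\], )(?P<source>[^\[\]]+?)"
    r"\((?P<type>\w+), (?P<id>\d+), (?P<severity>\w+)\)\["
)

# Constructed sample; the last record is cut off the way the thread's output is.
SAMPLE = (
    "Service Control Manager(error, 7031, error)[Example Service, 1, ], "
    "Wlclntfy(info, 6003, warning)[SessionEnv, ], "
    "Wlclntfy(info, 6000, warning)[SessionEnv, ], "
    "Wlclntfy(info, 6003, warning)[AUInstallAgent, ], "
    "COM+(warning, 4440, warning)[WIN-EXAMPLE"
)

def summarize(plugin_output):
    """Return (summary, truncated) for one line of CheckEventLog output."""
    text = plugin_output.strip()
    counts = {}  # (source, event id) -> [errors, warnings, instances]
    for m in RECORD.finditer(text):
        row = counts.setdefault((m.group("source").strip(), m.group("id")), [0, 0, 0])
        severity = m.group("severity").lower()
        row[0] += int(severity == "error")
        row[1] += int(severity == "warning")
        row[2] += 1
    summary = " ".join(
        "%s(%s): Err=%d Warn=%d Instances=%d" % (src, eid, err, warn, total)
        for (src, eid), (err, warn, total) in counts.items()
    )
    # A line that does not end in "]" lost its tail, so counts are a lower bound.
    truncated = bool(text) and not text.endswith("]")
    return summary, truncated

if __name__ == "__main__":
    # Usage (hypothetical file name): check_nrpe ... | python eventlog_summary.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    summary, truncated = summarize(data)
    print(summary + (" [truncated: counts are a lower bound]" if truncated else ""))
```

Piping discards check_nrpe's exit status, so a wrapper used as a check command has to capture and return that status itself.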
Re: NSClient++ and CheckEventLog
I would like to get the same output that the old Nagios server did.
The old server is a 2.11 and used nrpe_nt.
I am not sure how I would have to modify the command check, hence the question.
Is there a newer version of the nrpe_nt?
Re: NSClient++ and CheckEventLog
Well, we would have to see how the old system was being checked; we would need the entire command definition that Nagios was running against that system in order to weigh in on that front.
Re: NSClient++ and CheckEventLog
These are the old check commands from the old Nagios server.
I hope that it is the right information.
Re: NSClient++ and CheckEventLog
Sorry, I mean the old server itself, the one you are checking against. We need to see how (for example) nt_eventlog_30 is defined, without knowing what the previous plugin was, and how you had the command set up it's hard to tell what options you may want to use with the new version, or if they are even available.
Re: NSClient++ and CheckEventLog
I have uploaded the old nsclient that we have on our existing servers. I hope this helps.