WindowsEventID Monitoring


Postby grayloglearn » Wed Aug 14, 2019 11:05 am

Hi Team,

Previously I raised the same ticket, but it was locked, so I am raising the query again.
I have downloaded the check_eventlog plugin from the URL below to check how it works, but it gives an error when executing the script.

https://gallery.technet.microsoft.com/s ... l-4153d359

After downloading it, I just executed it to check, and the attached error is shown. Please find the attachment. Could you please help with how to enable the EventID to monitor? We are using nscp client version 0.5.
Attachments
error.PNG
grayloglearn
 
Posts: 166
Joined: Thu Jul 06, 2017 8:55 am

Re: WindowsEventID Monitoring

Postby mcapra » Wed Aug 14, 2019 12:52 pm

The solution is to either sign that script with an authority your system/organization likes, or to change the PowerShell execution policy to allow unsigned (or remote signed) scripts to be executed:
http://tritoneco.com/2014/02/21/fix-for ... ly-signed/

Here's more info in an article written by @WillemDH, with a similar problem and solution in the article's comments:
https://outsideit.net/monitoring-window ... led-tasks/
Former Nagios employee
http://www.mcapra.com/
mcapra
 
Posts: 3584
Joined: Thu May 05, 2016 3:54 pm
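The signing route from the reply above, as an added example that is not part of the original post or the plugin's documentation. The script path and certificate subject are assumptions, and the self-signed certificate stands in for one issued by your organization's CA.

```powershell
# Added example. Run in an elevated PowerShell session on the monitored host.
# Hypothetical path: wherever you saved the downloaded plugin.
$script = 'C:\Program Files\NSClient++\scripts\check_eventlog.ps1'

# 1. Create a code-signing certificate (assumed subject name).
#    Prefer a certificate issued by your internal CA where one exists.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Monitoring Script Signing (example)' `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. A self-signed certificate is only accepted once the machine trusts it
#    both as a root and as a publisher.
$cer = Join-Path $env:TEMP 'monitoring-signing.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 3. Read the downloaded script first, then sign it. Any later change to the
#    file invalidates the signature, which is the point of signing.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

# 4. Confirm the signature verifies before touching the policy.
$sig = Get-AuthenticodeSignature -FilePath $script
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}

# 5. Require signatures machine-wide, so the policy also applies to the
#    account the monitoring agent runs under.
#    AllSigned    : every script must carry a trusted signature.
#    RemoteSigned : only scripts marked as downloaded must be signed.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

Get-ExecutionPolicy -List
```

Signing keeps the policy strict for everything else on the host, whereas allowing unsigned scripts relaxes it for every script, not just this plugin.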

Re: WindowsEventID Monitoring

Postby mbellerue » Thu Aug 15, 2019 10:06 am

Thanks for the good information, Matt!

grayloglearn, does the above information help with your issue?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
mbellerue
 
Posts: 806
Joined: Fri Jul 12, 2019 11:10 am

Re: WindowsEventID Monitoring

Postby grayloglearn » Mon Aug 19, 2019 5:00 am

Thanks for the reply.

As you said, you have set the policy and tried to execute the script, and it's working fine. But I want to monitor the EventID shown in the attachment. I tried to execute it, but it says OK. How do I make it show critical when the EventID matches, and OK if it does not match?
Attachments
eventid3.PNG
grayloglearn
 
Posts: 166
Joined: Thu Jul 06, 2017 8:55 am

Re: WindowsEventID Monitoring

Postby mbellerue » Mon Aug 19, 2019 9:27 am

If it's not possible to have the script return critical upon finding the specific Event entry, then you could use the Negate plugin in Nagios XI.

https://assets.nagios.com/downloads/nag ... ios-XI.pdf
mbellerue
 
Posts: 806
Joined: Fri Jul 12, 2019 11:10 am

Re: WindowsEventID Monitoring

Postby grayloglearn » Tue Aug 20, 2019 12:12 am

Hi Team,

I have seen the entries below somewhere. How do I understand this?

CheckEventLog -a file=System MaxWarn=1 MaxCrit=1 "filter=generated gt -15m AND severity NOT IN ('success', 'informational') AND id='4320' and source='netbt'" truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
grayloglearn
 
Posts: 166
Joined: Thu Jul 06, 2017 8:55 am

Re: WindowsEventID Monitoring

Postby mbellerue » Tue Aug 20, 2019 9:47 am

I'm not familiar with this particular plugin, but I can piece together parts of it.

CheckEventLog -a file=System

Checking the System event log

MaxWarn=1 MaxCrit=1

Warn and Crit settings

"filter=generated gt -15m

Looking for logs generated more than 15 minutes ago? This seems odd. I would think you would want lt for less than, but I don't know the plugin.

AND severity NOT IN ('success', 'informational')

Filter continued, looking for logs where the severity is not success or informational.

AND id='4320' and source='netbt'"

Filter continued, looking for logs where the ID is 4320, and the source is an application called netbt.

truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"

I'm not really sure about the rest of this.
mbellerue
 
Posts: 806
Joined: Fri Jul 12, 2019 11:10 am

Re: WindowsEventID Monitoring

Postby grayloglearn » Tue Aug 27, 2019 11:45 pm

I am still a bit confused. Is there any document on monitoring the EventID with simple steps? If you could provide one, it would be really appreciated.
A small doubt: while installing NSClient we only checked the check_nt option. In order for check_nrpe to work in NSClient, do we need to check check_nrpe while installing?

If we need to check it, and we have already installed NSClient, how do we activate check_nrpe in NSClient?
grayloglearn
 
Posts: 166
Joined: Thu Jul 06, 2017 8:55 am

Re: WindowsEventID Monitoring

Postby mbellerue » Wed Aug 28, 2019 9:23 am

I can point you to the NSClient documentation for Windows Event Logs.

https://docs.nsclient.org/reference/win ... kEventLog/

Regarding enabling NRPE on Windows with NSClient, you have to modify the NSClient configuration file. Under the Modules section, find NRPEServer = false and change the setting to true. If it's still not working after you restart the NSClient service, then check your firewall settings to make sure that the port is open.
mbellerue
 
Posts: 806
Joined: Fri Jul 12, 2019 11:10 am

Re: WindowsEventID Monitoring

Postby grayloglearn » Wed Sep 04, 2019 5:40 am

Hi Team,
Thanks for the help. I am really bothered about this query, and I am still getting some errors when I try. I am using NSClient on Windows and I enabled NRPE too.

I am using the command below to monitor event ID 7023. Find the attachments for both NSClient files.

root@ip-XXXx:/usr/local/nagios/libexec# ./check_nrpe -H XXXX -p 5666 -c check_eventlog -a "scan-range=-1500m" "file=System" "warn=count>0" "crit=none" "filter=(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')"
Exception processing request: Request command contained illegal metachars!

To resolve that "Exception processing request" error I have made some changes in NSClient as below, but I am still getting the error:
allow arguments = 1
allow_nasty_meta_chars = 1
Attachments
logfile.txt
Logfile
(7.58 KiB) Downloaded 7 times
nsclient-support.txt
nsclient
(1.15 KiB) Downloaded 7 times
eventid222.PNG
This attached ID needs to be monitored
grayloglearn
 
Posts: 166
Joined: Thu Jul 06, 2017 8:55 am
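A local equivalent of the filter in the post above, as an added example that is not NSClient's check_eventlog or the plugin discussed in the thread. It runs on the Windows host without going through NRPE, so a filter problem can be told apart from the argument-passing error, and it assumes a match should be reported as CRITICAL, as asked earlier in the thread.

```powershell
# Added example, not the plugin from the thread. Run on the Windows host itself.
param(
    [int]$EventId   = 7023,                       # ID from the post above
    [string]$Source = 'Service Control Manager',  # source from the post above
    [int]$Minutes   = 1500                        # same window as scan-range=-1500m
)

$filter = @{
    LogName      = 'System'
    ProviderName = $Source
    Id           = $EventId
    Level        = 2, 3     # 2 = Error, 3 = Warning
    StartTime    = (Get-Date).AddMinutes(-$Minutes)   # only events newer than this
}

try {
    # Results come back newest first.
    $hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
}
catch {
    # Get-WinEvent reports "no matching events" as an error; that is the OK case.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        $hits = @()
    }
    else {
        # Anything else (bad log name, access denied) must not look like OK.
        Write-Output "UNKNOWN: could not query the System log: $($_.Exception.Message)"
        exit 3
    }
}

if ($hits.Count -eq 0) {
    Write-Output "OK: no event $EventId from '$Source' in the last $Minutes minutes | count=0"
    exit 0
}

# First line of the newest message; '|' is reserved for Nagios performance data.
$latest  = $hits[0]
$summary = (("$($latest.Message)" -split "`r?`n")[0]) -replace '\|', '/'
Write-Output "CRITICAL: $($hits.Count) x event $EventId from '$Source' in the last $Minutes minutes; latest at $($latest.TimeCreated): $summary | count=$($hits.Count)"
exit 2
```

Exit codes follow the Nagios plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.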
