WindowsEventID Monitoring


Re: WindowsEventID Monitoring

Post by scottwilkerson »

Change this line

allow_nasty_meta_chars = 1

to this

allow nasty characters = 1

and then restart nsclient++
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com

Re: WindowsEventID Monitoring

Post by grayloglearn »

Finally it's working for me. Just want to check with you: if we add the below line, what does nsclient consider?

allow_nasty_meta_chars = 1



I am just attaching the lines to help someone who wants to monitor the event ID. Hope this will help at least one.

How to enable the Event ID monitor using check_nrpe for Windows Server

Event ID monitoring for Windows via check_nrpe
1) Install nsclient on Windows and, while installing nsclient, select the check_nrpe check box.
2) Go to the nsclient.ini file and add the below.

[/settings/NRPE/server]
allow arguments = 1
allow_nasty_meta_chars = 1

The nsclient I have used is version 0.4.4
Open ports 5666, 12489 from Windows

Now check the communication from the server to the remote Windows server. Use the below command to check whether check_nrpe will work or not.

root@ip-XXXXX:/usr/local/nagios/libexec# ./check_nrpe -H 172.31.89.249
I (0.4.4.23 2016-04-05) seem to be doing fine

3) Then check the event log/ID which you want to monitor.
The below is the screenshot of what I want to monitor.

I want to monitor Event ID 7023; for that, use the below command:

./check_nrpe -H 172.31.89.249 -c check_eventlog -a "scan-range=-1500m" "file=System" "warn=count>0" "crit=none" "filter=(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')"

-c check_eventlog : It's an inbuilt command with check_nrpe
-a scan-range : It will check the last 1500 min (it depends on how many minutes back you want)
file=System : You can see in the screenshot that LogName is System (if you want to monitor Application give application, or for Security give security)
warn=count>0 : If in the last 1500 min any event with ID 7023 is generated more than 0 times, meaning at least 1
"crit=none" : If there is no critical
"filter=(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')" : It will filter on Event ID 7023 and on the Source, which in the screenshot is Service Control Manager, and on the level being either error or warning; the level you can see in the screenshot below.


I checked it; it's working fine.
root@ip-XXXXx:/usr/local/nagios/libexec# ./check_nrpe -H 172.31.89.249 -c check_eventlog -a "scan-range=-1500m" "file=System" "warn=count>0" "crit=none" "filter=(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')"
WARNING: 1/1 System Service Control Manager (The IP Helper service terminated with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.)|'count'=1;0;0
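An added example, not part of the original posts and not NSClient++ code: a small Python audit of the [/settings/NRPE/server] block posted above. It flags the underscore key that the earlier reply said to rename, and reports when remote arguments or nasty characters are switched on. The function name, the set of truthy values and the finding texts are assumptions made for this example.

```python
import configparser

NRPE_SECTION = "/settings/nrpe/server"   # compared case-insensitively
TRUTHY = {"1", "true", "yes", "on"}      # assumed set of "enabled" values

# Constructed sample: the settings block as posted in this thread.
SAMPLE_INI = """\
[/settings/NRPE/server]
allow arguments = 1
allow_nasty_meta_chars = 1
"""

def audit_nrpe_settings(ini_text):
    """Return (key, finding) tuples for the NRPE server section of nsclient.ini."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    findings = []
    for name in parser.sections():
        if name.lower() != NRPE_SECTION:
            continue
        section = parser[name]
        # Underscore spelling: the thread's fix was to rename this key.
        if "allow_nasty_meta_chars" in section:
            findings.append(("allow_nasty_meta_chars",
                             "rename to 'allow nasty characters' as advised in the thread"))
        if section.get("allow arguments", "0").strip().lower() in TRUTHY:
            findings.append(("allow arguments",
                             "remote callers can pass arguments to checks; "
                             "limit which hosts can reach port 5666"))
        if section.get("allow nasty characters", "0").strip().lower() in TRUTHY:
            findings.append(("allow nasty characters",
                             "quotes and shell metacharacters are accepted in arguments"))
    return findings

if __name__ == "__main__":
    for key, finding in audit_nrpe_settings(SAMPLE_INI):
        print(f"{key}: {finding}")
```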

Re: WindowsEventID Monitoring

Post by scottwilkerson »

grayloglearn wrote: Now check the communication from the server to the remote Windows server. Use the below command to check whether check_nrpe will work or not.

root@ip-XXXXX:/usr/local/nagios/libexec# ./check_nrpe -H 172.31.89.249
I (0.4.4.23 2016-04-05) seem to be doing fine
This is the expected response.

This all appears to be working properly.