Re: WindowsEventID Monitoring

Posted: Wed Sep 04, 2019 6:52 am
by scottwilkerson
Change this line

allow_nasty_meta_chars = 1
to this

allow nasty characters = 1
and then restart nsclient++

Re: WindowsEventID Monitoring

Posted: Wed Sep 04, 2019 11:05 pm
by grayloglearn
Finally it's working for me. I just want to check with you: if we add the line below, how does nsclient interpret it?

allow_nasty_meta_chars = 1



I am just attaching the lines below to help anyone who wants to monitor an event ID. Hope this will help at least one person.

How to enable the Event ID monitor using check_nrpe for Windows server

Event ID monitoring for Windows via check_nrpe
1) Install nsclient on Windows, and while installing nsclient select the check_nrpe check box.
2) Go to the nsclient.ini file and add the lines below.

[/settings/NRPE/server]
allow arguments = 1
allow_nasty_meta_chars = 1

The nsclient version I used is 0.4.4.
Open ports 5666 and 12489 on Windows.

Now check the communication from the server to the remote Windows server. Use the command below to check whether check_nrpe works.

root@ip-XXXXX:/usr/local/nagios/libexec# ./check_nrpe -H 172.31.89.249
I (0.4.4.23 2016-04-05) seem to be doing fine

3) Then check the event log/ID that you want to monitor.
Below is the screenshot of what I want to monitor.

I want to monitor Event ID 7023; for that, use the command below.

./check_nrpe -H 172.31.89.249 -c check_eventlog -a "scan-range=-1500m" "file=System" "warn=count>0" "crit=none" "filter=(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')"

-c check_eventlog: It's a built-in command with check_nrpe.
-a scan-range: It will check the last 1500 min (it depends on how many minutes back you want to look).
file=System: You can see in the screenshot that LogName is System (if you want to monitor Application, give application; for Security, give security).
warn=count>0: Warn if, in the last 1500 min, any event with ID 7023 is generated more than 0 times, meaning at least 1.
"crit=none": There is no critical state.
"filter=(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')": It will filter on Event ID 7023, on the source, which in the screenshot is Service Control Manager, and on the level being either error or warning. You can see the level in the screenshot below.


I checked it and it's working fine.
root@ip-XXXXx:/usr/local/nagios/libexec# ./check_nrpe -H 172.31.89.249 -c check_eventlog -a "scan-range=-1500m" "file=System" "warn=count>0" "crit=none" "filter=(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')"
WARNING: 1/1 System Service Control Manager (The IP Helper service terminated with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.)|'count'=1;0;0
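The two key spellings discussed in this thread are easy to mix up, so here is an added example (not code from either poster or from the NSClient++ project) that audits the NRPE section of an nsclient.ini. It assumes the section and key names shown in the thread plus NSClient++'s `allowed hosts` setting; the sample inputs and the address 192.0.2.10 are constructed.

```python
import configparser

NRPE = "/settings/NRPE/server"
DEFAULTS = "/settings/default"
NEW_KEY = "allow nasty characters"   # spelling given in scottwilkerson's reply
OLD_KEY = "allow_nasty_meta_chars"   # spelling the reply says to replace

# Constructed sample inputs (not taken from a real host).
AS_POSTED = """[/settings/NRPE/server]
allow arguments = 1
allow_nasty_meta_chars = 1
"""
CORRECTED = """[/settings/default]
allowed hosts = 192.0.2.10

[/settings/NRPE/server]
allow arguments = 1
allow nasty characters = 1
"""


def _on(value):
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_nsclient_ini(text):
    """Return a list of findings for the NRPE settings in nsclient.ini text."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=(";", "#"),
                                   interpolation=None, strict=False)
    cp.read_string(text)
    nrpe = dict(cp[NRPE]) if cp.has_section(NRPE) else {}
    findings = []
    if OLD_KEY in nrpe:
        findings.append(f"rename '{OLD_KEY}' to '{NEW_KEY}'")
    args_on = _on(nrpe.get("allow arguments", "0"))
    nasty_on = _on(nrpe.get(NEW_KEY, "0"))
    if args_on and not nasty_on:
        findings.append(f"'{NEW_KEY}' is off: quoted filter arguments need it")
    if args_on and nasty_on:
        # With both switches on, any client that can reach the NRPE port may
        # pass free-form arguments, so list only the Nagios server explicitly.
        hosts = nrpe.get("allowed hosts") or cp.get(DEFAULTS, "allowed hosts", fallback="")
        if not hosts.strip():
            findings.append("no explicit 'allowed hosts' entry while arguments are enabled")
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, "->", audit_nsclient_ini(text) or "no findings")
```
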

Re: WindowsEventID Monitoring

Posted: Thu Sep 05, 2019 8:29 am
by scottwilkerson
grayloglearn wrote: Now check the communication from the server to the remote Windows server. Use the command below to check whether check_nrpe works.

root@ip-XXXXX:/usr/local/nagios/libexec# ./check_nrpe -H 172.31.89.249
I (0.4.4.23 2016-04-05) seem to be doing fine

This is the expected response.

This all appears to be working properly.