WindowsEventID Monitoring

Posted: Wed Aug 14, 2019 11:05 am
by grayloglearn
Hi Team,

Previously I raised the same ticket, but it was locked, so I am raising the query again.
I have downloaded the check_eventlog plugin from the URL below to check how it works, but it gives an error while executing the script.

https://gallery.technet.microsoft.com/s ... l-4153d359

After downloading it I just executed it, and the attached error is shown. Please find the attachment. Could you please help with how to enable EventID monitoring? We are using the NSCP client, version 0.5.

Re: WindowsEventID Monitoring

Posted: Wed Aug 14, 2019 12:52 pm
by mcapra
The solution is to either sign that script with an authority your system/organization trusts, or to change the PowerShell execution policy to allow unsigned (or remote signed) scripts to be executed:
http://tritoneco.com/2014/02/21/fix-for ... ly-signed/

Here's more info in an article written by @WillemDH, with a similar problem and solution in the article's comments:
https://outsideit.net/monitoring-window ... led-tasks/

Re: WindowsEventID Monitoring

Posted: Thu Aug 15, 2019 10:06 am
by mbellerue
Thanks for the good information, Matt!

grayloglearn, does the above information help with your issue?

Re: WindowsEventID Monitoring

Posted: Mon Aug 19, 2019 5:00 am
by grayloglearn
Thanks for the reply.

As you said, I have set the policy and tried to execute the script, and it is working fine. But I want to monitor the EventIDs in the attachment. I tried to execute it, but it says OK. How can I make it show CRITICAL when those EventIDs match, and OK when they do not match?

Re: WindowsEventID Monitoring

Posted: Mon Aug 19, 2019 9:27 am
by mbellerue
If it's not possible to have the script return critical upon finding the specific Event entry, then you could use the Negate plugin in Nagios XI.

https://assets.nagios.com/downloads/nag ... ios-XI.pdf

Re: WindowsEventID Monitoring

Posted: Tue Aug 20, 2019 12:12 am
by grayloglearn
Hi Team,

I have seen the entries below somewhere. How do I understand this?

CheckEventLog -a file=System MaxWarn=1 MaxCrit=1 "filter=generated gt -15m AND severity NOT IN ('success', 'informational') AND id='4320' and source='netbt'" truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"

Re: WindowsEventID Monitoring

Posted: Tue Aug 20, 2019 9:47 am
by mbellerue
I'm not familiar with this particular plugin, but I can piece together parts of it.

CheckEventLog -a file=System

Checking the System event log.

MaxWarn=1 MaxCrit=1

Warn and Crit settings.

"filter=generated gt -15m

Looking for logs generated more than 15 minutes ago? This seems odd. I would think you would want lt for less than, but I don't know the plugin.

AND severity NOT IN ('success', 'informational')

Filter continued, looking for logs where the severity is not success or informational.

AND id='4320' and source='netbt'"

Filter continued, looking for logs where the ID is 4320, and the source is an application called netbt.

truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"

I'm not really sure about the rest of this.
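To make the filter semantics concrete, here is an added Python model (not NSClient++ code, and not from anyone in this thread) that evaluates the AND-only legacy filter from the command above against constructed sample events and then applies the MaxWarn/MaxCrit thresholds. Two points are assumptions, labelled in the code: `generated gt -15m` is taken to mean "newer than 15 minutes ago" (the relative offset applied to the current time), and the state escalates once the matching count exceeds the threshold.

```python
import re
from datetime import datetime, timedelta

def rel_time(token):
    """'-15m' -> timedelta(minutes=-15); supports s/m/h/d suffixes."""
    m = re.fullmatch(r"(-?\d+)([smhd])", token.strip())
    unit = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}[m.group(2)]
    return timedelta(**{unit: int(m.group(1))})

def term_matches(term, ev, now):
    """One term: field='v', field!='v', field [NOT] IN ('a','b'), generated gt/lt -15m."""
    t = term.strip()
    m = re.fullmatch(r"(\w+)\s+(NOT\s+IN|IN)\s*\(([^)]*)\)", t, re.I)
    if m:
        wanted = {v.strip().strip("'").lower() for v in m.group(3).split(",")}
        hit = str(ev[m.group(1).lower()]).lower() in wanted
        return not hit if m.group(2).upper().startswith("NOT") else hit
    m = re.fullmatch(r"(\w+)\s*(=|!=|gt|lt)\s*'?([^']*)'?", t, re.I)
    field, op, val = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if field == "generated":
        # Assumption: 'generated gt -15m' means newer than (now - 15 minutes);
        # the relative offset is applied to the current time.
        cutoff = now + rel_time(val)
        return ev[field] > cutoff if op == "gt" else ev[field] < cutoff
    same = str(ev[field]).lower() == val.lower()
    return same if op == "=" else not same

def apply_filter(expr, events, now):
    """AND-only filter (no parentheses or OR): every term must match."""
    terms = re.split(r"\s+AND\s+", expr.strip(), flags=re.I)
    return [ev for ev in events if all(term_matches(t, ev, now) for t in terms)]

def check_eventlog(expr, events, now, max_warn, max_crit):
    """Return (state, count). Assumption: state escalates once count exceeds MaxWarn/MaxCrit."""
    count = len(apply_filter(expr, events, now))
    if count > max_crit:
        return "CRITICAL", count
    if count > max_warn:
        return "WARNING", count
    return "OK", count

# Constructed sample events (not real log data); 'now' is fixed for reproducibility.
NOW = datetime(2019, 8, 20, 12, 0)
EVENTS = [
    {"generated": NOW - timedelta(minutes=5), "severity": "error", "id": 4320, "source": "netbt"},
    {"generated": NOW - timedelta(minutes=40), "severity": "error", "id": 4320, "source": "netbt"},
    {"generated": NOW - timedelta(minutes=2), "severity": "informational", "id": 4320, "source": "netbt"},
    {"generated": NOW - timedelta(minutes=3), "severity": "error", "id": 7023, "source": "Service Control Manager"},
]
FILTER = "generated gt -15m AND severity NOT IN ('success', 'informational') AND id='4320' and source='netbt'"
```

With MaxWarn=1 MaxCrit=1 only one constructed event matches, so the result is OK; lowering both thresholds to 0 turns the same single match into CRITICAL, which is the behaviour asked about earlier in the thread.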

Re: WindowsEventID Monitoring

Posted: Tue Aug 27, 2019 11:45 pm
by grayloglearn
I am still a bit confused. Is there any document on monitoring an EventID with simple steps? If you could provide one, it would be really appreciated.
Small doubt: while installing NSClient we only tick the check_nt checkbox. In order for check_nrpe to work in NSClient, do we need to tick check_nrpe while installing?

If we need to, and we have already installed NSClient, how do we activate check_nrpe in NSClient?

Re: WindowsEventID Monitoring

Posted: Wed Aug 28, 2019 9:23 am
by mbellerue
I can point you to the NSClient documentation for Windows Event Logs.

https://docs.nsclient.org/reference/win ... kEventLog/

Regarding enabling NRPE on Windows with NSClient, you have to modify the NSClient configuration file. Under the Modules section, find NRPEServer = false and change the setting to true. If it's still not working after you restart the NSClient service, then check your firewall settings to make sure that the port is open.

Re: WindowsEventID Monitoring

Posted: Wed Sep 04, 2019 5:40 am
by grayloglearn
Hi Team,
Thanks for the help. I am really bothered by this query, but I am still getting some errors when I try. I am using NSClient on Windows and I enabled NRPE too.

I am using the command below to monitor event ID 7023. Find the attachment for both NSClient files.

root@ip-XXXx:/usr/local/nagios/libexec# ./check_nrpe -H XXXX -p 5666 -c check_eventlog -a "scan-range=-1500m" "file=System" "warn=count>0" "crit=none" "filter=(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')"
Exception processing request: Request command contained illegal metachars!

To resolve that "Exception processing request" error I have made some changes in NSClient as below, but I am still getting the error:
allow arguments = 1
allow_nasty_meta_chars = 1