application and service logs event Id and specific string

Post by grayloglearn »

Hi Team,

We want to monitor the application and service logs event ID and a specific string. Can someone help with how to define a command to monitor the application and service logs event ID? Please find the attachment for your reference. We want to monitor Event ID 317, which is in the application and service logs; for that we have defined the command below, but we are not sure whether it is correct or not.
I am just worried about whether the check_eventlog command will work for application and service logs as well.


/usr/local/nagios/libexec/check_nrpe -H XXXX -u -t 30 -c check_eventlog -a "scan-range=-55000m" "file=AD FS 2.0/Admin" "warn=count>0" "crit=none" "filter=(id='317' AND source=' AD FS 2.0') AND level in('error', 'warning') "

We also want to monitor a string in the event log under "application and service logs"; please find the attachment. We want to monitor the string "The certificate has been revoked" in the details, which I have highlighted in the screenshot.

Post by mbellerue »

It looks like this particular function was meant to look at a single log file only. However, you can search for the string in the message by using this command.

/usr/local/nagios/libexec/check_nrpe -H XXXX -u -t 30 -c check_eventlog -a "scan-range=-55000m" "file=AD FS 2.0/Admin" "warn=count>0" "crit=none" "filter=(id='317' AND source=' AD FS 2.0' AND message='The certificate has been revoked') AND level in('error', 'warning') "
Do keep in mind that parsing the messages field will make the command take a little longer to execute.

Post by grayloglearn »

Hi Team,

Thanks for the reply. It is showing something wrong. As per the attachment, event ID 317 was generated 8-10-2019 3:16 PM. Our command is running with scan range -550000m. If we convert 550000 m to hours, it is 916.66667 hours, nearly 38 days, which means we are checking whether the last 38 days of logs have ID 317, and then it should give an alert, but it is showing OK. I tried with -5500m but I am still getting the OK state only.

I still have a doubt: does check_eventlog search automatically in the application and service logs area, or do we need to specify anything in the command again?

/usr/local/nagios/libexec/check_nrpe -H XXXX -u -t 90 -c check_eventlog -a "scan-range=-5500m" "file=AD FS 2.0/Admin" "warn=count>0" "crit=none" "filter=(id='317' AND source=' AD FS 2.0' AND message='The certificate has been revoked') AND level in('error', 'warning') "
OK: No entries found|'count'=0;0;0

You can see the times the event ID was generated and the scan range which I have kept.


/usr/local/nagios/libexec/check_nrpe -H XXXX -u -t 90 -c check_eventlog -a "scan-range=-550000m" "file=AD FS 2.0/Admin" "warn=count>0" "crit=none" "filter=(id='317' AND source=' AD FS 2.0' AND message='The certificate has been revoked') AND level in('error', 'warning') "
OK: No entries found|'count'=0;0;0

Post by scottwilkerson »

I noticed there was an additional space in the query after source; try:

/usr/local/nagios/libexec/check_nrpe -H XXXX -u -t 30 -c check_eventlog -a "scan-range=-55000m" "file=AD FS 2.0/Admin" "warn=count>0" "crit=none" "filter=(id='317' AND source='AD FS 2.0' AND message='The certificate has been revoked') AND level in('error', 'warning') "

Post by grayloglearn »

Hi Team,

I am still not getting valid output from:
/usr/local/nagios/libexec/check_nrpe -H xxxx -u -t 30 -c check_eventlog -a "scan-range=-55000m" "file=AD FS 2.0/Admin" "warn=count>0" "crit=none" "filter=(id='317' AND source='AD FS 2.0' AND message='The certificate has been revoked') AND level in('error', 'warning') "
OK: No entries found|'count'=0;0;0

But when I try without the message, it gives a warning, but that is also not a valid one:
/usr/local/nagios/libexec/check_nrpe -H XXXX -u -t 30 -c check_eventlog -a "scan-range=-5500m" "file=AD FS 2.0/Admin" "warn=count>0" "crit=none" "filter=(id='317' AND source='AD FS 2.0') AND level in('error', 'warning')"
OK: No entries found|'count'=0;0;0

But as per the logs, the alert was generated on Sunday; even so, it is not giving valid output. We are not able to understand where we are going wrong.

Post by scottwilkerson »

I think it would be best to direct the conversation to the actual software creators, as we are not the authors of NSClient++ and this could in fact be a bug.

They have a forum here:
https://forums.nsclient.org/
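The thread leaves open whether the filter or the plugin is at fault. A local cross-check run on the AD FS host itself shows whether Windows returns event 317 from the channel at all, independent of NSClient++. This is an added example, not code from the thread or from NSClient++; the script and its parameter names are hypothetical, and the defaults are the values quoted in the posts.

```powershell
# Added example: local cross-check of the NRPE filter, run on the AD FS host.
param(
    [string]$LogName  = 'AD FS 2.0/Admin',                   # channel from the thread
    [int]   $EventId  = 317,                                 # event ID from the thread
    [string]$Provider = 'AD FS 2.0',                         # "source" from the thread
    [string]$Needle   = 'The certificate has been revoked',  # string from the thread
    [int]   $Minutes  = 55000                                # mirrors scan-range=-55000m
)

# Open the channel first, so a wrong or unreadable log name is reported
# as UNKNOWN instead of being mistaken for "no entries".
try {
    $null = Get-WinEvent -ListLog $LogName -ErrorAction Stop
} catch {
    Write-Output "UNKNOWN: cannot open channel '$LogName': $($_.Exception.Message)"
    exit 3
}

$filter = @{
    LogName   = $LogName
    Id        = $EventId
    Level     = 2, 3                               # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty set.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Provider names actually recorded on the events, to compare with source='...'.
$seen = ($events | Select-Object -ExpandProperty ProviderName -Unique) -join ', '

# Substring match on the rendered message, restricted to the expected provider.
$hits = @($events | Where-Object {
    $_.ProviderName -eq $Provider -and $_.Message -like "*$Needle*"
})

$perf = "'count'=$($hits.Count);0;0"
$info = "$($events.Count) event(s) with ID $EventId in window, providers: [$seen]"
if ($hits.Count -gt 0) {
    # Events are returned newest first.
    Write-Output "WARNING: $($hits.Count) match(es), newest $($hits[0].TimeCreated.ToString('s')); $info|$perf"
    exit 1
}
Write-Output "OK: No entries found; $info|$perf"
exit 0
```

If this reports matches while the NRPE check still returns `count=0`, the difference lies in how the agent reads or filters the channel rather than in the event data.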