Monitoring and filtering windows event logs

Morello
Posts: 7
Joined: Tue Sep 20, 2016 7:23 am

Monitoring and filtering windows event logs

Post by Morello »

Hi,

I am trying to monitor and filter Windows event logs; I specifically need these below:

1. Events in the last hour
2. Security Related

I am trying this command but it does not give me any entry. Do I need more filtering here?

Code:
check_nrpe -H IPAdress -p Portnumber -c CheckEventLog -a file=security MaxCrit=1 "filter=generated > -1h AND "
OK: No entries found|'count'=0;0;1
But when I used this below, I got some results. Is this correct usage?

Code:
[root@ieiotlvm02 ~]# /usr/lib64/nagios/plugins/check_nrpe -H IP -p Port -c CheckEventLog -a file=security MaxCrit=1 "filter=generated > -2d"
Microsoft-Windows-Security-Auditing, Special privileges assigned to new logon.  Subject:  Security ID: S-1-5-18  Account Name: SYSTEM  Account Domain: NT AUTHORITY  Logon ID: 0x3E7  Privileges: SeAssignPrimaryTokenPrivilege   SeTcbPrivilege   SeSecurityPrivilege   SeTakeOwnershipPrivilege   SeLoadDriverPrivilege   SeBackupPrivilege   SeRestorePrivilege   SeDebugPrivilege   SeAuditPrivilege   SeSystemEnvironmentPrivilege   SeImpersonatePrivilege, Microsoft-Windows-Security-Auditing, An account was successfully logged on.  Subject:  Security ID: S-1-5-18  Account Name: X-2$  Account Domain: WORKGROUP  Logon ID: 0x3E7  Logon Type:  5  Impersonation Level: Impersonation  New Logon:  Security ID: S-1-5-18  Account Name: SYSTEM  Account Domain: NT AUTHORITY  Logon ID: 0x3E7  Logon GUID: {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID: 0x1d4  Process Name: C:\Windows\System32\services.exe  Network Information:  Workstation Name:  Source Network Address: -  Source Port: -  Detailed Au
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Monitoring and filtering windows event logs

Post by mcapra »

How you configure the command is slightly different between NSClient++ versions. Can you share the output of:

Code:
check_nrpe -H IPAddress

This worked for me against 0.4.4:

Code:
/usr/local/nagios/libexec/check_nrpe -H 192.168.67.99 -t 30 -c check_eventlog -a "file=security" "filter=written lt -2d"
Former Nagios employee
https://www.mcapra.com/
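An added example (not code from this thread, from Nagios or from NSClient++) that handles the three things the outputs above show: the one-line Nagios plugin format `STATUS: message|'count'=value;warn;crit`, the flattened `source, text, source, text` event listing that NSClient++ returns when entries match (cut off mid-word in the first post, with no perfdata section at all), and the first post's filter that ends in a dangling `AND`. It assumes those conventions only; the sample line is constructed from the thread's output and shortened, and the argv builder simply keeps each NSClient++ argument as one shell word, which is what the quoting in the commands above achieves.

```python
"""Parse and sanity-check what check_nrpe relays from NSClient++ CheckEventLog."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STATUSES = ("OK", "WARNING", "CRITICAL", "UNKNOWN")

# One perfdata item, e.g. 'count'=0;0;1 -> label, value, unit, ";warn;crit;min;max"
PERF_RE = re.compile(r"'([^']+)'=(-?[\d.]+)([a-zA-Z%]*)((?:;[^; ]*){0,4})")

# Constructed sample, shortened from the first post: two events, cut off mid-word,
# no '|' perfdata section (the listing is longer than what reached check_nrpe).
TRUNCATED_SAMPLE = (
    "Microsoft-Windows-Security-Auditing, Special privileges assigned to new logon. "
    "Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY "
    "Logon ID: 0x3E7 Privileges: SeTcbPrivilege SeDebugPrivilege, "
    "Microsoft-Windows-Security-Auditing, An account was successfully logged on. "
    "Subject: Security ID: S-1-5-18 Account Name: X-1$ Account Domain: WORKGROUP "
    "Logon Type: 5 Process Name: C:\\Windows\\System32\\services.exe Detailed Au"
)


@dataclass
class PerfItem:
    value: float
    unit: str = ""
    warn: Optional[str] = None
    crit: Optional[str] = None


@dataclass
class CheckResult:
    status: Optional[str]          # None when the line has no "STATUS:" prefix
    message: str
    perfdata: Dict[str, PerfItem] = field(default_factory=dict)
    perf_missing: bool = False     # no '|' section reached us: treat the line as cut short


def parse_plugin_output(line: str) -> CheckResult:
    """Split a Nagios plugin line into status, human text and perfdata items."""
    line = line.rstrip("\r\n")
    text, sep, perf = line.partition("|")
    status = None
    for s in STATUSES:
        if text.startswith(s + ":"):
            status, text = s, text[len(s) + 1:]
            break
    result = CheckResult(status=status, message=text.strip(), perf_missing=(sep == ""))
    for m in PERF_RE.finditer(perf):
        label, value, unit, tail = m.groups()
        fields = tail.split(";")[1:] if tail else []
        fields += [""] * (4 - len(fields))   # pad to warn, crit, min, max
        result.perfdata[label] = PerfItem(float(value), unit,
                                          fields[0] or None, fields[1] or None)
    return result


def split_events(message: str, source: str = "Microsoft-Windows-Security-Auditing") -> List[str]:
    """Turn NSClient++'s 'source, text, source, text' listing into one string per event."""
    parts = message.split(source + ", ")
    return [p.strip().rstrip(",").strip() for p in parts if p.strip()]


DANGLING_OP_RE = re.compile(r"\b(and|or|not)\s*$", re.IGNORECASE)


def validate_filter(expr: str) -> Optional[str]:
    """Return a problem description, or None when the filter expression looks usable.

    The thread's first attempt, "generated > -1h AND ", ends with a dangling AND and
    matched nothing; catching that before the check is scheduled is cheaper than
    chasing an 'OK: No entries found' that is really a broken filter.
    """
    expr = expr.strip()
    if not expr:
        return "empty filter"
    if DANGLING_OP_RE.search(expr):
        return "filter ends with a dangling boolean operator"
    if expr.count("'") % 2:
        return "unbalanced single quotes"
    return None


def build_check_nrpe_argv(host: str, command: str, args: List[str],
                          port: Optional[int] = None, timeout: int = 30) -> List[str]:
    """Build the argv list; each NSClient++ argument stays one element, spaces and all."""
    argv = ["check_nrpe", "-H", host]
    if port is not None:
        argv += ["-p", str(port)]
    argv += ["-t", str(timeout), "-c", command, "-a", *args]
    return argv


if __name__ == "__main__":
    ok = parse_plugin_output("OK: No entries found|'count'=0;0;1")
    print(ok.status, ok.perfdata["count"])
    cut = parse_plugin_output(TRUNCATED_SAMPLE)
    print("perf missing:", cut.perf_missing, "events seen:", len(split_events(cut.message)))
    print(validate_filter("generated > -1h AND "))
    print(build_check_nrpe_argv("192.0.2.10", "check_eventlog",
                                ["file=security", "filter=written lt -2d"], port=5666))
```

The `perf_missing` flag is the useful signal here: when a long event listing comes back without its trailing `'count'=...` section, the count is unknown rather than zero, so a wrapper should report UNKNOWN instead of trusting whatever text survived the cut.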
Morello
Posts: 7
Joined: Tue Sep 20, 2016 7:23 am

Re: Monitoring and filtering windows event logs

Post by Morello »

Hi,

Here are the outputs:

Code:
[root@localhost ~]# /usr/lib64/nagios/plugins/check_nrpe -H IP
I (0.4.4.19 2015-12-08) seem to be doing fine...

[root@localhost ~]# /usr/lib64/nagios/plugins/check_nrpe -H IP -t 30 -c check_eventlog -a "file=security" "filter=written lt -2d"
OK: No entries found|'count'=0;0;5
Thanks,
BR
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Monitoring and filtering windows event logs

Post by mcapra »

Is seeing 0 security entries in the event log in the past 2 days an expected result?
Former Nagios employee
https://www.mcapra.com/
Morello
Posts: 7
Joined: Tue Sep 20, 2016 7:23 am

Re: Monitoring and filtering windows event logs

Post by Morello »

No, it is not the expected result, because when I tried my old command like this below, I can see security events generated for the last hour...

[root@host ~]# /usr/lib64/nagios/plugins/check_nrpe -H X.X.X.X -p XXXX -c CheckEventLog -a file=security MaxCrit=1 "filter=generated > -1h"
Microsoft-Windows-Security-Auditing, Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege, Microsoft-Windows-Security-Auditing, An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: X-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 5 Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Au

Thanks.
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: Monitoring and filtering windows event logs

Post by tgriep »

Can you provide more details on what you are looking for?
Are you looking to get an alert on the number of events in the security log in the last hour, day, etc.?
There may be some examples on the NSClient.org file but the following link has some details on filtering.
http://docs.nsclient.org/0.4.2/referenc ... log.filter
Be sure to check out our Knowledgebase for helpful articles and solutions!
Morello
Posts: 7
Joined: Tue Sep 20, 2016 7:23 am

Re: Monitoring and filtering windows event logs

Post by Morello »

Actually, I was looking for the security logs themselves for the last hour.

BR,
Utku
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Monitoring and filtering windows event logs

Post by mcapra »

I'm a bit confused. The CheckEventLog function of NSClient++ wasn't really designed for just grabbing every single event on a Windows machine over a time period.

If you're interested in examining the last hour's worth of event logs, what's stopping you from using something like Nagios Log Server? Could you shed a little more light on your use case?
Former Nagios employee
https://www.mcapra.com/