Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Morello
Posts: 7 Joined: Tue Sep 20, 2016 7:23 am
by Morello » Thu Sep 22, 2016 1:05 am
Hi,
I am trying to monitor and filter Windows event logs; I specifically need these below:
1. Events in the last hour
2. Security Related
I am trying this command but it does not give me any entry. Do I need more filtering here?
check_nrpe -H IPAdress -p Portnumber -c CheckEventLog -a file=security MaxCrit=1 "filter=generated > -1h AND "
OK: No entries found|'count'=0;0;1
But when I used this below, I got some results. Is this correct usage?
[root@ieiotlvm02 ~]# /usr/lib64/nagios/plugins/check_nrpe -H IP -p Port -c CheckEventLog -a file=security MaxCrit=1 "filter=generated > -2d"
Microsoft-Windows-Security-Auditing, Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege, Microsoft-Windows-Security-Auditing, An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: X-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 5 Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Au
mcapra
Posts: 3739 Joined: Thu May 05, 2016 3:54 pm
by mcapra » Thu Sep 22, 2016 12:04 pm
How you configure the command is slightly different between NSClient++ versions. Can you share the output of:
This worked for me against 0.4.4:
/usr/local/nagios/libexec/check_nrpe -H 192.168.67.99 -t 30 -c check_eventlog -a "file=security" "filter=written lt -2d"
Morello
Posts: 7 Joined: Tue Sep 20, 2016 7:23 am
by Morello » Fri Sep 23, 2016 1:29 am
Hi,
Here are the outputs:
[root@localhost ~]# /usr/lib64/nagios/plugins/check_nrpe -H IP
I (0.4.4.19 2015-12-08) seem to be doing fine...
[root@localhost ~]# /usr/lib64/nagios/plugins/check_nrpe -H IP -t 30 -c check_eventlog -a "file=security" "filter=written lt -2d"
OK: No entries found|'count'=0;0;5
Thanks,
BR
mcapra
Posts: 3739 Joined: Thu May 05, 2016 3:54 pm
by mcapra » Fri Sep 23, 2016 1:23 pm
Is seeing 0 security entries in the event log in the past 2 days an expected result?
Morello
Posts: 7 Joined: Tue Sep 20, 2016 7:23 am
by Morello » Mon Sep 26, 2016 12:51 am
No, it is not the expected result, because when I tried my old command like this below, I can see security events generated for the last 1 hour...
[root@host ~]# /usr/lib64/nagios/plugins/check_nrpe -H X.X.X.X -p XXXX -c CheckEventLog -a file=security MaxCrit=1 "filter=generated > -1h"
Microsoft-Windows-Security-Auditing, Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege, Microsoft-Windows-Security-Auditing, An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: X-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 5 Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Au
Thanks.
tgriep
Madmin
Posts: 9177 Joined: Thu Oct 30, 2014 9:02 am
by tgriep » Mon Sep 26, 2016 2:29 pm
Can you provide more details on what you are looking for?
Are you looking to get an alert on the number of events in the security log in the last hour, day, etc...
There may be some examples on the NSClient.org file but the following link has some details on filtering.
http://docs.nsclient.org/0.4.2/referenc ... log.filter
Be sure to check out our
Knowledgebase for helpful articles and solutions!
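An added example (not code from this thread, NSClient++ or Nagios) that ties together mcapra's check_nrpe command and tgriep's question about alerting on the number of security events in a window: it parses the `'count'` perfdata that CheckEventLog returns and maps it to a Nagios state with the wrapper's own thresholds. The sample output lines, the `eventlog_*` function names and the warn/crit semantics are this example's assumptions.

```shell
# Added example, not from the thread, NSClient++ or Nagios: parse the
# 'count' perfdata that CheckEventLog returns (e.g. "OK: No entries
# found|'count'=0;0;1") so a wrapper on the Nagios side can alert on the
# number of security events in a time window with its own thresholds.
# The sample outputs below are constructed; in production OUTPUT would
# come from the command that worked in this thread:
#   check_nrpe -H "$HOST" -p "$PORT" -c CheckEventLog \
#       -a file=security MaxCrit=1 "filter=generated > -1h"

# Print the integer after 'count'= in the perfdata section (after '|'),
# or nothing if the plugin returned no perfdata.
eventlog_count() {
    printf '%s\n' "$1" | sed -n "s/.*|'count'=\([0-9][0-9]*\).*/\1/p"
}

# Map a count to a Nagios exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN)
# using the wrapper's own warn/crit thresholds (an assumption of this
# example, not NSClient++'s MaxWarn/MaxCrit semantics).
eventlog_state() {
    count=$1; warn=$2; crit=$3
    case "$count" in
        ''|*[!0-9]*) echo 3; return 0 ;;   # no usable count: UNKNOWN
    esac
    if [ "$count" -ge "$crit" ]; then echo 2
    elif [ "$count" -ge "$warn" ]; then echo 1
    else echo 0
    fi
}

# Full check: parse the plugin line, classify it, print a Nagios-style
# status line and return the matching exit code.
eventlog_check() {
    n=$(eventlog_count "$1")
    state=$(eventlog_state "$n" "$2" "$3")
    case "$state" in
        0) label=OK ;; 1) label=WARNING ;; 2) label=CRITICAL ;; *) label=UNKNOWN ;;
    esac
    printf '%s: %s security events in window|count=%s;%s;%s\n' \
        "$label" "${n:-?}" "${n:-0}" "$2" "$3"
    return "$state"
}

# Constructed sample outputs, modelled on the lines shown in the thread.
SAMPLE_NONE="OK: No entries found|'count'=0;0;1"
SAMPLE_SOME="CRITICAL: 7 entries found|'count'=7;0;1"

eventlog_check "$SAMPLE_NONE" 1 5 || true
eventlog_check "$SAMPLE_SOME" 1 5 || true
```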
Morello
Posts: 7 Joined: Tue Sep 20, 2016 7:23 am
by Morello » Thu Sep 29, 2016 7:29 am
Actually I was looking for the security logs themselves for the last 1 hour.
BR,
Utku
mcapra
Posts: 3739 Joined: Thu May 05, 2016 3:54 pm
by mcapra » Thu Sep 29, 2016 4:25 pm
I'm a bit confused. The CheckEventLog function of NSClient++ wasn't really designed for just grabbing every single event on a Windows machine over a time period.
If you're interested in examining the last hour's worth of event logs, what's stopping you from using something like Nagios Log Server? Could you shed a little more light on your use case?