Nagios Event Log NSCLIENT help

[mcapra]

I'm confused, it looks like you shared the definition for the check_eventlog command, yet have configured your service to use check_win_nrpe. Just so we're on the same page, which command are you intending to leverage for your check?

[me@work55]

Note

On my network at home tried the same commands and services get the same results

On the one server I cleared the event log and then it was OK

Then an application information event 6013 caused it to go critical again I m not checking for informational messages

Thoughts

[me@work55]

Code: Select all

# Use for nrpe ( windows checking)
define command{
        command_name    check_win_nrpe
        command_line    /usr/local/nagios/libexec/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ $ARG2$
        }

[me@work55]

mcapra

check this one out might help you understand this

https://support.nagios.com/forum/viewto ... =7&t=42127

[mcapra]

Does using a list rather that setting the severity directly in the filter affect your results? If I fictitiously generate an error, I get this:

Code: Select all

[root@xi-stable ~]# /usr/local/nagios/libexec/check_nrpe -H 192.168.67.99 -p 5666 -c checkeventlog   -a file=application MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity in ('warning', 'error')"
Desktop Window Manager, ???|'count'=1;1;1
[root@xi-stable ~]# echo $?
2

Which is a very different result that using the format of -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'warning'". It looks as if your service definition should be altered to use the check_eventlog command instead since that uses the same filter format.

[me@work55]

Are you saying do not use the check nrpe?

Can you give me an example of that you mean?

I tried this and no good

Code: Select all

define command{
command_name check_eventlog
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -t 30 -c CheckEventLog -a filter file=application MaxWarn=1 MaxCrit=1 "filter=generated lt -1h AND severity NOT IN ('success', 'informational')" unique descriptions "syntax=%source% {EventID %id%}[%severity%](Count=%count%)^MDate:%generated%^M%message%^M"
}

        define service{
        use                     generic-service
        host_name               metro-12r2-ltdb
        service_description     Windows System Event Log
        servicegroups           Event_Logs
        is_volatile             0
        check_period            24x7
        max_check_attempts      3
        normal_check_interval   5
        retry_check_interval    1
        contact_groups          win-admins
        notification_interval   120
        notification_period     24x7
        notification_options    w,u,c,r
        check_command           check_eventlog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'warning'"

#       check_command           check_win_nrpe!checkeventlog! -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'warning'"
}




Checking services...
Error: Service check command 'check_eventlog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'warning'"' specified in service 'Windows System Event Log' for host 'metro-12r2-ltdb' not defined anywhere!
        Checked 1063 services.

[me@work55]

I just tried modifying the service changing > to < no change

Changed the nsclient.ini from gt -2d to gt -1h no change.

The service is working to an extent the problem is that it is reading the entire event log system or application it is not only checking the last hour

Also I see some informational events listed I only and checking for warnings and errors

Thoughts

Tom

[tmcdonald]

This probably won't directly solve your problem but I would be remiss if I did not mention it. We developed a product called Nagios Logserver to address the issues with using Core + NSClient / NRPE to monitor logs. It works passively so you get it much closer to real-time, and the product is designed specifically to work well with parsing logs and pulling out certain fields. I would strongly advise checking it out, and if you still prefer to use Core afterward, we can continue troubleshooting that.

[me@work55]

I tried that product and did not like it

I need this to work correctly

this is a Nagios issue

[rkennedy]

The problem is actually with the syntax, or NSClient++ - Nagios is only presenting the information. You may have better luck creating a thread over here directly - https://forums.nsclient.org/

If you try another version, does it work successfully? check_eventlog appears to be the newer version at this point, while checkeventlog is deprecated. This page may help you out - https://docs.nsclient.org/reference/win ... kEventLog/