Custom Windows log file content monitoring

Nashisu
Posts: 3
Joined: Thu Apr 06, 2017 4:31 am

Custom Windows log file content monitoring

Post by Nashisu »

Hi all,

I'd kindly like to request some help to configure some monitoring of custom log files being generated/overwritten every 30 minutes on a Windows 2012 Server running a SIEM application. The server is already being monitored by Nagios Core for standard physical server checks via NSClient++.

These text-based log files contain a simple numeric count (messages per second / MPS) from the SIEM for numerous entities; each numeric count for each entity has a specific threshold that I need to stipulate in Nagios if possible.

Here is an example of an entity:

Entity Name = ExampleA
Average Count = 200
Threshold = 500
80% warning threshold = 400
90% critical threshold = 450
Log file location: 'C:\Users\User_Name\Stats\MPS_ExampleA.txt'

I'd like to somehow monitor the MPS count for this entity via Nagios by reading the log file content (eg. 200) and alert if that number hits the warning or critical threshold (400 / 450). Essentially, I'd prefer to use a standard plugin if possible, but I'm certainly open to any ideas and further discussion.
Last edited by Nashisu on Tue Apr 18, 2017 6:52 am, edited 1 time in total.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Custom Windows log file content monitoring

Post by mcapra »

Most of the "file checking" plugins only do simple regex matches, which doesn't seem particularly useful for your use case. You could probably do this with a simple Powershell script, though I'm no Powershell expert.

Can you post a sample of the file you're trying to check? Though writing the whole plugin would be a bit out of scope, we might be able to offer some tips.
Former Nagios employee
https://www.mcapra.com/
Nashisu
Posts: 3
Joined: Thu Apr 06, 2017 4:31 am

Re: Custom Windows log file content monitoring

Post by Nashisu »

Thanks for the prompt reply. I've attached an example log file which is being generated by a Dev's script. As you'll see, it's a very simple text file with a single numeric value and nothing else. The file itself is updated & overwritten every 30 minutes on the Windows server via the same Dev script, so there's only ever one copy of it.

This numeric value is dynamic depending on 'traffic' going through the SIEM, and it's this MPS numeric count that I've been asked to somehow monitor in Nagios. The attached example is linked to the thresholds mentioned above. Ideally, I'd like to generate a warning alert when that number reaches 400 and a critical alert when it reaches 450.
Attachments
MPS_ExampleA.txt
Example Log File
(3 Bytes) Downloaded 222 times
tacolover101
Posts: 432
Joined: Mon Apr 10, 2017 11:55 am

Re: Custom Windows log file content monitoring

Post by tacolover101 »

you will want to write a powershell script that checks the LAST LINE of the txt file attached. then, add some simple logic in powershell to determine the state based on your threshold requirements.

i don't think the nagios guys will write this for you, but if you have a powershell developer on your team they should be able to whip it up pretty quick.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Custom Windows log file content monitoring

Post by mcapra »

As @tacolover101 pointed out, the Powershell would be pretty dirt simple. Though as a matter of policy we don't typically handle writing plugins in response to forum posts.

I would think understanding the Get-Content cmdlet would be a good starting point:
https://technet.microsoft.com/en-us/lib ... 76843.aspx

And here are the general Nagios plugin development guidelines:
https://nagios-plugins.org/doc/guidelines.html
Former Nagios employee
https://www.mcapra.com/
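
An added example, not posted by anyone in this thread: a sketch of the kind of PowerShell plugin discussed above, which reads the last line of the MPS file with Get-Content, compares it to the 400 / 450 thresholds from the first post, and returns the standard Nagios exit codes. The script name, parameter names and the 45-minute staleness limit are assumptions; the staleness check is there because a file that stops being rewritten every 30 minutes would otherwise keep reporting its last value as OK.

```powershell
# check_mps.ps1 (hypothetical name) - added example, not from the thread.
param(
    [Parameter(Mandatory = $true)][string]$Path,  # e.g. the MPS_ExampleA.txt file
    [int]$Warning = 400,                          # 80% threshold from the first post
    [int]$Critical = 450,                         # 90% threshold from the first post
    [int]$MaxAgeMinutes = 45                      # assumption: file is rewritten every 30 minutes
)

# Nagios plugin return codes
$OK = 0; $WARN = 1; $CRIT = 2; $UNKNOWN = 3

function Exit-Plugin([int]$Code, [string]$Message) {
    # One line of output plus an exit code is what Nagios expects from a plugin.
    Write-Output $Message
    exit $Code
}

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    Exit-Plugin $UNKNOWN "MPS UNKNOWN - file not found: $Path"
}

# A stale file means the generating script stopped; do not report an old value as OK.
$file = Get-Item -LiteralPath $Path
$ageMin = [int][math]::Floor(((Get-Date) - $file.LastWriteTime).TotalMinutes)
if ($ageMin -gt $MaxAgeMinutes) {
    Exit-Plugin $UNKNOWN "MPS UNKNOWN - $Path not updated for $ageMin minutes"
}

# Take the last non-empty line, as suggested in the thread.
$line = Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' } |
    Select-Object -Last 1

# Anything that is not a plain integer (empty file, partial write) is UNKNOWN.
$value = 0
if (-not [int]::TryParse(("$line").Trim(), [ref]$value)) {
    Exit-Plugin $UNKNOWN "MPS UNKNOWN - no integer value in $Path"
}

# Performance data in the label=value;warn;crit;min form from the plugin guidelines.
$perf = "mps=$value;$Warning;$Critical;0"

if ($value -ge $Critical) {
    Exit-Plugin $CRIT "MPS CRITICAL - $value msgs/sec | $perf"
} elseif ($value -ge $Warning) {
    Exit-Plugin $WARN "MPS WARNING - $value msgs/sec | $perf"
}
Exit-Plugin $OK "MPS OK - $value msgs/sec | $perf"
```

Because the thresholds are parameters, one script can serve every entity, with each Nagios service passing its own file path and warning/critical values.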
Nashisu
Posts: 3
Joined: Thu Apr 06, 2017 4:31 am

Re: Custom Windows log file content monitoring

Post by Nashisu »

Thank you both @tacolover101 & @mcapra, I really appreciate your advice. Unfortunately as I don't have any powershell scripting experience, please could you possibly share any Nagios plugin/script examples or guides to anything remotely similar to this? I'll go ahead and do some further reading & will ask colleagues for help and see where that leads me. Thanks again!
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN
Contact:

Re: Custom Windows log file content monitoring

Post by dwhitfield »

It doesn't need to be powershell. Anything you have access to on Windows. Python and Perl work on Windows, for example, although my experience with Perl in Windows suggests you should stay away from it if possible (although, to be fair, most of that experience was 9 years ago).

I'm not convinced the regex scripts won't work: http://stackoverflow.com/questions/2362 ... tain-range -- Obviously, it makes life easier if each server has the same warning and critical values.