Check Event Log Help Needed.

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Locked
kwhogster
Posts: 644
Joined: Wed Oct 14, 2015 6:51 pm
Location: Wood Ridge NJ USA
Post by kwhogster »

Nagios Core 4.1
Nsclient 4.4.23
Windows 2008 Windows 2012 R2 and Windows 2016 Server

Using this command

Code:

define command{
        command_name check_win_eventlog
        command_line $USER1$/ -H $HOSTADDRESS$ -s $ARG1$ -l $ARG2$ -t $ARG3$
}

Each server's config file entry:

Code:

define service {
        host_name               TGCS020-2016
        service_description     Check System Event Logs
        check_command           check_nrpe!check_eventlog -a file=System scan-range=-59m
        servicegroups           Event Logs
        check_interval          60
        check_period            backup_WIN16
        notification_period     backup_WIN16
        use                     generic-service
        }
define service {
        host_name               TGCS020-2016
        service_description     Check Application Event Logs
        check_command           check_nrpe!check_eventlog -a file=Application scan-range=-59m
        servicegroups           Event Logs
        check_interval          60
        check_period            backup_WIN16
        notification_period     backup_WIN16
        use                     generic-service
        }

I would like to filter out certain event errors. I get a lot of warnings that are nothing to worry about, for example:

Event id 157
WARNING: 4/4 System disk (Disk 2 has been surprise removed.), System disk (Disk 1 has been surprise removed.), System disk (Disk 2 has been surprise removed.), System disk (Disk 1 has been surprise removed.)

I get this on my Veeam Proxy servers and on the Veeam Server itself

I tried this

Code:

check_command           check_nrpe!check_eventlog -a file=System scan-range=-59m "filter=id>157"

But then I get all the informational events showing as critical.

Any idea on how to filter out certain events? Am I on the right path?

Thank you,

Tom
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Post by scottwilkerson »

I think what you want is something like this

Code:

check_command           check_nrpe!check_eventlog -a file=System scan-range=-59m "filter=level = 'critical' "

https://docs.nsclient.org/reference/win ... non-errors
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
kwhogster
Post by kwhogster »

Scott

thanks

Can I filter the event ID also? If so, do you have an example?
kwhogster
Post by kwhogster »

Scott

check_nrpe -t 50 -H TGCS006-2012R2 -c check_eventlog -a file=System scan-range=-5hr "filter=level = 41"

Does this do what I need

Filter out all informational and critical?

If so, and I do this, then

check_nrpe -t 50 -H TGCS006-2012R2 -c check_eventlog -a file=System scan-range=-5hr "filter=level = 41 and ID NOT Equal 157 "

I see the ID = 157 but how to exclude it?
scottwilkerson
Post by scottwilkerson »

you can do

Code:

check_nrpe -t 50 -H TGCS006-2012R2 -c check_eventlog -a file=System scan-range=-5hr "filter=level = 41 and id IN ('157') "
kwhogster
Post by kwhogster »

Code:

check_nrpe -t 50 -H TGCS006-2012R2 -c check_eventlog -a file=System scan-range=-5hr "filter=level = 41 and id IN ('157') "

Checked this out and it looks good.

How would I add another event ID, say Event ID 1, Event ID 20, Event ID 10, Event ID 157?

Other question:

Is my Filter=level = 41 correctly set up? I only want to post the errors and warnings, no other types. Does the 41 do that?



Thanks

Tom
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am
Post by tgriep »

I took a look at the examples on the NSClient++ site, and what the levels really are is not defined, but there are some examples of what some of them mean.
Take a look here and search for Severity/Level/Error:
https://docs.nsclient.org/reference/win ... kEventLog/

For errors and warnings, you would change the level to 2 or 3 in the command.

If you want to add another ID to the command, I think all you would have to do is to add it to the check.

Code:

check_nrpe -t 50 -H TGCS006-2012R2 -c check_eventlog -a file=System scan-range=-5hr "filter=level = 41 and id IN ('157', '1', '20', '10')"

Be sure to check out our Knowledgebase for helpful articles and solutions!
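
Added example, not part of any post in this thread and not NSClient++ code: a small Python model of the filter shapes that come up when excluding event IDs, run over constructed events. The events and the `NOISY_IDS` name are constructed, and the `not in` form quoted in the last comment is an assumption to confirm against the NSClient++ filter documentation for the installed version.

```python
# Constructed sample events (not real log data): (event id, level, message)
EVENTS = [
    (157, "warning", "Disk 2 has been surprise removed."),
    (157, "warning", "Disk 1 has been surprise removed."),
    (7036, "informational", "Service entered the running state."),
    (41, "critical", "System rebooted without cleanly shutting down."),
    (11, "error", "Driver detected a controller error."),
    (1, "warning", "Constructed noisy warning."),
]

NOISY_IDS = {157, 1, 20, 10}  # event ids named in the thread as noise


def select(events, predicate):
    """Return the events a filter keeps; the check reports on these."""
    return [e for e in events if predicate(*e)]


# Python stand-ins for each filter shape (the filter text is in the comments).
FILTERS = {
    # id>157: keeps every event with a higher id, whatever its level
    "id > 157": lambda eid, level, msg: eid > 157,
    # several id IN (...) tests joined with "and": one id cannot equal
    # two different values, so nothing is ever kept
    "chained IN with and": lambda eid, level, msg: all(
        eid == i for i in NOISY_IDS
    ),
    # id IN ('157', '1', '20', '10'): keeps ONLY the noisy ids
    "single IN list": lambda eid, level, msg: eid in NOISY_IDS,
    # level in ('warning', 'error') and id not in (157, 1, 20, 10):
    # keeps warnings and errors, minus the known-noisy ids
    "level and NOT IN": lambda eid, level, msg: (
        level in ("warning", "error") and eid not in NOISY_IDS
    ),
}


def run_all(events=EVENTS):
    """Apply every filter to the events and return {filter name: kept events}."""
    return {name: select(events, pred) for name, pred in FILTERS.items()}


if __name__ == "__main__":
    for name, kept in run_all().items():
        print(f"{name:22} -> {[(eid, level) for eid, level, _ in kept]}")
```

Only the last shape suppresses the ID 157 noise while still reporting the unrelated error; an exclusion list like this should stay short and reviewed so it does not hide events that matter.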
kwhogster
Post by kwhogster »

I changed all my commands to

filter=level = 23

Will post results

Thanks

Tom
tgriep
Post by tgriep »

OK, post your results.
kwhogster
Post by kwhogster »

Seems to be working

Let's lock this as resolved

Thanks

Tom