Monitoring the Windows Event Log

amitgupta19
Posts: 286
Joined: Fri Sep 08, 2017 5:53 am

Post by amitgupta19 »

I am using Nagios Core 4.4.3 on CentOS.

I have a requirement to monitor the Windows Event Log.

Can anyone guide me on how to do it using NSClient++?

I know that we can do it using the Nagios Log Server as well. Can you also point me to any document that has all the details to achieve this using the Nagios Log Server?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Monitoring the Windows Event Log

Post by scottwilkerson »

NSClient can only scan for pre-defined things; here is their documentation:
https://docs.nsclient.org/reference/win ... kEventLog/

For Nagios Log Server, see this:
https://assets.nagios.com/downloads/nag ... Server.pdf
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
amitgupta19
Posts: 286
Joined: Fri Sep 08, 2017 5:53 am

Re: Monitoring the Windows Event Log

Post by amitgupta19 »

I have a requirement to search only for some specific Event ID.

After going through the documentation for NSClient, I could not find how to implement it.

Which script do I need to download to my Nagios Server?

What command should I use?

Can you guide me?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Monitoring the Windows Event Log

Post by scottwilkerson »

In the "Checking for specific messages" section here:
https://docs.nsclient.org/reference/win ... c-messages

You can see that you can apply a filter and specify an id, which corresponds to the event id:

check_eventlog "filter=provider = 'Microsoft-Windows-Security-SPP' and id = 903"

Or you could use just something like the following, where the event id you want to use is 903:

check_eventlog "filter=id = 903"
amitgupta19
Posts: 286
Joined: Fri Sep 08, 2017 5:53 am

Re: Monitoring the Windows Event Log

Post by amitgupta19 »

Hi Scott,

Thanks for your response.

When I try to run the command manually, it gives the following error:

[xxxxxxxxx@cblnagios01 libexec]$ ./check_nrpe -H xxxxxxxx -p 5666 -c checkeventlog "filter=id=7002"
No file specified try adding: file=Application

If you can suggest what commands I should write in the commands.cfg file and the services.cfg file, that would be great.
amitgupta19
Posts: 286
Joined: Fri Sep 08, 2017 5:53 am

Re: Monitoring the Windows Event Log

Post by amitgupta19 »

Can anyone look into it?
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Monitoring the Windows Event Log

Post by benjaminsmith »

Hi @amitgupta19,

> Can anyone look into it?

The command doesn't look quite right, try running:

./check_nrpe -H xxxxxxxx -p 5666 -c check_eventlog - a "filter=id=7002"
Let me know if you get it working.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
amitgupta19
Posts: 286
Joined: Fri Sep 08, 2017 5:53 am

Re: Monitoring the Windows Event Log

Post by amitgupta19 »

Please find the update herewith:
The error remains the same.

[xxxxxxx@cblnagios01 libexec]$ ./check_nrpe -H xxxxxxxx -p 5666 -c check_eventlog - a "filter=id=7002"
No file specified try adding: file=Application
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Monitoring the Windows Event Log

Post by benjaminsmith »

Hello @amitgupta19

It's working on my system.
It looks like there was an extra space in front of the a in the last command. My apologies, can you try it again?
./check_nrpe -H xxxxxxxx -p 5666 -c check_eventlog -a "filter=id=7002"
amitgupta19
Posts: 286
Joined: Fri Sep 08, 2017 5:53 am

Re: Monitoring the Windows Event Log

Post by amitgupta19 »

Hi Benjamin,

Thanks for the clarification. I have typed the whole command instead of copying and pasting. Now it is giving a different error:

[xxxxxxxx@cblnagios01 libexec]$ ./check_nrpe -H 172.16.xxx.xxx -p 5666 -c check_eventlog -a "filter=id=7002"
Exception processing request: Request contained arguments (not currently allowed, check the allow arguments option).
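
Added example (not part of the thread, and not Nagios or NSClient++ project code): the last error comes from the agent refusing arguments sent over NRPE, and this nsclient.ini sketch shows the setting the message refers to beside a tighter alternative that fixes the filter on the Windows host. It assumes an NSClient++ release that uses the `/settings/...` section layout; the alias name `alias_event_7002` is hypothetical.

```ini
; nsclient.ini on the monitored Windows host.
; Restart the NSClient++ service after editing.

[/modules]
CheckEventLog = enabled
NRPEServer = enabled
; CheckExternalScripts provides the alias section used below.
CheckExternalScripts = enabled

[/settings/NRPE/server]
; Option A: what the error message points at. With this enabled, every
; host that is allowed to talk to NRPE can pass its own arguments
; (filters, file names, thresholds) to any exposed command.
; allow arguments = true

; Option B: keep arguments off and expose only fixed, named checks.
allow arguments = false
allow nasty characters = false

[/settings/external scripts/alias]
; The filter and log file are fixed on the agent; the Nagios server only
; names the alias. file=Application follows the hint in the earlier
; "No file specified" message; set it to the log that holds the event.
; alias_event_7002 is a hypothetical name chosen for this example.
alias_event_7002 = check_eventlog file=Application "filter=id = 7002"
```

With Option B the check from the thread is run without -a, as ./check_nrpe -H xxxxxxxx -p 5666 -c alias_event_7002, and the Nagios command definition passes only that alias name.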