Monitoring the Windows Event Log

Posted: Tue Jul 23, 2019 11:38 am
by amitgupta19
I am using Nagios Core 4.4.3 on CentOS.

I have a requirement to monitor the Windows Event Log.

Can anyone guide me on how to do it using NSClient++?

I know that we can do it using Nagios Log Server as well. Can you also point me to any document which has all the details to achieve this using Nagios Log Server?

Re: Monitoring the Windows Event Log

Posted: Tue Jul 23, 2019 1:04 pm
by scottwilkerson
NSClient can only scan for pre-defined things; here is their documentation:
https://docs.nsclient.org/reference/win ... kEventLog/

For Nagios Log Server, see this:
https://assets.nagios.com/downloads/nag ... Server.pdf

Re: Monitoring the Windows Event Log

Posted: Wed Jul 24, 2019 6:52 am
by amitgupta19
I have a requirement to search only for some specific Event IDs.

After going through the documentation for NSClient, I could not find how to implement it.

Which script do I need to download to my Nagios server?

What command should I use?

Can you guide me?

Re: Monitoring the Windows Event Log

Posted: Thu Jul 25, 2019 6:29 am
by scottwilkerson
In the "Checking for specific messages" section here:
https://docs.nsclient.org/reference/win ... c-messages

You can see that you can apply a filter and specify an id, which corresponds to the event ID.

check_eventlog "filter=provider = 'Microsoft-Windows-Security-SPP' and id = 903"
Or you could use just something like the following, where the event ID you want to use is 903:

check_eventlog "filter=id = 903"

Re: Monitoring the Windows Event Log

Posted: Tue Jul 30, 2019 6:34 am
by amitgupta19
Hi Scott,

Thanks for your response.

When I try to run the command manually, it gives the following error:

[xxxxxxxxx@cblnagios01 libexec]$ ./check_nrpe -H xxxxxxxx -p 5666 -c checkeventlog "filter=id=7002"
No file specified try adding: file=Application

If you can suggest what command I should write in the commands.cfg file and the services.cfg file, that would be great.

Re: Monitoring the Windows Event Log

Posted: Wed Jul 31, 2019 7:02 am
by amitgupta19
Can anyone look into it?

Re: Monitoring the Windows Event Log

Posted: Wed Jul 31, 2019 3:02 pm
by benjaminsmith
Hi @amitgupta19 ,
Can anyone look into it?
The command doesn't look quite right, try running:

./check_nrpe -H xxxxxxxx -p 5666 -c check_eventlog - a "filter=id=7002"
Let me know if you get it working.

Re: Monitoring the Windows Event Log

Posted: Thu Aug 01, 2019 7:27 am
by amitgupta19
Please find the update below:
The error remains the same.

[xxxxxxx@cblnagios01 libexec]$ ./check_nrpe -H xxxxxxxx -p 5666 -c check_eventlog - a "filter=id=7002"
No file specified try adding: file=Application

Re: Monitoring the Windows Event Log

Posted: Thu Aug 01, 2019 3:39 pm
by benjaminsmith
Hello @amitgupta19

It's working on my system.
It looks like there was an extra space in front of the a in the last command. My apologies, can you try it again?
./check_nrpe -H xxxxxxxx -p 5666 -c check_eventlog -a "filter=id=7002"

Re: Monitoring the Windows Event Log

Posted: Mon Aug 05, 2019 7:26 am
by amitgupta19
Hi Benjamin,

Thanks for the clarification. I have typed the whole command instead of copying and pasting. Now it is giving a different error:

[xxxxxxxx@cblnagios01 libexec]$ ./check_nrpe -H 172.16.xxx.xxx -p 5666 -c check_eventlog -a "filter=id=7002"
Exception processing request: Request contained arguments (not currently allowed, check the allow arguments option).
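
The "allow arguments" option named in the last error message is set in nsclient.ini on the Windows host. The fragment below is an added example, not taken from any post in this thread; the alias name alias_event_7002 and the address 192.0.2.10 are placeholders, and it assumes the event is written to the Application log, as the earlier "file=Application" hint suggests.

```ini
; nsclient.ini on the monitored Windows host (constructed example).

[/modules]
NRPEServer = enabled
CheckEventLog = enabled
; CheckExternalScripts provides the alias section used by option 1.
CheckExternalScripts = enabled

[/settings/default]
; Placeholder address: only the Nagios server should be able to query the agent.
allowed hosts = 192.0.2.10

[/settings/NRPE/server]
; Option 1 (narrow): keep remote arguments disabled and call the fixed
; alias defined below. The filter cannot be changed from the network.
allow arguments = false
; Option 2 (broad): uncomment to accept -a arguments from check_nrpe, as in
;   check_nrpe ... -c check_eventlog -a "file=Application" "filter=id=7002"
; Any host in "allowed hosts" can then pass arbitrary arguments to every
; command the agent exposes.
; allow arguments = true
; Keep shell metacharacters rejected in either case.
allow nasty characters = false

[/settings/external scripts/alias]
; Hypothetical alias name; the filter is fixed on the agent side.
alias_event_7002 = check_eventlog "file=Application" "filter=id = 7002"
```

With option 1 the Nagios side runs ./check_nrpe -H <host> -p 5666 -c alias_event_7002 with no -a, so the NRPE listener never has to accept remote arguments. Restart the NSClient++ service after editing the file.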