Re: Monitoring the Windows Event Log
Posted: Thu Aug 08, 2019 10:35 am
by scottwilkerson
Let's add the following to your nsclient.ini
Code:
; Section for the EventLog Checker (CheckEventLog.dll).
[/settings/eventlog]
; BUFFER_SIZE - The size of the buffer to use when getting messages this affects the speed and maximum size of messages you can receive.
buffer size = 131072
; LOOKUP NAMES - Lookup the names of eventlog files
lookup names = 1
; DEBUG - Log more information when filtering (useful to detect issues with filters) not useful in production as it is a bit of a resource hog.
debug = 0
; Section for NRPE active/passive check module.
[/settings/NRPE/client]
; CHANNEL - The channel to listen to.
channel = NRPE
Restart NSCP.
Then run the command again like this:
Code:
./check_nrpe -H xxx.xxx.xxx.xxx -p 5666 -c check_eventlog -a "filter=id=4003"
Re: Monitoring the Windows Event Log
Posted: Thu Aug 08, 2019 12:04 pm
by amitgupta19
Hi Scott,
Thanks for the update.
The error still remains the same.
[amgupta@cblnagios01 libexec]$ ./check_nrpe -H xxx.xxx.xxx.xxx -p 5666 -c check_eventlog -a "filter=id=4003"
No file specified try adding: file=Application
Re: Monitoring the Windows Event Log
Posted: Thu Aug 08, 2019 12:28 pm
by scottwilkerson
In trying to decipher this issue a little further, I used your nsclient.ini file and was able to make the command work on my system as specified. The only difference is I have a slightly newer version of NSClient++.
Code:
[root@localhost nagiosxi]# /usr/local/nagios/libexec/check_nrpe -H 192.168.xxx.xxx -c check_eventlog -a "filter=id=4003"
OK: No entries found|'count'=0;0;5
[root@localhost nagiosxi]# /usr/local/nagios/libexec/check_nrpe -H 192.168.xxx.xxx
I (0.4.4.23 2016-04-05) seem to be doing fine...
Re: Monitoring the Windows Event Log
Posted: Fri Aug 09, 2019 7:03 am
by amitgupta19
Thanks Scott
One more difference is that I have Nagios Core 4.4.3 and you have Nagios XI. Hope that it does not matter.
I have updated the NSClient to the latest version.
Now the error has changed:
[amgupta@cblnagios01 libexec]$ ./check_nrpe -H 172.23.xxx.xxx
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 172.23.xxx.xxx: 1
Re: Monitoring the Windows Event Log
Posted: Fri Aug 09, 2019 7:17 am
by scottwilkerson
Let's try modifying the [/settings/NRPE/server] section of the config to the following:
Code:
[/settings/NRPE/server]
ssl options = no-sslv2,no-sslv3
verify mode = none
insecure = true
use ssl = 1
allow nasty characters = 1
allow arguments = 1
port = 5666
Re: Monitoring the Windows Event Log
Posted: Mon Aug 12, 2019 7:30 am
by amitgupta19
Hi Scott,
Finally I am able to get the required result.
Thanks for your support.
My requirement is to check only the System log for Event ID 7002 every 30 minutes or 1 hour.
Can you suggest this, please?
Re: Monitoring the Windows Event Log
Posted: Mon Aug 12, 2019 7:40 am
by scottwilkerson
You would set up a normal Nagios service definition for this check, and set the following in the object to 30 or 60
Re: Monitoring the Windows Event Log
Posted: Thu Oct 03, 2019 11:08 am
by amitgupta19
Thanks, Scott, for the reply.
For the time range I suppose we have to use the "scan-range".
Also, the current formula that I am using is
./check_nrpe -H xxx.xxx.xxx.xxx -p 5666 -c check_eventlog "filter=id=7001"
It is fetching some logs and giving the data, but I am not sure from which event log it is fetching the data.
My requirement is to monitor the Security log for a specific Event ID. How can I specify in the command to search the Security log?
I tried file=Security, but it is not searching in the Security log.
Re: Monitoring the Windows Event Log
Posted: Thu Oct 03, 2019 11:34 am
by scottwilkerson
You should be able to add
AND log = 'Security' to the filter
like
Code:
./check_nrpe -H xxx.xxx.xxx.xxx -p 5666 -c check_eventlog "filter=id=7001 AND log = 'Security'"
Re: Monitoring the Windows Event Log
Posted: Thu Oct 03, 2019 12:16 pm
by amitgupta19
Please refer to the screenshot attached.
It is still not searching in the Security Log.
The message that it is giving is for the id=7001 in Systems Event Log.