So with my check_nrpe now working, I am trying to check my event log for a specific event for Windows Defender. I have tried 2 possible ways and both aren't meeting my demands.
Firstly, I tried a custom plugin for Nagios - check_wmi_eventid.sh. This was done purely because I was aware of it before carrying out this Nagios install for a different employer: https://exchange.nagios.org/directory/P ... MI/details
I have successfully set this command up and its output is as follows:
root@glamon2:/usr/local/nagios/libexec# ./check_wmi_eventid.sh -H 192.168.60.41 -u mydomain/myusername -p mypassword -l application -e 1000 -w 1 -c 3 -t1 -m60000
Select EventCode,EventIdentifier,EventType,SourceName from Win32_NTLogEvent where ( Logfile = "application" ) and ( eventcode = "1000" ) and ( EventType = "1" ) and TimeGenerated > "20190807192311.000000-000"
CRITICAL 15 with Severity Level Error in application with in the last 41 Days, 16 hour|eventid1000=15;1;3;;
root@glamon2:/usr/local/nagios/libexec# ./check_wmi_eventid.sh -H 192.168.60.41 -u mydomain/myusername -p mypassword -l Microsoft-Windows-Windows Defender%4Operational -e 2000 -w 1 -c 3 -t1 -m60000
check_wmi_eventid is a script to check windows event log , for a certian eventid..
Simple example : check application log , for eventtype error(-t) and eventid 9003(-e) with in the last 60 mins(-m60),
set warning (-w) if greater than 1 ,and set error(-c) if greater than 3
check_wmi_eventid -H 172.10.10.10 -u domain/user -p password -l application -e 9003 -w 1 -c 3 -t1 -m60
Adv. example : same as above , but with arguments -O -W -C, these are custom plugin output for OK,Warning and Critical
Marco ITEMCOUNT,LASTSTR , can be used!!
check_wmi_eventid -H 172.10.10.10 -u domain/user -p password -l application -e 9003 -w 1 -c 3 -t1 -m60 -O "Every thing is OK"
-W "Warning : something is not right" -C "It is totaly bad , found ITEMCOUNT events"
With Eventtype error, warning and Information
check_wmi_eventid -H 172.10.10.10 -u domain/user -p password -l application -e 9003 -w 1 -c 3 -t1,2,3 -m60 -O "Every thing is OK"
-W "Warning : something is not right" -C "It is totaly bad , found ITEMCOUNT events"
Try it out :)
If you find any error , please let me know
OPTIONS:
-h Show this message
-H Host/Ip
-u Domain/user
-p password
-f path to credentials file instead. user and password ignored if set. First line Domain\user, second line password
-l Name of the log eg "System" or "Application" or any other Event log as shown in the Windows "Event Viewer".
-t Eventtype: # 1=error , 2=warning , 3=Information,4=Security Audit Success,5=Security Audit Failure. Multiple Eventypes possible with , separation
-e Eventid, Multiple Eventids possible with , separation
-s Sting search for string in message,Multiple strings possible with , separation
-S SourceName ,Multiple SourceNames possible with , separation
-m Number of past min to check for events.
-w Warning
-W Custom waring string - ITEMCOUNT,LASTSTR marco can be used ex. -W "ITEMCOUNT Wanings with in the LASTSTR"
-c Critical
-C Custom critical string - ITEMCOUNT,LASTSTR marco can be used ex. -W "ITEMCOUNT Critical with in the LASTSTR"
-O Custom ok sting - ITEMCOUNT,LASTSTR marco can be used ex. -W "Everything ok with in the LASTSTR"
-U CUstom unknown string - ITEMCOUNT,LASTSTR marco can be used ex. -W "ITEMCOUNT Unknowns with in the LASTSTR"
-d Debug
-v Version
Or via method two, which I have not been able to create a correct syntax for yet (example syntax):
root@glamon2:/usr/local/nagios/libexec# ./check_nrpe -H 192.168.60.41 -c CheckEventLog -a file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'" truncate=800 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
PS: putting a % between the space in "Windows Defender" doesn't work.
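To show what the first method is doing under the hood, here is an added example (not the poster's code and not part of check_wmi_eventid.sh) that builds the same Win32_NTLogEvent query the script printed above, quoting the log name as one WQL literal so a name with a space survives, and grades the hit count against -w/-c exactly as the script's perfdata line shows. The Defender log name "Microsoft-Windows-Windows Defender/Operational" is an assumption.

```python
"""Build the WQL query check_wmi_eventid.sh issues, with quoting that survives
a log name containing a space, then grade the hit count Nagios-style."""
from datetime import datetime, timedelta, timezone

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def wql_string(value: str) -> str:
    """Quote a WQL string literal, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def dmtf_datetime(moment: datetime) -> str:
    """Format a UTC datetime the way TimeGenerated is compared in the query,
    e.g. 20190807192311.000000-000 as seen in the output above."""
    return moment.strftime("%Y%m%d%H%M%S.%f") + "-000"


def build_query(logfile, event_codes, event_types, minutes, now=None):
    """Return the Win32_NTLogEvent query for the log / ids / types / window.
    'logfile' goes through wql_string, so an assumed name such as
    "Microsoft-Windows-Windows Defender/Operational" is carried as one
    literal instead of being split into two shell arguments."""
    now = now or datetime.now(timezone.utc)
    since = dmtf_datetime(now - timedelta(minutes=minutes))
    codes = " or ".join(f"EventCode = {wql_string(str(c))}" for c in event_codes)
    types = " or ".join(f"EventType = {wql_string(str(t))}" for t in event_types)
    return (
        "Select EventCode,EventIdentifier,EventType,SourceName from Win32_NTLogEvent "
        f"where ( Logfile = {wql_string(logfile)} ) and ( {codes} ) and ( {types} ) "
        f"and TimeGenerated > {wql_string(since)}"
    )


def grade(count, warn, crit, event_id, minutes):
    """Map a hit count to (exit code, plugin line); warning if count > warn,
    critical if count > crit, with perfdata in the script's own format."""
    if count > crit:
        state, label = CRITICAL, "CRITICAL"
    elif count > warn:
        state, label = WARNING, "WARNING"
    else:
        state, label = OK, "OK"
    perf = f"eventid{event_id}={count};{warn};{crit};;"
    return state, f"{label} {count} events with id {event_id} in the last {minutes} min|{perf}"


if __name__ == "__main__":
    print(build_query("Microsoft-Windows-Windows Defender/Operational", [2000], [1], 60))
    print(grade(15, 1, 3, 1000, 60000)[1])
```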