Page 1 of 1

NSClient, CheckEventLog and VEEAM Backup Logs

PostPosted: Thu Sep 15, 2022 6:57 am
by SultanOfSwing
Hi community,

I am trying to pull VEEAMs Backup entries in the EventLog via NSClient++ (5.2.035) to a LibreNMS server.

LibreNMS receives the output from the NSClient without a hitch. The way the check is implemented in LibreNMS is to basically run the check_nrpe script with various options etc.

My problem is that I am specifically filtering for warnings in the "Veeam Backup" log and/or for entries by the provider "Veeam Backup" and "Veeam MP". The names of the log and provider have been copied and checked for leading spaces etc. I also filter for entries written within in the polling intervall. What I am getting back is some .NET related entry written way outside the filtered timeframe. The script also doesn't seem to tell me where I have srewed up.

I have tried the following permutations to filter out what I want:

./check_nrpe -2 -H my-VEEAM-host -n -c checkeventlog file='Veeam Backup' "filter=severity = 'warning' AND generated > -5m"
./check_nrpe -2 -H my-VEEAM-host -n -c checkeventlog scan-range=-5m file='Veeam Backup' "filter=level in ('warning', 'error', 'critical')" "warning=level = 'warning', problem_count > 0" "critical=level in ('error', 'critical'), problem_count > 0" "empty-state=ok" "provider = 'Veeam Backup' OR provider = 'Veeam MP'"

The Outpu I am getting is always:
.NET Runtime, Category: Veeam.GCP.PlatformService.WebApi.Framework.Common.Middleware.CUnhandledOperationsMiddleware Ev:00000002 RequestPath: /api/v1/proxies/configurationBackupProperties SpanId: |7ee851d5-4728d2d709c98da2. TraceId: 7ee8th: [/api/v1/proxies/configurationBackupProperties] |'problem_count'=1;0;0

Within the NS Client I have extended the INI file with the following:

enabled = true
log='Veeam Backup'
maximum age=300s
; Undocumented key
CheckEventLog = enabled

After each change of the INI file the NSClient service has been restarted.

Since I am getting a somewhat valid response (i.e. the same output I get when I just run the check with the eventlog command) I think my filters are screwed up.

Where am I wrong?

Thanks in advance