NagEventLog license

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
tgfde
Posts: 233
Joined: Thu May 12, 2011 7:55 am

Re: NagEventLog license

Post by tgfde »

Hello,

I'm getting the error below from the NSClient log on Windows 2008 when running a local command to monitor a Windows event from the event log.

command:
./check_nrpe -H %HOST ADDRESS% -p 5666 -c checkEventLog -a file=system MaxWarn=1 MaxCrit=4 filter.eventID==35 filter.written==\<2d filter.severity==information filter.eventSource=Time-Service truncate=1022 filter=in filter=all descriptions

log:
2014-07-30 13:52:51: error:c:\source\nscp\branches\stable\modules\checkeventlog\eventlog_record.hpp:134: Could not extract DLL for eventsource: WinRM: SYSTEM\CurrentControlSet\Services\EventLog\system\WinRM.EventMessageFile -- Failed to get value: 2: The system cannot find the file specified.
2014-07-30 13:52:51: error:modules\NRPEListener\NRPEListener.cpp:325: NRPESocketException: To much data cant create return packet (truncate datat)


Thanks.
tgfde
Posts: 233
Joined: Thu May 12, 2011 7:55 am

Re: NagEventLog license

Post by tgfde »

OK, I got the following command to work. However, it tells me everything is OK even though I see the event in the Event Viewer. The event ID below gets written to the event log when a Windows service has entered a running state, so I know there are a lot of them in the event log. But the command tells me everything is OK.

./check_nrpe -H IP ADDRESS -p 5666 -c CheckEventLog -a filter=new file="system" MaxWarn=10 MaxCrit=10 filter-written=\>2d filter-eventID=="7036" filter-eventType==information filter=in filter=all

Thanks.
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: NagEventLog license

Post by sreinhardt »

Can you show us the event as seen in Windows, so that we can compare them to your filter?
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: NagEventLog license

Post by lmiltchev »

Are you sure your syntax is correct? Did you follow the examples, posted here:

http://www.nsclient.org/nscp/wiki/Check ... #ideventid

It seems like you have "filter-", where you should have "filter=", you have "==", "\>"...
Be sure to check out our Knowledgebase for helpful articles and solutions!
tgfde
Posts: 233
Joined: Thu May 12, 2011 7:55 am

Re: NagEventLog license

Post by tgfde »

I got it working with the command from the link provided.
I just have to figure out how to check what's written in the event log in the last ten minutes only.

Thank you!
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: NagEventLog license

Post by sreinhardt »

You might try the scan-range flag as defined here: http://docs.nsclient.org/reference/Chec ... scan-range
tgfde
Posts: 233
Joined: Thu May 12, 2011 7:55 am

Re: NagEventLog license

Post by tgfde »

OK. I got the command to work locally from the Nagios host. However, when I set everything up in the UI, the service check is sending me a critical notification for every entry in the event log (system). Please see below.

Local

./check_nrpe -H HOSTADRESS -p 5666 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -5m AND source = 'srv' AND id IN ('2019')" truncate=800 unique descriptions "syntax=%severity%: %source%: %id%: %message% (%count%)"
Eventlog check ok|'eventlog'=0;1;1;

UI

 $USER1$/check_nrpe -H $HOSTADDRESS$ -c CheckEventLog -a file=$ARG1$ MaxWarn=$ARG2$ MaxCrit=$ARG3$ "filter=generated gt $ARG4$ AND source = '$ARG5$' AND id IN ('$ARG6$')" truncate=800 unique descriptions "syntax=%severity%: %source%: %id%: %message% (%count%)" 

arg1 = system
arg2 = 1
arg3 = 1
arg4 = -5m
arg5 = 'srv'
arg6 = '2019'

Please advise on why it is sending a critical error other than the specified event id (2019).

Here's what I get from the UI...
informational: Service Control Manager: 7036: The Application Experience service entered the running state. (1), eventlog: 1 > critical

Thanks in advance.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: NagEventLog license

Post by scottwilkerson »

Earlier in this post
http://support.nagios.com/forum/viewtop ... 10#p107190

you were looking for events with an ID of 7036 and now that is what is reporting, are you sure you have applied the configuration since making the changes?
Former Nagios employee
tgfde
Posts: 233
Joined: Thu May 12, 2011 7:55 am

Re: NagEventLog license

Post by tgfde »

I deleted the previous command and added a new one today. I also applied the configuration so many times already.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: NagEventLog license

Post by tmcdonald »

tgfde wrote:
arg5 = 'srv'
arg6 = '2019'

Are you quoting the arguments both in the command definition and in the ARGn fields? If so, they are probably being double-quoted in the final command, giving you something like:

[...] AND source = ''srv'' AND id IN (''2019'')" truncate= [...]

which would normally cause a SQL error, but I don't like making assumptions.
Former Nagios employee
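
The double-quoting described in the last reply, reproduced as an added example (not part of the original thread and not Nagios code): a plain textual `$ARGn$` substitution over the command definition posted above, plus a check that flags arguments quoted in both the definition and the ARGn field. The function names and `FIXED_ARGS` are hypothetical, and the trailing `syntax=` option is left off the template.

```python
import re

# Command definition as posted in the thread (trailing syntax= option left off).
COMMAND_LINE = (
    "$USER1$/check_nrpe -H $HOSTADDRESS$ -c CheckEventLog -a file=$ARG1$ "
    "MaxWarn=$ARG2$ MaxCrit=$ARG3$ "
    "\"filter=generated gt $ARG4$ AND source = '$ARG5$' AND id IN ('$ARG6$')\" "
    "truncate=800 unique descriptions"
)

POSTED_ARGS = ["system", "1", "1", "-5m", "'srv'", "'2019'"]  # as entered in the UI
FIXED_ARGS = ["system", "1", "1", "-5m", "srv", "2019"]       # assumption: quotes kept only in the definition

ARG_MACRO = re.compile(r"\$ARG(\d+)\$")
QUOTED_MACRO = re.compile(r"(['\"])\$ARG(\d+)\$\1")


def expand(template, args):
    """Substitute $ARGn$ textually; macros without a value are left in place."""
    def substitute(match):
        index = int(match.group(1))
        return args[index - 1] if 1 <= index <= len(args) else match.group(0)
    return ARG_MACRO.sub(substitute, template)


def double_quoted_args(template, args):
    """Return the ARG numbers quoted in the template whose value is also quoted."""
    flagged = []
    for match in QUOTED_MACRO.finditer(template):
        index = int(match.group(2))
        if not 1 <= index <= len(args):
            continue
        value = args[index - 1]
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    for label, args in (("posted", POSTED_ARGS), ("fixed", FIXED_ARGS)):
        print(label, "-> double-quoted ARGs:", double_quoted_args(COMMAND_LINE, args))
        print("   ", expand(COMMAND_LINE, args))
```
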