Nagios windows Eventlog monitoring agent problem

[michaelli]

Hi support,

I am trialing the nagios xi for monitoring windows 2008 windows 2013 64bit version. According the nagios article, I go web

http://www.steveshipway.org/software/f_nagios.html

to download the source.

both version nagevlog-setup-1.9.2.exe, Beta version for 64bit windows 2008, Microsoft Library Package and libmcrypt library.

But during installation of 1.9.2, it shows "Service is not installed or error encountered" that I am not able to start the service because "start service" is dimmed.

For 64bit version, I extract the libmcrypt library into the program source folder. Run vredit_x86.exe and then run angevlog and NagevLogCtrl and the result are same as "service is not installed or error encountered!"

PS. During install 1.9.2, it prompts out Runtime error! "Program C:\Windows\SysWOW64\regsvr32.exe" R6034 Error. I hit 4 times okay to continue the installation. Do I need to solve this program first?

Thanks

[WillemDH]

Hey Michaelli,

If you want to use NSCA I would advise you to look at NSClient++ realtime eventlog component for sending events to Nagios XI.
http://www.medin.name/blog/2012/03/20/r ... -nsclient/

Or you could also use Nagios Log Server to manage all your logs.
http://www.nagios.com/products/nagios-log-server

Nagevlog just doesn't work properly on Windows 64bit systems imo..

Grtz

Willem

[abrist]

Nagevlog just doesn't work properly on Windows 64bit systems imo..

Many have reported problems with nagevlog and 64bit systems. Limited successes, but I think those people had to fix the library issues on their own.

[michaelli]

Hi Willem,

Is it possible to install log server into nagiosxi server? Any integration for display the host log into nagiosxi web?

Regards,
Michael Li

[WillemDH]

No Log Server is a separate server. Nsclient realtime eventlog component will send the events to passive service of host, you only need NSClient 0.4.1.105 or later for that. Grtz

[michaelli]

Hi Willem,

For using NSClient 0.4.1.105 to monitor windows system, any steps by step procedure for configure in both servers and client side example with monitoring "error", "warning", "critical" alert and allow to filter some messages patterns?

And I am not able to execute nscp eventlog with below error.

C:\Program Files\NSClient++>nscp --version
NSClient++, Version: 0,4,2,84 2014-03-06, Platform: x64

C:\Program Files\NSClient++>nscp eventlog
Command not found:

Below article is too complicated to understand
http://www.medin.name/blog/2012/03/20/r ... -nsclient/

[WillemDH]

First make sure NSCA is configured:

http://assets.nagios.com/downloads/nagi ... ios-XI.pdf

I would advise you to use NSClient 0.4.1.105, as it is the most stable version for now.

Then make sure NSCA is working and enabled in nsclient.ini

Make a passive service for each filter you set in your nsclient.ini file. (I named them EVT_Application and EVT_System)

Then configure realtime eventlog, this is example subset of my nsclient.ini.

Code: Select all

; A set of options to configure the real time checks
[/settings/eventlog/real-time]

; DEBUG - Log missed records (usefull to detect issues with filters) not usefull in production as it is a bit of a resource hog.
debug = false

; REAL TIME CHECKING - Spawns a backgrounnd thread which detects issues and reports them back instantly.
enabled = true

; LOGS TO CHECK - Comma separated list of logs to check
log = application,system

; STARTUP AGE - The initial age to scan when starting NSClient++
startup age = 30m


; A set of filters to use in real-time mode
[/settings/eventlog/real-time/filters]

[/settings/eventlog/real-time/filters/default]

; DESTINATION - The destination for intercepted messages
destination=NSCA

; MAXIMUM AGE - How long before reporting "ok" (if this is set to off no ok will be reported only errors)
maximum age= 3d

; OK MESSAGE - This is the message sent periodically whenever no error is discovered.
ok message= eventlog found no records test default

; SYNTAX - Format string for dates
syntax=%type% %id% %source%: %message% 

[/settings/eventlog/real-time/filters/EVT_Application]
log= application
filter= level IN (error) AND (id NOT IN (1,3,10,12,13,23,26,33,37,38,58,67,101,103,104,107,108,110,112,274,502,511,1000,1002,1004,1005,1008,1009,1010,1026,1027,1053,1054,1085,1101,1107,1116,1301,1325,1334,1373,1500,1502,1504,1508,1511,1515,1521,1533,1542,2019,2158,2636,2640,2650,2670,3001,3008,3012,3021,3032,3037,3042,3077,3079,3098,3119,3130,3131,3148,3159,3299,4005,4102,4237,4621,5008,5009,5051,5124,5133,5605,5705,6001,6007,6016,6032,6044,6100,7043,7363,7735,7823,7827,7833,8193,8194,8196,8313,9001,10000,10005,10007,10862,10922,11317,12121,12289,12291,12298,12321,13793,13836,14197,14204,15000,16038,16041,16053,16058,16063,16066,16068,16082,16195,16391,16418,16419,16421,17187,17192,17204,17412,17898,18176,19269,19458,19954,19969,19972,20958,21061,22670,35698,35705,35710,35712,35716,35721,35726,37088,37090,37092,37095,37098,37119,37124,37225)) AND (id NOT IN (1006) OR source NOT IN ('Userenv')) AND (id NOT IN (1509) OR source NOT IN ('Userenv')) AND (id NOT IN (1030) OR source NOT IN ('Userenv')) AND (id NOT IN (1055) OR source NOT IN ('Userenv'))
severity= WARNING
ok message= Autoreset, found no records in application eventlog
maximum age= 3d


[/settings/eventlog/real-time/filters/EVT_System]
log= system
filter= level IN (error) AND (id NOT IN (1,3,4,5,8,9,10,11,12,15,19,27,37,39,50,54,56,137,1030,1041,1060,1066,1069,1071,1111,1196,3621,4192,4224,4243,4307,5722,5723,5774,5783,5805,6161,7000,7001,7009,7011,7016,7022,7023,7024,7026,7031,7032,7034,8003,9022,10005,10006,10009,10010,10016)) AND (id NOT IN (36874) OR source NOT IN ('Schannel')) AND (id NOT IN (36887) OR source NOT IN ('Schannel')) AND (id NOT IN (36888) OR source NOT IN ('Schannel')) AND (id NOT IN (7030) OR source NOT IN ('Service Control Manager')) AND (id NOT IN (12292) OR source NOT IN ('VSS')) AND (id NOT IN (36870) OR source NOT IN ('Schannel'))
severity= WARNING
ok message= Autoreset, found no records in system eventlog
maximum age= 3d

Grtz

[lmiltchev]

Thanks for the help, WillamDH!

michaelli, on the Nagios XI side of things, you will have to configure the passive check results for hosts/services that show up under the Unconfigured Objects. For more info, please review the following document:

http://assets.nagios.com/downloads/nagi ... ith_XI.pdf

[michaelli]

Thanks WillemDH and lmiltchev.

I will test it later and Is it the best method to monitor windows sytem log by nagios XI because we will purchase XI license and project will be start at March.
We have over 100 of windows server need to monitor so that we would like to find the simple way to configure. I think windows eventlog is the best client but it doesn't supply 64bit OS.

[lmiltchev]

I would recommend setting this up in a test environment first. Using NagEventLog might work. I haven't played with it for a while, but as far as I remember, when you try to install it on a 64-bit machine, you would get 2 or 3 error messages. However, it would still work (or at least it worked for me when I was testing it). Give it a try. You can also use NSClient++ or if you really need a robust solution - Nagios Log Server.