Nagios windows Eventlog monitoring agent problem
Re: Nagios windows Eventlog monitoring agent problem
Hi lmiltchev,
I followed your procedure and added the entries below to nsclient.ini:
[/settings/NSCA/client/targets/default]
address=nsca://127.31.4.166:5667
encryption=none
password=password
But I am not able to find the host in "Unconfigured Objects" in nagiosxi (172.31.4.166) and this client can connect to nagiosxi port 5667 by telnet.
For NSCA, how can I enable the log so that I can troubleshoot this issue?
Thanks for your help.
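A configuration check for the NSCA target block posted above, added here as an example (it is not code from the thread or from NSClient++). It flags `encryption=none`/`xor`, which send check results without real confidentiality, a placeholder password, and a target address inside 127.0.0.0/8; the finding names, the placeholder list and the `expected_server` parameter are assumptions of this example.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# NSCA target block as posted above (values taken from the thread).
SAMPLE_INI = """\
[/settings/NSCA/client/targets/default]
address=nsca://127.31.4.166:5667
encryption=none
password=password
"""

WEAK_ENCRYPTION = {"none", "xor"}                     # no real confidentiality
PLACEHOLDER_PASSWORDS = {"", "password", "changeme"}  # constructed list
PREFIX = "/settings/nsca/client/targets/"


def audit_nsca_targets(ini_text, expected_server=None):
    """Return sorted (section, finding) pairs for every NSCA target section."""
    # interpolation=None: nsclient.ini values such as %message% contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    findings = []
    for section in cp.sections():
        if not section.lower().startswith(PREFIX):
            continue
        target = cp[section]
        if target.get("encryption", "").strip().lower() in WEAK_ENCRYPTION:
            findings.append((section, "weak-encryption"))
        if target.get("password", "").strip().lower() in PLACEHOLDER_PASSWORDS:
            findings.append((section, "placeholder-password"))
        host = urlsplit(target.get("address", "")).hostname or ""
        try:
            if ipaddress.ip_address(host).is_loopback:
                # Anything in 127.0.0.0/8 never leaves the agent's own machine.
                findings.append((section, "loopback-address"))
        except ValueError:
            pass  # DNS name or empty address: nothing to classify
        if expected_server and host and host != expected_server:
            findings.append((section, "unexpected-server"))
    return sorted(findings)


if __name__ == "__main__":
    # 172.31.4.166 is the Nagios XI address given in the post.
    for section, finding in audit_nsca_targets(SAMPLE_INI, "172.31.4.166"):
        print(f"{section}: {finding}")
```

Whatever encryption value is chosen on the agent (NSClient++ accepts names such as `aes`) has to match the decryption method and password configured on the NSCA server.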
- Box293
Re: Nagios windows Eventlog monitoring agent problem
You can watch the Nagios log to see if the check results are being submitted.
Code:
tail -f /usr/local/nagios/var/nagios.log
You'll see something like:
Code:
[1419048801] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;DC01;CPU Load;0;OK CPU Load ok.|'5m'=0%;80;90 '1m'=1%;80;90 '30s'=2%;80;90
[1419048801] Warning: Passive check result was received for service 'CPU Load' on host 'DC01', but the host could not be found!
[1419048801] Error: External command failed -> PROCESS_SERVICE_CHECK_RESULT;DC01;CPU Load;0;OK CPU Load ok.|'5m'=0%;80;90 '1m'=1%;80;90 '30s'=2%;80;90
[1419048801] External command error: Command failed
When this happens, the object will appear under Unconfigured Objects. In this example, if there was already a service called 'CPU Load' on host 'DC01' then it does not get logged in the nagios.log file and the service simply gets updated.
michaelli wrote:
[/settings/NSCA/client/targets/default]
address=nsca://127.31.4.166:5667
encryption=none
password=password
You will need more than just that added to nsclient.ini.
This post by Willem was helpful and should be followed, have you tried it? http://support.nagios.com/forum/posting ... 0#pr126686
If you want to follow a guide on getting NSClient++ submitting NSCA results to nagios have a look at this one I created:
http://sites.box293.com/nagios/guides/n ... ient-0-4-x
Nagios XI already has NSCA built in, however at the end of this guide it shows you how to turn on debug logging so you can see what is received BEFORE it is submitted to Nagios:
http://sites.box293.com/nagios/guides/n ... core-4-0-x
Finally, you can enable debugging in NSClient++ itself and look in its logs:
Open a command prompt on the windows box
Code:
cd "\Program Files\NSClient++\"
nscp settings --path /settings/log --key level --set debug
Restart the NSClient++ service
Check the log file in the NSClient++ directory.
One last note: use NSClient++ 0.4.1.105
0.3.9 no longer works with the newer version of NSCA that comes with XI.
0.4.2 onwards is still buggy and is slightly different.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
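The log check described in the post above, as an added example (not part of the original post or of Nagios): it reads nagios.log text, lists the passive results that were submitted, and reports which host/service pairs were rejected because the host or the service is not configured. The sample uses the log lines quoted in the post plus one constructed pair for a hypothetical host FS02.

```python
import re

# nagios.log lines quoted in the post above, plus one constructed pair
# (hypothetical host FS02) for the "service could not be found" case.
SAMPLE_LOG = """\
[1419048801] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;DC01;CPU Load;0;OK CPU Load ok.|'5m'=0%;80;90 '1m'=1%;80;90 '30s'=2%;80;90
[1419048801] Warning: Passive check result was received for service 'CPU Load' on host 'DC01', but the host could not be found!
[1419048801] Error: External command failed -> PROCESS_SERVICE_CHECK_RESULT;DC01;CPU Load;0;OK CPU Load ok.|'5m'=0%;80;90 '1m'=1%;80;90 '30s'=2%;80;90
[1419048801] External command error: Command failed
[1419048860] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;FS02;EVT_System;1;error 1234 ExampleSource: constructed sample message; with semicolon
[1419048860] Warning: Passive check result was received for service 'EVT_System' on host 'FS02', but the service could not be found!
"""

SUBMIT = re.compile(r"^\[(\d+)\] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;(.*)$")
MISSING = re.compile(
    r"^\[\d+\] Warning:\s+Passive check result was received for service "
    r"'(.+?)' on host '(.+?)', but the (host|service) could not be found!"
)


def parse_passive_results(log_text):
    """Return (submitted, missing) parsed from nagios.log text.

    submitted: list of dicts, one per PROCESS_SERVICE_CHECK_RESULT command.
    missing:   {(host, service): "host" | "service"} for rejected results.
    """
    submitted, missing = [], {}
    for line in log_text.splitlines():
        m = SUBMIT.match(line)
        if m:
            # Plugin output and perfdata contain ';' themselves, so split on
            # the first three separators only: host;service;code;output
            parts = m.group(2).split(";", 3)
            if len(parts) == 4 and parts[2].isdigit():
                text, _, perf = parts[3].partition("|")
                submitted.append({"time": int(m.group(1)), "host": parts[0],
                                  "service": parts[1], "code": int(parts[2]),
                                  "output": text, "perfdata": perf})
            continue
        m = MISSING.match(line)
        if m:
            missing[(m.group(2), m.group(1))] = m.group(3)
    return submitted, missing


if __name__ == "__main__":
    results, rejected = parse_passive_results(SAMPLE_LOG)
    for (host, service), what in sorted(rejected.items()):
        print(f"{host}/{service}: {what} not configured")
```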
Re: Nagios windows Eventlog monitoring agent problem
Thanks, Box293, for the information on logging.
But I tried with Windows 7 (32-bit) and Windows 2008 (64-bit) clients: the EVT_application log can be sent to Nagios XI and the events display properly, but EVT_system cannot be displayed in Nagios XI.
For Windows 2012 with the same configuration file, neither EVT_application nor EVT_system can be displayed.
Moreover, how can I keep the error in Nagios XI for 30 minutes?
Re: Nagios windows Eventlog monitoring agent problem
michaelli wrote: But I tried with Windows 7 (32-bit) and Windows 2008 (64-bit) clients: the EVT_application log can be sent to Nagios XI and the events display properly, but EVT_system cannot be displayed in Nagios XI.
Can you show us a screenshot of the error that you are getting?
michaelli wrote: Moreover, how can I keep the error in Nagios XI for 30 minutes?
Schedule the passive checks on a 30 min interval (in the nsclient.ini file).
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Nagios windows Eventlog monitoring agent problem
Hi lmiltchev,
Monitoring both the system and application logs with Nagios XI works, but I need to generate an error log entry manually for Nagios XI to recognize it in "Unconfigured Objects".
1. But now we have encountered a new problem: it cannot monitor events whose level is "critical" (monitoring error and warning logs is okay).
I am sure the critical ID is not in the "exclude list".
2. Is it possible to filter on keywords in the message contents?
3. Is there any sample config file for setting up monitoring of a log file (e.g. c:\softwarea\logs\softwarea.log)?
Below is the config file for reference:
; A set of options to configure the real time checks
[/settings/eventlog/real-time]
; DEBUG - Log missed records (useful to detect issues with filters) not useful in production as it is a bit of a resource hog.
debug = false
; REAL TIME CHECKING - Spawns a background thread which detects issues and reports them back instantly.
enabled = true
; LOGS TO CHECK - Comma separated list of logs to check
log = application,system
; STARTUP AGE - The initial age to scan when starting NSClient++
startup age = 30m
; A set of filters to use in real-time mode
[/settings/eventlog/real-time/filters]
[/settings/eventlog/real-time/filters/default]
; DESTINATION - The destination for intercepted messages
destination=NSCA
; MAXIMUM AGE - How long before reporting "ok" (if this is set to off no ok will be reported only errors)
maximum age= 3d
; OK MESSAGE - This is the message sent periodically whenever no error is discovered.
ok message= eventlog found no records test default
; SYNTAX - Format string for dates
syntax=%type% %id% %source%: %message%
[/settings/eventlog/real-time/filters/EVT_Application]
log= application
filter= level IN (error,warning,critical) AND (id NOT IN (1,3,10,12,13,23,26,33,37,38,58,67,101,103,104,107,108,110,112,274,502,511,1000,1002,1004,1005,1008,1009,1010,1026,1027,1053,1054,1085,1101,1107,1116,1301,1325,1334,1373,1500,1502,1504,1508,1511,1515,1521,1533,1542,2019,2158,2636,2640,2650,2670,3001,3008,3012,3021,3032,3037,3042,3077,3079,3098,3119,3130,3131,3148,3159,3299,4005,4102,4237,4621,5008,5009,5051,5124,5133,5605,5705,6001,6007,6016,6032,6044,6100,7043,7363,7735,7823,7827,7833,8193,8194,8196,8313,9001,10000,10005,10007,10862,10922,11317,12121,12289,12291,12298,12321,13793,13836,14197,14204,15000,16038,16041,16053,16058,16063,16066,16068,16082,16195,16391,16418,16419,16421,17187,17192,17204,17412,17898,18176,19269,19458,19954,19969,19972,20958,21061,22670,35698,35705,35710,35712,35716,35721,35726,37088,37090,37092,37095,37098,37119,37124,37225)) AND (id NOT IN (1006) OR source NOT IN ('Userenv')) AND (id NOT IN (1509) OR source NOT IN ('Userenv')) AND (id NOT IN (1030) OR source NOT IN ('Userenv')) AND (id NOT IN (1055) OR source NOT IN ('Userenv'))
severity= WARNING
ok message= Autoreset, found no records in application eventlog
maximum age= 3d
[/settings/eventlog/real-time/filters/EVT_System]
log= system
filter= level IN (error,warning) AND (id NOT IN (1,3,4,5,8,9,10,11,12,15,19,27,37,39,50,54,56,137,1030,1041,1060,1066,1069,1071,1111,1196,3621,4192,4224,4243,4307,5722,5723,5774,5783,5805,6161,7000,7001,7009,7011,7016,7022,7023,7024,7026,7031,7032,7034,8003,9022,10005,10006,10009,10010,10016)) AND (id NOT IN (36874) OR source NOT IN ('Schannel')) AND (id NOT IN (36887) OR source NOT IN ('Schannel')) AND (id NOT IN (36888) OR source NOT IN ('Schannel')) AND (id NOT IN (7030) OR source NOT IN ('Service Control Manager')) AND (id NOT IN (12292) OR source NOT IN ('VSS')) AND (id NOT IN (36870) OR source NOT IN ('Schannel'))
severity= WARNING
ok message= Autoreset, found no records in system eventlog
maximum age= 3d
Re: Nagios windows Eventlog monitoring agent problem
Fyi, I can strongly advise not to filter on event description or message content. This would imply for NSclient to search through each message description which gives a much bigger load than only source or eventid. If you really need to search in message content, I would advise you to look at Nagios Log Server, which is made for this.
Nagios XI 5.8.1
https://outsideit.net
Re: Nagios windows Eventlog monitoring agent problem
Hi WillemDH,
Thanks for your reply.
1. How can I resolve being unable to monitor the level "critical"?
2. Is it possible to configure two NSCA addresses so that the alert is sent to two Nagios XI servers at the same time?
[/settings/NSCA/client/targets/default]
address=nsca://172.31.4.166:5667
encryption=none
password=password
3. Is there any sample config file for setting up monitoring of a log file (e.g. c:\softwarea\logs\softwarea.log)?
Re: Nagios windows Eventlog monitoring agent problem
Dear Nagios support,
Is there any solution for the issues below? We are now blocked by these problems and the project approval is being held by the management team.
1. How can I resolve being unable to monitor the level "critical"?
2. Is it possible to configure two NSCA addresses so that the alert is sent to two Nagios XI servers at the same time?
[/settings/NSCA/client/targets/default]
address=nsca://172.31.4.166:5667
encryption=none
password=password
3. Is there any sample config file for setting up monitoring of a log file (e.g. c:\softwarea\logs\softwarea.log)?
Re: Nagios windows Eventlog monitoring agent problem
Michaelli,
NSClient is not a product made by Nagios, but by Michael Medin. Nagios support can try to answer questions related to NSClient, but the realtime eventlog capabilities are kind of new and not very well documented as you already mentioned. It works perfect for me for monitoring Windows eventlogs, but I can't help you with your issue to monitor custom logfiles.
I can suggest you however to make a thread here https://www.nsclient.org/forums/forum/nsclient-support/
Grtz
Willem
Nagios XI 5.8.1
https://outsideit.net
Re: Nagios windows Eventlog monitoring agent problem
Hi WillemDH,
As we will purchase a Nagios XI license after this evaluation, I am wondering about the support issue, since you mention NSClient is not part of Nagios products.
Could you help clarify the support coverage for Nagios XI Enterprise Edition?