How to monitor for a Event ID

maddev · Post by **maddev** » Thu May 07, 2015 6:45 am

I am looking to monitor the occurrences of few system events on windows servers; Say whenever a event ID 1074 is logged I need someone to be notified and so on.

I have nsclient++ installed on windows machines and use Nagios XI 2014. Any Idea on how to achieve this ?

jdalrymple · Post by **jdalrymple** » Thu May 07, 2015 10:23 am

You have to have "CheckEventLog = 1" in your modules section of nsclient.ini

Then after that it's just a matter of fiddling with the filters to make them work to suit your needs.

Code: Select all

[jdalrymple@localhost libexec]$ ./check_nrpe -H <windows-IP> -c checkeventlog -a warn=1 crit=2 filter="id=1074"
OK: No entries found|'count'=0;1;2

ssax · Post by **ssax** » Thu May 07, 2015 10:50 am

What version of NSClient++ are you using?

Make sure that you have these options set in your nsclient.ini:

Code: Select all

[/settings/NRPE/server]
allow arguments=1
allow nasty meta chars=1

Restart your nsclient service.

You should be able to use CheckEventLog:

From command line:

Code: Select all

./check_nrpe -H YOURHOST -p 5666 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -5m AND id='1074'"

Adding the service in XI CCM:

Code: Select all

Check command: check_nrpe
$ARG1$: CheckEventLog
$ARG2$: -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -5m AND id='1074'"

http://docs.nsclient.org/0.4.3/referenc ... ckEventLog

maddev · Post by **maddev** » Fri May 08, 2015 2:46 am

Hi I am getting the below output when I execute in command line

Code: Select all

./check_nrpe -H 10.161.232.51 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -5m AND id='1074'"
Eventlog check ok|'eventlog'=0;1;1

But testing check comman through XI CCM console throws below error

Code: Select all

COMMAND: /usr/local/nagios/libexec/check_nrpe -H 10.161.232.51 -t 30 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated \> -5m AND id=\'1074\'"
OUTPUT: Parsing failed: generated \> -5m AND id=\'1074\'

Also, Can't we do this using check_nt ? without changing the nsclient.ini file

ssax · Post by **ssax** » Fri May 08, 2015 10:38 am

Paste in the exact $ARG2$ that I put in:

Code: Select all

-a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -5m AND id='1074'"

Don't worry if the test fails.

maddev · Post by **maddev** » Fri May 08, 2015 12:41 pm

Here's the output

Code: Select all

COMMAND: /usr/local/nagios/libexec/check_nrpe -H <hostIP> -t 30 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated \> -5m AND id=\'1074\'"
OUTPUT: Parsing failed: generated \> -5m AND id=\'1074\'

scottwilkerson · Post by **scottwilkerson** » Fri May 08, 2015 12:44 pm

Commands that have a log to escaping often will not work properly through the "test Command" button in the GUI, because of the required escaping to prevent XSS via the webUI.

However this will not affect the actual running of the command if you enter it as ssax suggested.

Nagios Support Forum

How to monitor for a Event ID

How to monitor for a Event ID

Re: How to monitor for a Event ID

Re: How to monitor for a Event ID

Re: How to monitor for a Event ID

Re: How to monitor for a Event ID

Re: How to monitor for a Event ID

Re: How to monitor for a Event ID