Setting up Windows monitoring.

[gdolidze]

When i setup linux server they come up right away but on the windows side i takes a while, i don't now how long because i see them on the 2nd day i come into office.
is there a reason why it take so long for windows side to show up on the dashboard.

[tmcdonald]

That all depends on what you are monitoring on your Windows machines. If it is just a single event ID that does not occur often, then it might only show up every 2 days.

Also, do you have a time/date difference between the Windows machines and Logserver?

[gdolidze]

I just follow this http://10.1.1.154/nagioslogserver/index ... up/windows
and it takes a long time to show up. and the servers are on vmware.

also i found this

The server is reporting the below information in C:\Program Files (x86)\nxlog\data\nxlog. Does the server need to be defined somewhere in the log server or is the log server’s firewall running?


2015-06-15 11:07:18 INFO reconnecting in 200 seconds
2015-06-15 11:07:18 ERROR couldn't connect to tcp socket on 10.1.1.154:3515; No connection could be made because the target machine actively refused it.
2015-06-15 11:08:30 INFO connecting to 10.1.1.154:3515
2015-06-15 11:08:51 INFO reconnecting in 200 seconds
2015-06-15 11:08:51 ERROR couldn't connect to tcp socket on 10.1.1.154:3515; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2015-06-15 11:10:01 INFO connecting to 10.1.1.154:3515
2015-06-15 11:10:22 INFO reconnecting in 200 seconds
2015-06-15 11:10:22 ERROR couldn't connect to tcp socket on 10.1.1.154:3515; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2015-06-15 11:10:38 INFO connecting to 10.1.1.154:3515
2015-06-15 11:10:59 INFO reconnecting in 200 seconds
2015-06-15 11:10:59 ERROR couldn't connect to tcp socket on 10.1.1.154:3515; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2015-06-15 11:12:11 INFO connecting to 10.1.1.154:3515
2015-06-15 11:12:32 INFO reconnecting in 200 seconds
2015-06-15 11:12:32 ERROR couldn't connect to tcp socket on 10.1.1.154:3515; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2015-06-15 11:13:42 INFO connecting to 10.1.1.154:3515
2015-06-15 11:14:03 INFO reconnecting in 200 seconds
2015-06-15 11:14:03 ERROR couldn't connect to tcp socket on 10.1.1.154:3515; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2015-06-15 11:14:19 INFO connecting to 10.1.1.154:3515
2015-06-15 11:14:40 INFO reconnecting in 200 seconds
2015-06-15 11:14:40 ERROR couldn't connect to tcp socket on 10.1.1.154:3515; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2015-06-15 11:15:52 INFO connecting to 10.1.1.154:3515
2015-06-15 11:15:53 INFO reconnecting in 200 seconds
2015-06-15 11:15:53 ERROR couldn't connect to tcp socket on 10.1.1.154:3515; No connection could be made because the target machine actively refused it.
2015-06-15 11:17:23 INFO connecting to 10.1.1.154:3515

[jolson]

Could you post your nxlog configuration from the Windows machine in question? Also, please ensure that port 3515 (by default) is open on your Nagios Log Server instance - you could telnet to it as a test.

Code: Select all

telnet nagios.log.server.ip 3515

Make certain that logstash is running on Nagios Log Server:

Code: Select all

service logstash start

[gdolidze]

the port is open as well.
logstash is also running

## See the nxlog reference manual at
## http://nxlog.org/nxlog-docs/en/nxlog-re ... anual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
#</Extension>

<Extension json>
Module xm_json
</Extension>

<Extension syslog>
Module xm_syslog
</Extension>

<Input internal>
Module im_internal
</Input>

# Watch your own files
<Input file1>
Module im_file
File '%ROOT%\data\nxlog.log'
SavePos TRUE
</Input>

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog

# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
</Input>

<Output out>
Module om_tcp
Host 10.1.1.154
Port 3515

Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();

# Uncomment for debug output
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route 1>
Path internal, file1, eventlog => out
</Route>

[jolson]

Your configuration looks proper to me. If you run a tcpdump on Nagios Log Server, can you see any packets coming in?

Code: Select all

yum install tcpdump -y
tcpdump -n dst port 3515 and host windows.server.ip.address

If not, try re-copying the nxlog configuration from the Windows Server installation guide, and restarting the nxlog service. Any packets at that point?

[gdolidze]

The server just showed up around 5 hours after i did the nxlog installation.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:35:58.419881 IP cfjh50.cfjh.net.58288 > solr.cfjh.net.must-backplane: Flags [P.], seq 1903760032:1903761456, ack 3357686629, win1424
19:35:58.420600 IP cfjh50.cfjh.net.58288 > solr.cfjh.net.must-backplane: Flags [P.], seq 1424:2743, ack 1, win 256, length 1319
19:35:58.420944 IP cfjh50.cfjh.net.domain > solr.cfjh.net.60743: 44484* 1/0/0 PTR solr.cfjh.net. (68)
19:35:58.421353 IP cfjh50.cfjh.net.domain > solr.cfjh.net.50195: 25260* 1/0/0 PTR cfjh50.cfjh.net. (69)
19:35:58.421603 IP cfjh50.cfjh.net.58288 > solr.cfjh.net.must-backplane: Flags [P.], seq 2743:4159, ack 1, win 256, length 1416
5 packets captured
6 packets received by filter
0 packets dropped by kernel

[jolson]

This sounds like a timezone issue, as tmcdonald had mentioned earlier. Please ensure that the time on your NLS box is set properly. Log into the NLS box and type the following:

Code: Select all

hwclock
date
grep timezone /etc/php.ini
ls -l /etc/localtime

Does the above look accurate? If not, you may need to change the configuration of your box. The easiest way to do so is a combination of our supplied script and the ntp daemon.

Code: Select all

/usr/local/nagioslogserver/scripts/change_timezone.sh -z America/Chicago
ntpdate 0.centos.pool.ntp.org
service ntpd start
chkconfig ntpd on