NSClient++ - 0.4.3.131 real time event log filter syntax

[michaelli]

Hi support,

I would like to filter alert message more detail.

exampe:
filter=level=1 AND (id NOT IN (4,5,1001,2807,3007,3109,4000))

;level 1 = error alert

From above example, eg 2807 and 3007 are error messages but from different source.

SORUCE ID Description
sharepoint ID 2087 "erorr for ......"
nagios ID 2087 "unable connect to ....."
ABC soft ID 3007 "system error ...."
EFC com ID 3007 "EFC unable to load ...."

From about same ID but different source, How can we define the filter messages for over example? (I just want ignore sharepoint ID 2087 and ignore EFC ID 3007 and keep alert for nagios and ABC soft).

[jolson]

You should be able to define the ID's that you want to see directly.

Code: Select all

filter=id = 555 or id  = 554

Let me know if that helps!

[michaelli]

Hi jolson,

My filter statement is get all error type messages with ignore some error ID.

I think your example about we know that id = 555 or id = 554 are belong to errors and want to show in nagiosxi

Our real environment is all error / warning should show in nagios. If some event ID is confirmed fault alarm / no harmful for the system. Then we will ignore this error ID.

Some application company may use same ID but different meaning. We are looking for prevent this error happening.

Please correct my filter syntax if I wrong.

[jolson]

The following syntax worked well for me.

Code: Select all

filter=level=1 AND (id NOT IN (4,5,1001,2807,3007,3109,4000)) AND (source NOT IN (ExampleSource))

Replace 'ExampleSource' with whatever source you want excluded. The source is case sensitive.

[michaelli]

Hi jolson,

your statement only filter the alert message for 1 SOURCE only.

[jolson]

You can add more sources like so:

Code: Select all

filter=level=1 AND (id NOT IN (4,5,1001,2807,3007,3109,4000)) AND (source NOT IN (ExampleSource,ExampleSource2))

[michaelli]

Hi jolson,

I have tried your filter syntax but the result is not expected.
filter=level=1 AND (id NOT IN (4,5,1001,2807,3007,3109,4000)) AND (source NOT IN (ex1,ex2))

Below is my testing command and nscp test debug messages

ID 6 is not in ignored list, So it can display in nagios

Code: Select all

C:\>eventcreate /ID 6 /L application /T error /SO ex10 /D "testing application error source ex10
SUCCESS: An event of type 'error' was created in the 'application' log with 'ex10' as the source.

D   eventlog Reading eventlog messages...
D   eventlog Processing: 0042A530
D   eventlog Next miss time is in: 1042s

ID4 is in ignore list and source is ex11. It should be match filter and display in nagios. But result is not expected.

Code: Select all

C:\>eventcreate /ID 4 /L application /T error /SO ex11 /D "testing application error source ex11"
SUCCESS: An event of type 'error' was created in the 'application' log with 'ex11' as the source.

D   eventlog Reading eventlog messages...
D   eventlog Processing: 0042A530
D   eventlog No filters matched an event
D   eventlog Next miss time is in: 961s

ID 4 is in ignore list and source is ex2. It can filtered.

Code: Select all

C:\>eventcreate /ID 4 /L application /T error /SO ex2 /D "testing application error source ex2"
SUCCESS: An event of type 'error' was created in the 'application' log with 'ex2' as the source.

D   eventlog Reading eventlog messages...
D   eventlog Processing: 0042A530
D   eventlog No filters matched an event
D   eventlog Next miss time is in: 884s

Therefore, the syntax is not enable for filter ID with source. Any other method because I cannot find more information for filter syntax even in nsclient.org?

[lmiltchev]

You have opened a new support ticket in our email ticketing system. We will continue communication via emails. I am locking this topic.