How to monitor extended windows eventlogs using Nagios
Hello,
We in our production environment are using Nagios to monitor various Windows alerts.
Now we also want to monitor the Exchange server failover event, i.e. 306, via Nagios.
The command which we are currently using is as follows; it works fine for the Application, System and Security event logs:
./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a file=Application debug=true MaxWarn=1 MaxCrit=1 filter-generated=\<1d "filter=id = 1009" truncate=1000 unique descriptions "syntax=%id%: (%count%)"
Now, instead of events in the Application/System and Security logs, I want to configure the event log check for Microsoft-Exchange-HighAvailability/Operational event 306. Can anyone help me with how to configure this event in Nagios?
Thanks
Ankur
Re: How to monitor extended windows eventlogs using Nagios
No problem, you should be able to change the log you're monitoring with the 'file' specification.
A possible example (may need some tinkering):
./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a file=Microsoft-Exchange-HighAvailability/Operational debug=true MaxWarn=1 MaxCrit=1 filter-generated=\<1d "filter=id = 306" truncate=1000 unique descriptions "syntax=%id%: (%count%)"
Re: How to monitor extended windows eventlogs using Nagios
jolson wrote: No problem, you should be able to change the log you're monitoring with the 'file' specification.
A possible example (may need some tinkering):
./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a file=Microsoft-Exchange-HighAvailability/Operational debug=true MaxWarn=1 MaxCrit=1 filter-generated=\<1d "filter=id = 306" truncate=1000 unique descriptions "syntax=%id%: (%count%)"
I tried this combination, but it did not work.
Actually I tried many combinations but all failed.
Any more ideas are welcome.
Thanks.
Re: How to monitor extended windows eventlogs using Nagios
Are you receiving any errors from the CLI after running the command I mentioned? If so, what errors?
What other combinations have you tried?
Re: How to monitor extended windows eventlogs using Nagios
jolson wrote: Are you receiving any errors from the CLI after running the command I mentioned? If so, what errors?
What other combinations have you tried?
The commands/combinations which I tried are as follows:
./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a file=Microsoft-Exchange-HighAvailability/Operational debug=true MaxWarn=1 MaxCrit=1 filter-generated=\<1d "filter=id = 306" truncate=1000 unique descriptions "syntax=%id%: (%count%)"
./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a filter=new file=all MinWarn=0 MinCrit=0 filter-generated=\<30m filter+eventID=="306" filter+eventType==all filter=all
./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a filter=new file=all MinWarn=0 MinCrit=0 filter == ((source== "HighAvailability") AND (eventtype == "error") OR (eventtype == "warning")) filter-generated=\<30m filter+eventID=="306" filter+eventType==all filter=all
./check_nrpe -t 30 -H IPAddress -p 5666 -c eventlog=System,include,source=HighAvailability,eventtype=error,eventtype=warning,exclude,eventid=15,eventid=16" debug=true MaxWarn=1 MaxCrit=1 filter-generated=\<1d "filter=id = 306" truncate=1000 unique descriptions "syntax=%id%: (%count%)"
And many others...
And the output which I get from the above commands is as follows:
Eventlog check ok|'eventlog'=0;1;1;
The output shows status OK, but on the server there are many events with ID 306 due to automatic Exchange database failover, and the output shows 0,1,1.
Any suggestions?
Thanks,
Ankur
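A local cross-check for the result reported above, as an added example that is not part of the original thread: run on the Exchange server itself, it confirms the channel is readable and counts event 306 over the last day, so a zero from the agent can be compared with what the log actually holds. The channel name, event ID and threshold values come from the posted commands; the variable names, the message wording and the "count >= threshold" comparison are assumptions.

```powershell
# Added example: run locally on the Exchange server from an elevated prompt.
# Channel, event ID and threshold values are taken from the thread.
# Variable names, message text and the >= comparison are assumptions.
$Channel = 'Microsoft-Exchange-HighAvailability/Operational'
$EventId = 306
$Since   = (Get-Date).AddDays(-1)     # same window as filter-generated=<1d
$MaxWarn = 1
$MaxCrit = 1

# 1. Does the channel exist and is it enabled? A typo or a disabled channel
#    would otherwise look identical to "no events".
try {
    $log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
} catch {
    Write-Output "UNKNOWN: cannot open channel '$Channel': $($_.Exception.Message)"
    exit 3
}
if (-not $log.IsEnabled) {
    Write-Output "UNKNOWN: channel '$Channel' is disabled"
    exit 3
}

# 2. Count matching events. Get-WinEvent raises an error when nothing matches,
#    so an empty result is handled explicitly instead of being treated as a failure.
$filter = @{ LogName = $Channel; Id = $EventId; StartTime = $Since }
try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch {
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        $events = @()
    } else {
        Write-Output "UNKNOWN: query failed: $($_.Exception.Message)"
        exit 3
    }
}
$count = $events.Count

# 3. Report in Nagios plugin format: text | 'label'=value;warn;crit
$perf = "'eventlog'=$count;$MaxWarn;$MaxCrit"
if ($count -ge $MaxCrit)     { Write-Output "CRITICAL: ${EventId}: ($count)|$perf"; exit 2 }
elseif ($count -ge $MaxWarn) { Write-Output "WARNING: ${EventId}: ($count)|$perf"; exit 1 }
else                         { Write-Output "OK: no event $EventId since $Since|$perf"; exit 0 }
```

In the agent's reply `'eventlog'=0;1;1;` the fields follow the Nagios performance-data layout: the first is the number of matched events and the next two are the warning and critical thresholds. A non-zero count from this script alongside a zero from the agent points at the agent not reading this channel rather than at the filter.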
- Box293
Re: How to monitor extended windows eventlogs using Nagios
Turn on debug logging in NSClient++ and restart the service.
Then try executing these commands and check the log to see what logs. (I like using http://tailforwin32.sourceforge.net/ for watching logs on windows servers).
Re: How to monitor extended windows eventlogs using Nagios
Any other option?
Re: How to monitor extended windows eventlogs using Nagios
I've fiddled with this a little bit to try and debug your problem. I'm having trouble identifying what "token" to use to tell nsclient I want to query a log besides App/Sys/Sec. This may be one you should reach out to Michael Medin (the developer of NSCP) on. Have you tried that?
https://forums.nsclient.org/
Re: How to monitor extended windows eventlogs using Nagios
Thanks
Will update if u get the correct syntax.
Ankur.
Re: How to monitor extended windows eventlogs using Nagios
We appreciate it - will leave the topic open hoping you get it resolved.