Nagios Quick Notification Response?

[jdalrymple]

http://files.nsclient.org/legacy/

[cusvenus]

I am using version:

Below is the config

[/settings/NSCA/client]
channel = NSCA
hostname = <hostname>

[/settings/NSCA/client/targets/default]
address = <Nagios XI Server IPAddress>
allowed ciphers = ADH
certificate =
encryption = none
password = nagios
timeout = 30
use ssl = false
verify mode = none

[/settings/eventlog]
buffer size = 131072
debug = false
lookup names = true
syntax =

[/settings/eventlog/real-time]
debug = false
enabled = true
log = application,system
startup age = 30m

[/settings/eventlog/real-time/filters]

[/settings/eventlog/real-time/filters/default]
destination=NSCA
maximum age= 3d
ok message= Found no records in eventlog last three days.
syntax=%type% %id% %source%: %message%

[/settings/eventlog/real-time/filters/DVMS_System]
log= system
filter= level IN (info) AND (id IN (3201,3202)
severity= WARNING
ok message= Found no records in system eventlog last three days.
maximum age= 1d

Nagios XI configuration

[root@sncnagiosmysqlmon xinetd.d]# cat nsca
# default: on
# description: NSCA (Nagios Service Check Acceptor)
service nsca
{
flags = REUSE
socket_type = stream
wait = no
user = nagios
group = nagios
server = /usr/local/nagios/bin/nsca
server_args = -c /usr/local/nagios/etc/nsca.cfg --inetd
log_on_failure += USERID
disable = no
only_from = 127.0.0.1 <Monitoring Server IP>
}
[root@sncnagiosmysqlmon xinetd.d]#


Nagios Web Config

[cusvenus]

This is what I want to make it work:

[/settings/eventlog/real-time/filters/DVMS_System]
log= system
filter= level IN (info) AND (id IN (3201,3202)
severity= WARNING
ok message= Found no records in system eventlog last three days.
maximum age= 1d

NSCP-0.4.3.143-x64 (This is Nagios Client version)

Is there anything pending in capturing these events. I don't see any in "Unconfigured Objects"

[cusvenus]

Any update on this please?

[jdalrymple]

Enable logging:

Code: Select all

[/settings/log]
file name = nsclient.log
level = debug

restart nscp and see what the log says.

Incidentally I'm assuming you just omitted the [/modules] section because it's implied that checkeventlog is enabled. If that's not the case you will have to put that into your nsclient.ini

[cusvenus]

attached the DebugLog.

Also the config Below:

Code: Select all

[/settings/log]
file name = nsclient.log
level = debug

; Undocumented section
[/modules]

; NRPEServer - A server that listens for incoming NRPE connection and processes incoming requests.
NRPEServer = 1

; CheckSystem - Various system related checks, such as CPU load, process state, service state memory usage and PDH counters.
CheckSystem = 1

; NSClientServer - A server that listens for incoming check_nt connection and processes incoming requests.
NSClientServer = 1

; CheckExternalScripts - Execute external scripts
CheckExternalScripts = 1

; CheckHelpers - Various helper function to extend other checks.
CheckHelpers = 1

; NSCAClient - NSCA client can be used both from command line and from queries to submit passive checks via NSCA
NSCAClient = 1

; CheckEventLog - Check for errors and warnings in the event log.
CheckEventLog = 1

; CheckNSCP - Use this module to check the healt and status of NSClient++ it self
CheckNSCP = 1

; CheckDisk - CheckDisk can check various file and disk related things.
CheckDisk = 1

CheckLogFile = 1

CheckLogFile = enabled

CheckEventLog = enabled

CheckEventLog = 1

NSCAClient = 1

[/settings/logfile/real-time]
enabled = true

[/settings/NSCA/client]
channel = NSCA
hostname = <Hostname>
 
[/settings/NSCA/client/targets/default]
address = <IP Address>
allowed ciphers = ADH
certificate = 
encryption = none
password = 
timeout = 30
use ssl = false
verify mode = none

[/settings/eventlog]
buffer size = 131072
debug = false
lookup names = true
syntax = 
 
[/settings/eventlog/real-time]
debug = false
enabled = true
log = application,system
startup age = 30m
 
[/settings/eventlog/real-time/filters]
 
[/settings/eventlog/real-time/filters/default]
destination=NSCA
maximum age= 3d
ok message= Found no records in eventlog last three days.
syntax=%type% %id% %source%: %message% 
 
;[/settings/eventlog/real-time/filters/EVT_Application]
;log= application
;filter= level IN (error) AND (id NOT IN (1,3,10,12,13,23,26,33,37,38,58,67,101,103,104,107,108,110,112,274,502,511,1000,1002,1004,1005,1009,1010,1026,1027,1053,1054,1085,1101,1107,1116,1301,1325,1334,1373,1500,1502,1504,1508,1511,1515,1521,1533,1542,2019,2158,2636,2670,3001,3008,3012,3021,3032,3037,3042,3077,3079,3098,3119,3130,3131,3148,3159,4005,4102,4237,4621,5008,5009,5051,5124,5133,5605,5705,6001,6007,6016,6032,6044,6100,7043,7363,7735,7823,7827,7833,8193,8194,8196,8313,9001,10000,10005,10007,10862,10922,11317,12121,12289,12291,12298,12321,13793,13836,14197,14204,15000,16038,16041,16053,16058,16063,16066,16068,16082,16195,16391,16418,16419,16421,17187,17192,17204,17412,17898,18176,19269,19458,19954,19969,19972,20958,21061,22670,35698,35705,35710,35712,35716,35721,35726,37088,37090,37092,37095,37098,37119,37124,37225)) AND (id NOT IN (1509) OR source NOT IN ('Userenv')) AND (id NOT IN (1055) OR source NOT IN ('Userenv')) AND (id NOT IN (1030) OR source NOT IN ('Userenv')) AND (id NOT IN (1006) OR source ;NOT IN ('Userenv'))
;severity= WARNING
;ok message= Found no records in application eventlog last three days.
;maximum age= 3d
 
 
[/settings/eventlog/real-time/filters/EVT_System]
log= system
filter= level IN (info) AND (id IN (3201,3202)
severity= WARNING
ok message= Found no records in system eventlog last three days.
maximum age= 1d

[jdalrymple]

Looks to me like it's working:

Code: Select all

2015-09-18 11:26:26: debug:D:\source\nscp\modules\CheckEventLog\realtime_thread.cpp:100: Processing: 00000000014A49D0
2015-09-18 11:26:26: debug:D:\source\nscp\include\parsers/filter/realtime_helper.hpp:148: No filters matched an event
2015-09-18 11:26:26: debug:D:\source\nscp\modules\CheckEventLog\realtime_thread.cpp:100: Processing: 00000000014A49D0
2015-09-18 11:26:26: debug:D:\source\nscp\include\parsers/filter/realtime_helper.hpp:148: No filters matched an event

It wont' send any nsca events to Nagios unless there is something interesting to send.

[cusvenus]

My goal is to make the below working?

[/settings/eventlog/real-time/filters/EVT_System]
log= system
filter= level IN (info) AND (id IN (3201,3202)
severity= WARNING
ok message= Found no records in system eventlog last three days.
maximum age= 1d

I don't see anything in Unconfigured Objects or anything related in the NagiosXI. Can you hep me on how to setup from the front end of what we see in the log?

This is basically tracking iisreset from command line will generate 3201 and 3202 and I don't see anything showing up related.


--- September 21, 2015 at 12:42 PM CDT ---

Any update on this please - Thank You

[tgriep]

I think you are missing a close parentheses in your filter.
Change this from

Code: Select all

filter= level IN (info) AND (id IN (3201,3202)

to

Code: Select all

filter= level IN (info) AND (id IN (3201,3202))

Restart the NSClient on the windows system and see if that resolves it.

[cusvenus]

Let me check and Confirm.