How to monitor Windows Event Logs

[Nagiosuser01999]

Hi All

I have been asked is it possible to monitor if someone stops, pauses or deletes windows event logs.

I have tried to setup NagEventLog however I haven't had any luck.

In the Monitoring Wizard I can see that there is a windows event log. Looks like someone has installed this already.

I select that , then add the ip or host name in I wish to monitor , In this case I'm testing this on my workstation.
I have followed the document on configuring NSCA on the Nagios XI Server
I have installed the NagEventLog on my desktop and can confirm that it is talking to Nagios.

when I perform a test I see nothing at all?

I'm not too sure what is going on.
I'm I suppose to add a command?

[jdalrymple]

Your problem seems to be all over the map:

is it possible to monitor if someone stops, pauses or deletes windows event logs

Typically when people ask about Windows event log monitoring they're looking to be alerted if a specific ID or message pops up in one of the system logs. Your description sounds more to me like you want to know if the service is started/stopped/deleted which would be more of a service check. You could just use the WMI or Windows Server wizard to monitor for the service "EventLog"

In the Monitoring Wizard I can see that there is a windows event log. Looks like someone has installed this already.

This would be the more standard method of monitoring event log where you're searching for specific event log contents. Is that what you wish to do? If so it's well documented:https://assets.nagios.com/downloads/nag ... entLog.pdf

I have installed the NagEventLog on my desktop and can confirm that it is talking to Nagios.

How can you confirm? Have you looked for results in unconfigured objects?

[Nagiosuser01999]

Thanks for you reply

If I run the 'Test NSCA daemon' I get the message NSCA send succeeded.

Also I can see that port 5667 is listening on Nagios , So there is no firewall issues going on.
Ok so if you are using NSCA you are wanting to monitor for a specific event ID or message.
And if I’m monitoring the Windows Event Log service I would see if the service is stopped or paused.

What I would like to do is monitor the Windows Event Log service which seems straight forward however I would like to also monitor the event ID’s of windows event logs being cleared/deleted.

I have followed the EventLog.pdf However when I generate a test event log I have no data show up in nagios under that host

[jdalrymple]

If I run the 'Test NSCA daemon' I get the message NSCA send succeeded.

This has me a bit confused, mostly I guess just because I'm unfamiliar with that button. Is that something that is part of the NagEventLog product?

Also I can see that port 5667 is listening on Nagios , So there is no firewall issues going on.

Seeing that port 5667 is not indicative that there are no firewall issues:

Code: Select all

[root@nagioshost ~]# ss -an | grep 5667
LISTEN     0      64                       :::5667                    :::*
[root@nagioshost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:f3:24:9e brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.70/24 brd 10.0.2.255 scope global eth0
    inet6 fe80::20c:29ff:fef3:249e/64 scope link
       valid_lft forever preferred_lft forever

Code: Select all

[root@anotherhost ~]# nmap 10.0.2.70

Starting Nmap 5.51 ( http://nmap.org ) at 2015-10-14 16:32 CDT
Nmap scan report for 10.0.2.70
Host is up (0.00011s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 00:0C:29:F3:24:9E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.34 seconds

if I’m monitoring the Windows Event Log service I would see if the service is stopped or paused

This isn't done with event log monitoring, this is basic monitoring of a service. Handle this with a wizard as I described above.

I would like to also monitor the event ID’s of windows event logs being cleared/deleted

I've never heard of this, nor do I even know how I'd go about it. It seems like you'd have to duplicate then diff the event log.

[Nagiosuser01999]

That's correct jdalrymple NagEventLog dose have a test button.

I have setup a Check_WM_Service to monitor eventlog. I have tested this and this seems to be working.

I Think I'm suppose to use NagEventLog application to monitor specific event log's , I'm not having much luck with getting this to work.
I will go through the documentation again and see how I go

[jdalrymple]

Note that by default debugging in NSCA is disabled:

Code: Select all

# DEBUGGING OPTION
# This option determines whether or not debugging
# messages are logged to the syslog facility.
# Values: 0 = debugging off, 1 = debugging on

debug=0

Enabling that then watching /var/log/messages will likely prove very beneficial to you.