Command to check Windows logs

[jamesc23]

Yes our server is still on an old version. I think we're on 2011R1.6. We'll be looking to upgrade our server but it won't be anytime soon as we have other projects to concentrate on which will take a lot of our time.

As for the config in nsclient.in - please see below.

[/settings/eventlog/real-time/filters/default]
destination=NSCA
maximum age= 3d
ok message= Found no records in eventlog last three days.
syntax=%type% %id% %source%: %message%


[/settings/eventlog/real-time/filters/RAID Windows Event]
log = application
filter = id = 3006
severity = WARNING
syntax = %message%
ok message = Found no RAID related eventlogs last three days.
maximum age = 3d

[lmiltchev]

Have you tried generating an event on the Windows server that is compliant with the filter you made as suggested by WillemDH?

[jamesc23]

Yes I have

[jdalrymple]

Your best bet from this point is to see if nscient is even picking up the event. You can look in nsclient.log if you have logging enabled:

Code: Select all

[/settings/log]  
file name = nsclient.log  
debug = 1

Or if you don't have logging enabled, just kill the service:

Code: Select all

net stop nscp

Then restart from an elevated command prompt:

Code: Select all

c:\program files\nsclient++\nscp.exe test

Regenerate the event and watch the debug output for further information.

[jamesc23]

Does the below imply that my filter settings are incorrect?

2015-10-22 11:58:15: debug:D:\source\nscp\include\parsers/filter/realtime_helper.hpp:193: Next miss time is in: 86379s
2015-10-22 11:58:21: debug:D:\source\nscp\modules\CheckEventLog\realtime_thread.cpp:86: Reading eventlog messages...
2015-10-22 11:58:21: debug:D:\source\nscp\modules\CheckEventLog\realtime_thread.cpp Processing: 0000000000542F20
2015-10-22 11:58:42: debug:D:\source\nscp\include\parsers/filter/realtime_helper.hpp:193: Next miss time is in: 86379s
2015-10-22 11:58:55: debug:D:\source\nscp\modules\CheckEventLog\realtime_thread.cpp:86: Reading eventlog messages...
2015-10-22 11:58:55: debug:D:\source\nscp\modules\CheckEventLog\realtime_thread.cpp Processing: 0000000000542F20
2015-10-22 11:58:55: debug:D:\source\nscp\include\parsers/filter/realtime_helper.hpp:148: No filters matched an event

[jdalrymple]

I'm kind of stating the obvious here, so bear with me:

In the config you sent you just have filter = id = 3006. Is that indicative of a drive failure? Can you verify that ID is in your application event log somewhere in the past 3 days?

To answer your question, it does look to me like your realtime log monitor isn't finding anything of interest to tell you about.

[WillemDH]

Try a filter like this pls:

Code: Select all

filter = level IN (error) AND (id IN (3006,3007)

Just as I'm 100 % sure the above syntax works for me in NSClient 0.4.1.105. Generate an error event 3006 with Powershell.

[tmcdonald]

@jamesc23, let us know if JR or Willem's posts were helpful!

[jamesc23]

Ok. I changed the filter according to the suggestion and I'm still getting the no filters matched message. I tried generating Information, Warning and Error messages based on event 3006 and 3007.

I can also verify that the event ID 3006 (read event) are in the application logs. I am assuming that the command nscp.ext test will actually tell me useful information if the event ID is matched?

Please let me know if there's anything else I could try.

Many thanks.

[lmiltchev]

Can you post the "nsclient.log"?