Command to check Windows logs

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
jamesc23
Posts: 82
Joined: Thu Jan 15, 2015 11:55 pm

Re: Command to check Windows logs

Post by jamesc23 »

Hope the file provides enough details.

Thanks.
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: Command to check Windows logs

Post by Box293 »

Can you please post your most recent nsclient.ini file.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Re: Command to check Windows logs

Post by jamesc23 »

Here it is.

Re: Command to check Windows logs

Post by Box293 »

I believe this is your issue:

Code:

filter = level IN (error) AND (id IN (3006,3007)

It's missing a closing bracket at the end:

Code:

filter = level IN (error) AND (id IN (3006,3007))

Re: Command to check Windows logs

Post by jamesc23 »

Thanks. Unfortunately, it didn't make any difference.

Re: Command to check Windows logs

Post by Box293 »

OK so I believe the reason why Willem's guide isn't working for you is because he is using NSClient 0.4.1.105 and you're using 0.4.3.143. Don't get me started on how frustrating it is that the developer makes major changes in functionality in minor version releases. If you're gonna re-write something, then start with a new module! /EndRant

However with a bit of playing I have something sort of working:

Code:

[/settings/eventlog/real-time/filters/RAID_Windows_Event]
log= application
filter=level =1
id= 3006,3007
severity= CRITICAL
ok message= Found no RAID related eventlogs last three days.
target= NSCA
maximum age= 3d

Using some PowerShell commands you can insert an event into a log:
https://scompanion.wordpress.com/2012/0 ... owershell/

Code:

# Open the Application log and set the event source
$evt=new-object System.Diagnostics.Eventlog("Application")
$evt.Source="Culham.net"
# Event ID and message text for the test entry
$evtNumber=3006
$evtDescription="This is a test event"
# Write the entry with type Error
$infoevent=[System.Diagnostics.EventLogEntryType]::Error
$evt.WriteEntry($evtDescription,$infoevent,$evtNumber)
# Write a second, identical entry
$infoevent=[System.Diagnostics.EventLogEntryType]::Error
$evt.WriteEntry($evtDescription,$infoevent,$evtNumber)

I still think the filter I created above needs some work, however I was able to receive the events in Nagios XI - remember to check Admin > Monitoring Config > Unconfigured Objects.

Let us know how you go ... I've pulled enough hair out today :lol:

Re: Command to check Windows logs

Post by jamesc23 »

Thanks very much box293. Unfortunately, I still can't get it to work.

Changed the code to what you've provided.

[/settings/eventlog/real-time/filters/RAID_Windows_Event]
log= application
filter=level =1
id= 3006,3007
severity= CRITICAL
ok message= Found no RAID related eventlogs last three days.
destination= NSCA
maximum age= 3d

Re: Command to check Windows logs

Post by Box293 »

Are you able to submit an event using the PowerShell command? Does it come through?

Re: Command to check Windows logs

Post by jamesc23 »

Yep. Events go through using powershell. I can see them within event viewer.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Command to check Windows logs

Post by ssax »

This is taken from a working one that I've tested:

Try changing the necessary information, test it, and let us know.

Thank you

Code:

n1= NSCAClient

[/settings/NSCA/n1]
channel = NSCA1

[/settings/NSCA/n1/targets/default]
host=X.X.X.X
encryption=none
password=mypassword

; A set of options to configure the real time checks
[/settings/eventlog/real-time]

; DEBUG - Log missed records (useful to detect issues with filters) not useful in production as it is a bit of a resource hog.
debug = 0

; REAL TIME CHECKING - Spawns a background thread which detects issues and reports them back instantly.
enabled = true

; LOGS TO CHECK - Comma separated list of logs to check
log = application,system

; STARTUP AGE - The initial age to scan when starting NSClient++
startup age = 20m

; A set of filters to use in real-time mode
[/settings/eventlog/real-time/filters]

[/settings/eventlog/real-time/filters/default]

; DESTINATION - The destination for intercepted messages
;destination=NSCA

; MAXIMUM AGE - How long before reporting "ok" (if this is set to off no ok will be reported only errors)
;maximum age= 20m

; OK MESSAGE - This is the message sent periodically whenever no error is discovered.
ok message= eventlog found no records test default

; SYNTAX - Format string for dates
syntax=%type% %id% %source%: %message%

[/settings/eventlog/real-time/filters/Log_win_app_warning]
log= application
filter=level= 2 AND (id NOT IN (4,5))
severity= warning
ok message= Autoreset, found no records in application eventlog
target=NSCA1
maximum age= 20m
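
Added example, not part of the original thread and not NSClient++ code: a small Python lint for two things visible in the configs above, the unbalanced parenthesis in the eventlog `filter` that Box293 pointed out and the `encryption=none` NSCA target in the last config. The sample text is constructed from lines quoted in the thread, and the quote handling assumes filter strings are delimited with `'` or `"`.

```python
# Constructed sample built from lines quoted in the thread (not a full nsclient.ini).
SAMPLE_INI = """\
[/settings/NSCA/n1/targets/default]
encryption=none
[/settings/eventlog/real-time/filters/RAID_Windows_Event]
filter = level IN (error) AND (id IN (3006,3007)
[/settings/eventlog/real-time/filters/Log_win_app_warning]
filter=level= 2 AND (id NOT IN (4,5))
"""

def paren_error(expr):
    """Return None if parentheses balance, else a short description."""
    depth, quote = 0, None
    for col, ch in enumerate(expr, 1):
        if quote:                      # assumption: strings use ' or " quotes
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return f"unexpected ')' at column {col}"
    return f"{depth} unclosed '('" if depth else None

def lint(text):
    """Return (line_no, section, message) for each finding in an INI text."""
    findings, section = [], ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                   # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "filter" and "/eventlog/" in section:
            err = paren_error(value)
            if err:
                findings.append((no, section, f"filter: {err}"))
        if key == "encryption" and "/NSCA/" in section and value.lower() == "none":
            findings.append((no, section, "NSCA results are sent unencrypted"))
    return findings

if __name__ == "__main__":
    for no, section, msg in lint(SAMPLE_INI):
        print(f"line {no} [{section}]: {msg}")
```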