monitor event logs under "applications and services logs"

[luffywallis]

Hi all;
i'm trying to track events on applications and services logs/Microsoft/Windows/Diagnosis-PLA/Operational. i know that it's not possible using check_wmi_eventid, and my only solution is to use check_nrpe checkeventlog. i'm confused on how to point to the specific location, since all the examples that i found on net point to basic locations (application, system....). Thank you

[eloyd]

I'm going to put a big plug in here for Nagios Log Server. You can monitor all your Windows event logs and application logs by sending them to the Nagios Log Server, and then search for strings and patterns there, then alert through Nagios from Log Server. Plus, for a small size installation, it's free!

[ssax]

What version of NSClient++ are you running?

[ssax]

Here is what worked for me on the latest version of NSClient++:

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H X.X.X.X -c checkeventlog -a file=YOURLOGNAME MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'informational'"

[ssax]

I right clicked on the even log and view the properties to get the full name, yours would be:

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H X.X.X.X -c checkeventlog -a file=Microsoft-Windows-Diagnosis-PLA/Operational MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'informational'"

[luffywallis]

I right clicked on the even log and view the properties to get the full name, yours would be:

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H X.X.X.X -c checkeventlog -a file=Microsoft-Windows-Diagnosis-PLA/Operational MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'informational'"

thank you ssax, that worked for me
i just want to ask about the messages received by mail in nagios notification: i want to add the details of the event log in the received mail. i tried the solution described here :
http://serverfault.com/questions/410020 ... tification
(config changed in /etc/nagios/misccommands.cfg), i rebooted the nagios server, but that didn't work...any hint?

[rkennedy]

Can you post your notify-service-by-email definition for us to look at?

[luffywallis]

Can you post your notify-service-by-email definition for us to look at?

Okay, sorry i was wrong, i'm using centreon, so i had to change it through centreon interface.after doing that LONGSERVICEOUTPUT has been added. this is the definition of notify-by-email:

Code: Select all

/usr/bin/printf "%b" "***** centreon Notification *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $DATE$ Additional Info : $SERVICEOUTPUT$\n Description: $LONGSERVICEOUTPUT$" | /bin/mail -s "** $NOTIFICATIONTYPE$ alert - $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$

but even with this, i'm not getting what i want. in fact, when i type the command directly in the server, this is what i got:

Code: Select all

 ./check_nrpe -H hostname -c checkeventlog -a file=Microsoft-Windows-Diagnosis-PLA/Operational MaxWarn=1 MaxCrit=1 "filter=generated > -1m AND severity = 'informational' AND id=2031" unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
information: Microsoft-Windows-Diagnosis-PLA: Performance counter \ServiceModelOperation 4.0.0.0(xxxxxxxxxxxx|xxxx|)\Calls Duration has tripped its alert threshold. The counter value of 4.000038 is over the limit value of 1.000000. 1.000000 is the alert threshold value. (%count%)|'count'=6;1;1

but in the email notification, this is what i got:

Code: Select all

***** centreon Notification *****

Notification Type: PROBLEM

Service: eventlog_service
Host: hostname
Address: hostname
State: CRITICAL

Date/Time: 02-03-2016 Additional Info : information: Microsoft-Windows-Diagnosis-PLA: Performance counter \ServiceModelOperation 4.0.0.0(xxxxxxxxxxxx|xxxx
 Description: 

how to get this information " The counter value of 4.000038 is over the limit value of 1.000000. 1.000000 is the alert threshold value. (%count%)|'count'=6;1;1" into the mail notification?

[tmcdonald]

I'm sorry, but we do not support Centreon or other competing software. You will need to visit their forums for support.