Syntax for filters in check_eventlog

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
tejanagios
Posts: 24
Joined: Wed Feb 03, 2016 6:45 am

Syntax for filters in check_eventlog

Post by tejanagios »

Could you please point me to some examples of using check_eventlog?

I have found this link, https://outsideit.net/real-time-eventlog-monitoring/, but couldn't understand it well. I was looking at the NSCA settings configuration page in the NSClient++ documentation.

There is a mention of a scheduler in it; they say that the protocol cannot work without a scheduler. If so, how is this config done without a scheduler?

Could you point me to the syntax for writing filters? The nagvis agent that comes out of the box and is included in Nagios XI crashes upon installation. Why is this not excluded from Nagios XI (5.2.3)? Would this be the same when we decide to buy Nagios XI?

Kindly answer the above questions and post content or links where necessary.

[/settings/eventlog]
buffer size = 131072
debug = false
lookup names = true
syntax =

[/settings/eventlog/real-time]
debug = false
enabled = true
log = application,system
startup age = 30m

[/settings/eventlog/real-time/filters]

[/settings/eventlog/real-time/filters/default]
destination = NSCA
maximum age = 3d
ok message = Found no records in eventlog last three days.
syntax = %type% %id% %source%: %message%

[/settings/eventlog/real-time/filters/EVT_Application]
log = application
filter = level IN (error) AND (id NOT IN (1,3,10,12,13,23,26,33,37,38,58,67,101,103,104,107,108,110,112,274,502,511,1000,1002,1004,1005,1009,1010,1026,1027,1053,1054,1085,1101,1107,1116,1301,1325,1334,1373,1500,1502,1504,1508,1511,1515,1521,1533,1542,2019,2158,2636,2670,3001,3008,3012,3021,3032,3037,3042,3077,3079,3098,3119,3130,3131,3148,3159,4005,4102,4237,4621,5008,5009,5051,5124,5133,5605,5705,6001,6007,6016,6032,6044,6100,7043,7363,7735,7823,7827,7833,8193,8194,8196,8313,9001,10000,10005,10007,10862,10922,11317,12121,12289,12291,12298,12321,13793,13836,14197,14204,15000,16038,16041,16053,16058,16063,16066,16068,16082,16195,16391,16418,16419,16421,17187,17192,17204,17412,17898,18176,19269,19458,19954,19969,19972,20958,21061,22670,35698,35705,35710,35712,35716,35721,35726,37088,37090,37092,37095,37098,37119,37124,37225)) AND (id NOT IN (1509) OR source NOT IN ('Userenv')) AND (id NOT IN (1055) OR source NOT IN ('Userenv')) AND (id NOT IN (1030) OR source NOT IN ('Userenv')) AND (id NOT IN (1006) OR source NOT IN ('Userenv'))
severity = WARNING
ok message = Found no records in application eventlog last three days.
maximum age = 3d
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: Syntax for filters in check_eventlog

Post by Box293 »

What version of NSClient++ are you using?
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: Syntax for filters in check_eventlog

Post by jolson »

tejanagios wrote: There is a mention of a scheduler in it; they say that the protocol cannot work without a scheduler. If so, how is this config done without a scheduler?
NSCA is an event scheduler for _passive_ checks - you can certainly check on your events actively. If you need to see your event logs in real-time, you'll need to use NSCA as a scheduler to send events out to the Nagios XI box.

Check out some of these examples:

Code:

./check_nrpe -H 192.168.145.1 -c Check_EventLog -a 'debug' 'warning=count > 0' 'critical=count > 5' "filter=level = 3 AND message like 'none of the' AND log = 'System' AND id in (1014,1015)" 'scan-range=-1000m'
WARNING: 0/1 System Microsoft-Windows-DNS-Client (Name resolution for the name mail.google.com timed out after none of the configured DNS servers responded.)|'count'=1;0;5
level = 3 means Warning:
4 = Information
3 = Warning
2 = Error
1 = Critical

If you wanted to check the last 2d for warnings or errors:

Code:

./check_nrpe -H 192.168.145.1 -c check_eventlog -a scan-range=-4800m file=System filter="level in ('warning', 'error') AND source = 'Service Control Manager'"
WARNING: 0/1 System Service Control Manager (The VMware Workstation Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.)|'count'=1;0;5
The last 5 minutes for specific IDs:

Code:

./check_nrpe -H 192.168.145.1 -c check_eventlog -a scan-range=-5m 'filter=id=7036'
WARNING: 0/1 System Service Control Manager (The Multimedia Class Scheduler service entered the running state.)|'count'=1;0;5
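To try filter expressions like the ones in jolson's examples before putting them into a check or a real-time filter, here is a small evaluator added as an example (it is not from the original thread and not NSClient++'s own code): it parses the field/operator/value syntax used above (=, IN, NOT IN, like, AND, OR, parentheses), treats level names and their codes as interchangeable per the list above, and runs a filter over two constructed records. The operator precedence (AND before OR) and the substring semantics for `like` are assumptions, not taken from the NSClient++ implementation, and operators not shown in the thread are not modelled.

```python
import re
# Level names and codes as listed in the thread (1=Critical, 2=Error, 3=Warning, 4=Information).
LEVELS = {"critical": 1, "error": 2, "warning": 3, "information": 4}
TOKEN = re.compile(r"'[^']*'|\d+|[A-Za-z_]\w*|[(),=]")  # quoted text, numbers, words, ( ) , =
PREC = {"or": 1, "and": 2}                              # assumed: AND binds tighter than OR
def literal(tok):  # quoted strings lose their quotes, digits become ints, bare words stay as written
    return tok[1:-1] if tok.startswith("'") else int(tok) if tok.isdigit() else tok
def norm(field, value):  # case-insensitive; for 'level', a name and its numeric code compare equal
    value = value.lower() if isinstance(value, str) else value
    return LEVELS.get(value, value) if field == "level" else value

class Matcher:  # parses one filter expression and evaluates it against one event record as it goes
    def __init__(self, expr, event):
        self.toks, self.i, self.event = TOKEN.findall(expr), 0, event
    def peek(self): return self.toks[self.i].lower() if self.i < len(self.toks) else None
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def expr(self, min_prec=1):  # precedence climbing over AND / OR
        result = self.term()
        while self.peek() in PREC and PREC[self.peek()] >= min_prec:
            op = self.take().lower()
            rhs = self.expr(PREC[op] + 1)
            result = (result and rhs) if op == "and" else (result or rhs)
        return result
    def term(self):
        if self.peek() == "(":  # parenthesised sub-expression
            self.take(); result = self.expr(); self.take(); return result
        field, negate = self.take().lower(), self.peek() == "not"
        if negate: self.take()  # e.g. id NOT IN (...)
        op = self.take().lower()
        if op == "in":  # consume '(' then every value up to the closing ')'
            self.take(); wanted = [literal(t) for t in iter(self.take, ")") if t != ","]
        else:           # field = value, field like 'text'
            wanted = [literal(self.take())]
        actual, wanted = norm(field, self.event[field]), [norm(field, v) for v in wanted]
        hit = str(wanted[0]) in str(actual) if op == "like" else actual in wanted  # like: substring (assumed)
        return hit != negate

def matches(expr, event):
    m = Matcher(expr, event); result = m.expr()
    if m.i != len(m.toks): raise ValueError("unparsed tokens: %r" % m.toks[m.i:])
    return result

# Constructed sample records, shaped like the two System-log events quoted in the examples above.
EVENTS = [
    {"log": "System", "source": "Service Control Manager", "id": 7036, "level": 4, "message": "The Multimedia Class Scheduler service entered the running state."},
    {"log": "System", "source": "Microsoft-Windows-DNS-Client", "id": 1014, "level": 3, "message": "Name resolution for the name mail.google.com timed out after none of the configured DNS servers responded."},
]
def select(expr, events=EVENTS):  # ids of the records the filter would report
    return [e["id"] for e in events if matches(expr, e)]
```

A filter with trailing text the parser cannot place raises ValueError instead of silently matching, which is the failure mode to check for before deploying an expression.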
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Syntax for filters in check_eventlog

Post by ssax »

In addition to jolson's post, did you read through this one as well?

https://www.medin.name/blog/2012/03/20/ ... -nsclient/

Because the real-time eventlog monitoring is a passive check, the scheduler needs to be enabled in order to schedule the passive checks.

You can do active checks (nagios reaching out to the server to check on an interval, will not be real-time) using NRPE as well.

To not muddy the waters here, let's focus on getting you up and running the way that you want it to work.
tejanagios wrote: The nagvis agent that comes out of the box and is included in Nagios XI crashes upon installation.
What nagvis agent are you talking about?
tejanagios
Posts: 24
Joined: Wed Feb 03, 2016 6:45 am

Re: Syntax for filters in check_eventlog

Post by tejanagios »

Box293 wrote: What version of NSClient++ are you using?
NSClient++ 0.4.4.15
tejanagios
Posts: 24
Joined: Wed Feb 03, 2016 6:45 am

Re: Syntax for filters in check_eventlog

Post by tejanagios »

Hi ssax,

The Windows event log configuration wizard in Nagios XI requires you to download and install an agent on the systems:

http://assets.nagios.com/downloads/addo ... -1.9.2.exe

the NagEventLog agent. The build doesn't work.

I have read Michael Medin's blog as well; it's incomplete, covers an older version, and is not clear enough to understand.

The key-value pair style of writing filters is what I am after. Can you please post or point me to such a tutorial or documentation? Thank you.

I was looking at installing the NCPA agent instead of NSClient++; can you point me to the pros and cons please?
Q2. Can I run NRPE-style external PowerShell commands using an NCPA agent?
Q3. Is it a good idea to have all my performance checks active and service checks passive?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Syntax for filters in check_eventlog

Post by ssax »

I believe NagEventLog is not compatible with 64-bit systems (or at least has issues); it's a third-party tool and hasn't been updated in a while. I would just get NSClient++ working.

At this point I would recommend using NSClient++ if you are going to be using passive checks.

NCPA can process NRPE checks just like NSClient++.

It's entirely up to you what you want active vs. passive; it depends on your business requirements. Generally I would just use active checks and save passive for long-running scripts, near real-time event logging, or use in higher-security environments (PCI/HIPAA/SANS compliance).

Please read more about them here:

Code:

https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/3/en/passivechecks.html