check_nagioslogserver.php

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
tylerhoadley
Posts: 43
Joined: Tue Jul 02, 2013 1:41 pm

Post by tylerhoadley »

Not sure if I should post this here or in XI support forums, but I'm having an issue getting the "check_nagioslogserver.php" check to go critical on '1 matching entries found'. I thought I had tested this last week where I would leave --warn='' and --crit='1' in the check and it would report as CRITICAL, but now it will only result in OK status.

[root@nagios libexec]# ./check_nagioslogserver.php --url='https://SERVER/nagioslogserver/' --apikey='KEY' --minutes='30' --warn='' --crit='1' --query='{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"*"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1442861603011,"to":1442948003012}}},{"fquery":{"query":{"query_string":{"query":"message:(\"EVENTIDCODE\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"Hostname:(\"WINSERVERNAME\")"}},"_cache":true}}]}}}}}'
OK: 1 matching entries found |logs=1;;1

[root@nagios libexec]# ./check_nagioslogserver.php --url='https://SERVER/nagioslogserver/' --apikey='KEY' --minutes='30' --warn='1' --crit='2' --query='{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"*"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1442861603011,"to":1442948003012}}},{"fquery":{"query":{"query_string":{"query":"message:(\"EVENTIDCODE\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"Hostname:(\"WINSERVERNAME\")"}},"_cache":true}}]}}}}}'
OK: 1 matching entries found |logs=1;1;2

Anyone have some insight into the php warn/critical calculation/result?

If I should post this in the XI Support forum, please let me know, but figured this check is supported by the log server side rather than the XI side.

Thanks,

Re: check_nagioslogserver.php

Post by tylerhoadley »

Well, I believe I figured this out... Hopefully someone else out there finds this helpful on the 1 match found.

I used this as my warn/crit args:

--crit="@1:~"
CRITICAL: 1 matching entries found |logs=1;;@1:~

Cheers

hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: check_nagioslogserver.php

Post by hsmith »

Thank you for sharing your fix!
Former Nagios Employee.
eloyd
Cool Title Here
Posts: 2190
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: check_nagioslogserver.php

Post by eloyd »

Wow, that is one ugly check. PLEASE tell me you're not typing that by hand? :-)

I do have a question about your solution. That's obviously a Nagios range specifier, but my interpretation is that you're alerting on anything that is in the range of 1 through negative infinity. Not sure how the top end can be negative infinity, but I'm glad it's working for you.

Can I ask you to try something? Just use zero for the critical value? In theory, if the result is not in the range specified (zero) then it should alert.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd

Re: check_nagioslogserver.php

Post by hsmith »

I'm interested in this as well.

Re: check_nagioslogserver.php

Post by tylerhoadley »

The basis of the check is to alert on anything 1 or greater. These queries are defined in the Nagios Log Server; however, to test them without impacting our XI environment, I ran them locally via cmd before enabling the checks in XI. At the time of writing this, our XI version is/was 5.2.7, Log Server 1.4.1.

I'll test 0, but believe that came back critical if 0 was the result. I will have to wait for a 1 result on one of the many checks I have set up. I'm sure one will pop up today, so I will test and post once I can.

However with the args supplied, I've had no issues with 1 or greater going critical in XI.

Re: check_nagioslogserver.php

Post by tylerhoadley »

I came across this via the URL found within the --help arg on the check. Up until this check, I was unaware of the @ or ~ characters being used (XI customer for a few years now and Core user for years prior). I always thought 1 was the same as ≥1, however it did not tell Nagios to go critical. Finally, if you read over the URL link below, "@1:~" means ≥1 to positive infinity. In the comment, "@~:1" would be negative infinity to ≤1.

https://nagios-plugins.org/doc/guidelin ... HOLDFORMAT

# ./check_nagioslogserver.php --help

<Snipped>

--warn=<WARNING> The warning values, see:
https://nagios-plugins.org/doc/guidelin ... HOLDFORMAT
--crit=<CRITICAL> The critical values, see
https://nagios-plugins.org/doc/guidelin ... HOLDFORMAT
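
For readers following the thread, here is the threshold range format from the Nagios plugin guidelines worked through in Python, evaluated against the match count of 1 and the `--warn`/`--crit` values tried above. This is an added example, not code from check_nagioslogserver.php or from any poster; the function names are hypothetical, and rejecting `~` as an end value is an assumption based on a strict reading of the guidelines.

```python
import math

def parse_range(spec):
    """Parse '[@]start:end' as described in the Nagios plugin guidelines.

    Returns (start, end, alert_inside)."""
    inside = spec.startswith("@")      # '@' inverts: alert when value is inside
    body = spec[1:] if inside else spec
    if not body:
        raise ValueError("empty threshold")
    if ":" in body:
        start_s, end_s = body.split(":", 1)
    else:
        start_s, end_s = "0", body      # bare 'N' is the range 0..N
    if end_s == "~":
        # Strict reading (assumption): '~' is negative infinity, so it
        # cannot be the upper bound of a range.
        raise ValueError("'~' is negative infinity and cannot be an end value")
    start = -math.inf if start_s == "~" else float(start_s or 0)
    end = float(end_s) if end_s else math.inf
    if start > end:
        raise ValueError("start must not exceed end")
    return start, end, inside

def alerts(value, spec):
    """True when the value should raise an alert for this range spec."""
    start, end, inside = parse_range(spec)
    in_range = start <= value <= end    # endpoints are inclusive
    return in_range if inside else not in_range

def status(value, warn="", crit=""):
    """Plugin-style status; an empty string means 'no threshold set'."""
    if crit != "" and alerts(value, crit):
        return "CRITICAL"
    if warn != "" and alerts(value, warn):
        return "WARNING"
    return "OK"

def demo():
    # (warn, crit) pairs taken from the thread, all evaluated for 1 match
    cases = [("", "1"), ("1", "2"), ("", "0"), ("", "@1:")]
    return [(w, c, status(1, warn=w, crit=c)) for w, c in cases]

if __name__ == "__main__":
    for warn, crit, result in demo():
        print(f"warn={warn!r} crit={crit!r} value=1 -> {result}")
```

Under these rules a bare `1` is the range 0..1, so one match stays OK, while `@1:` alerts on 1 or more. The plugin output quoted in this thread differs from this strict reading for `--crit='0'` and `--crit="@1:~"`, so confirm the exact string against the plugin's exit code before relying on it for alerting.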

Re: check_nagioslogserver.php

Post by hsmith »

Thank you for sharing :)

Re: check_nagioslogserver.php

Post by tylerhoadley »

Came in this morning, noticed a critical 1 on a check, so tested it out with --crit=0.

# ./check_nagioslogserver.php --url='https://kgnslogpr.empire.ca/nagioslogserver/' --apikey='KEY' --minutes='30' --crit='0' --query='{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"*"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1442861603011,"to":1442948003012}}},{"fquery":{"query":{"query_string":{"query":"message:(\"EVENTIDCODE\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"Hostname:(\"WINSERVERNAME\")"}},"_cache":true}}]}}}}}'
OK: 1 matching entries found |logs=1;;

# echo $?
0

Re: check_nagioslogserver.php

Post by hsmith »

I'll see if I can get this tested tomorrow.