Monitoring Windows Event Logs

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
aap
Posts: 180
Joined: Wed Oct 12, 2011 4:01 am

Monitoring Windows Event Logs

Post by aap »

Hi,

Does anybody have any experience of using Nagios to monitor windows event logs? We are currently using the Windows Event log Config wizard but unable to get any information from the configured servers.

Currently getting "OK: No data received yet" on all the logs and nothing is reported.

Any idea and suggestions are welcome.
SDohmen
Posts: 240
Joined: Thu Jun 30, 2011 4:14 am

Re: Monitoring Windows Event Logs

Post by SDohmen »

I am not sure if you have done this but we do it as follows:

On the server which needs to be monitored we install NSClient++.

In the nsc.ini from the client we add something like:

event_id_1=CheckEventLog file=system debug=true MaxWarn=1 MaxCrit=1 "filter=generated gt -30d AND id IN (1) AND source IN ('Microsoft-Windows-Kernel-General','Microsoft-Windows-WHEA-Logger','Microsoft-Windows-DiskDiagnostic','Microsoft-Windows-CorruptedFileRecovery-Client') AND type IN ('warning', 'error')" truncate=800 unique descriptions "syntax=%id%: (%count%)"
event_id_2=CheckEventLog file=system debug=true MaxWarn=1 MaxCrit=1 "filter=generated gt -30d AND id IN (2) AND source IN ('Microsoft-Windows-CorruptedFileRecovery-Client','dmboot') AND type IN ('warning', 'error')" truncate=800 unique descriptions "syntax=%id%: (%count%)"

Then we add a service which uses check_nrpe with event_id_# as argument.

I hope this helps.
aap
Posts: 180
Joined: Wed Oct 12, 2011 4:01 am

Re: Monitoring Windows Event Logs

Post by aap »

We are using the plugin that requires the NagEventLog addon agent. It requires us to configure NSCA.

Do you know if we also require the NSClient ?
lmiltchev
Former Nagios Staff
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Monitoring Windows Event Logs

Post by lmiltchev »

Be sure to check out our Knowledgebase for helpful articles and solutions!
SDohmen
Posts: 240
Joined: Thu Jun 30, 2011 4:14 am

Re: Monitoring Windows Event Logs

Post by SDohmen »

aap wrote:We are using the plugin that requires the NagEventLog addon agent. It requires us to configure NSCA.

Do you know if we also require the NSClient ?

NSCA is a part of the nsclient++ package as well, but I believe there is a separate nsca package also. The downside of NSCA, however, is that the checks are passive and not active, which we prefer in our environment. Both should be fine, however, for logging the event logs.
aap
Posts: 180
Joined: Wed Oct 12, 2011 4:01 am

Re: Monitoring Windows Event Logs

Post by aap »

lmiltchev wrote:Have you tried the Windows Event Log Monitoring Wizard?

http://exchange.nagios.org/directory/Ad ... rd/details

http://assets.nagios.com/downloads/nagi ... entLog.pdf

@lmiltchev Yes, I am using this one. Installation is fine; however, I get the "No check results for service yet... " message even when an error log is generated. I can successfully send a test log from the monitored server, but the Nagios server does not seem to be picking it up.

I have done everything as listed in the install document but to no avail.

Any ideas where I'm going wrong? My implementation is on CentOS 6 and Nagios XI 2011R1.8
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Monitoring Windows Event Logs

Post by scottwilkerson »

Let's check Admin -> Monitoring Config -> Unconfigured Objects to make sure they aren't showing up under a different hostname.

If that is empty, let's do the following from the Nagios XI server to see if we can spot any errors from NSCA or xinetd:

tail -f /var/log/messages
aap
Posts: 180
Joined: Wed Oct 12, 2011 4:01 am

Re: Monitoring Windows Event Logs

Post by aap »

Hi,

Think I spotted something. Here goes...

nsca[4274]: Received invalid packet type/version from client - possibly due to client using wrong password or crypto algorithm?
xinetd[24853]: EXIT: nsca status=0 pid=4274 duration=1(sec)

Any ideas?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Monitoring Windows Event Logs

Post by scottwilkerson »

Yep, make sure in Admin -> Check Transfers -> Inbound Transfers -> NSCA Tab
you select the same encryption method and use the same password as on the Windows machine when you click the NSCA Daemons button on the Nagios EventLog Service Control Manager
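A small triage helper for the two /var/log/messages lines quoted above, added here as an example; it is not part of this thread, of NSCA or of Nagios XI. It assumes the classic syslog line layout and works on constructed sample lines, pairing each "invalid packet" rejection with the xinetd EXIT for the same pid so that a clean exit after a rejection points at the shared secret (password or encryption method) rather than at connectivity.

```python
import re

# Constructed sample modelled on the two lines aap quoted; timestamps, hostname
# and pids are made up, and the sshd line is there only as unrelated noise.
SAMPLE_LOG = """\
Mar  3 10:12:01 nagiosxi nsca[4274]: Received invalid packet type/version from client - possibly due to client using wrong password or crypto algorithm?
Mar  3 10:12:01 nagiosxi xinetd[24853]: EXIT: nsca status=0 pid=4274 duration=1(sec)
Mar  3 10:12:05 nagiosxi sshd[4280]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Mar  3 10:12:31 nagiosxi nsca[4301]: Received invalid packet type/version from client - possibly due to client using wrong password or crypto algorithm?
Mar  3 10:12:31 nagiosxi xinetd[24853]: EXIT: nsca status=0 pid=4301 duration=0(sec)
"""

# Classic syslog layout assumed: "<Mon dd HH:MM:SS> <host> <prog>[<pid>]: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
INVALID_PACKET = "Received invalid packet type/version"

def parse_syslog(text):
    """Yield a dict per line that matches the syslog layout; skip anything else."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()

def triage_nsca(text):
    """Count NSCA rejections and pair each with the xinetd EXIT for the same pid.

    A rejection followed by a normal xinetd exit means the TCP connection and
    the packet delivery work, so the fault lies in the shared NSCA settings:
    the password or encryption method differs between the Windows agent and
    Admin -> Check Transfers -> Inbound Transfers -> NSCA on the XI server.
    """
    rejected, exits = {}, {}
    for ev in parse_syslog(text):
        if ev["prog"] == "nsca" and INVALID_PACKET in ev["msg"]:
            rejected[ev["pid"]] = ev["ts"]
        elif ev["prog"] == "xinetd" and ev["msg"].startswith("EXIT: nsca"):
            pm = re.search(r"pid=(\d+)", ev["msg"])
            if pm:
                exits[pm.group(1)] = ev["msg"]
    paired = sum(1 for pid in rejected if pid in exits)
    verdict = ("nsca password/encryption mismatch likely" if rejected
               else "no NSCA rejections seen")
    return {"rejected": len(rejected), "paired_with_exit": paired, "verdict": verdict}

if __name__ == "__main__":
    print(triage_nsca(SAMPLE_LOG))
```

On a live server, feed it `tail -n 500 /var/log/messages` instead of the sample; a non-zero rejection count is the cue to compare the NSCA password and encryption method on both ends.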
aap
Posts: 180
Joined: Wed Oct 12, 2011 4:01 am

Re: Monitoring Windows Event Logs

Post by aap »

Hi,

All is working fine now. The issue was related to the configuration of the agent. Configured with the FQDN of the server matching the Nagios server and ensured that the encryption algorithm was the same (not sure why this changed), and all is working OK.

Thanks