Windows Event log id monitoring

[Naveed]

Hi,

I am monitoring windows event log ids from nagios XI.

Is there any way to monitor more than one event id in one service, my few services are dependent on 2 different event id. Whenever those 2 ids observed in logs than I need to restart my services.

For one event id I am using below command and its working fine.

check_nrpe!CheckEventLog!-a file=application MaxWarn=1 MaxCrit=2 "filter=generated > -10m AND id='10100'"!!!!!!

Please guide.

Thanks

[rkennedy]

I don't think this is going to be possible, you'll need to set up individual checks for each event ID you'd like to monitor.

[Naveed]

Thanks

[rkennedy]

No problem - did you have further questions or are we good to mark this thread as resolved?

[ruffsense]

write a powershell script. Something like this.

Code: Select all

function check_eventid()
{
$date=(Get-Date).AddMinutes(-10)
get-eventlog -logname system -after $date | ?{$_.eventid -eq "16" -or $_.eventid -eq "35"} | select EventID,EntryType,Message
}

change the 16 and 35 in de evenid you want to find.

[avandemore]

@Naveed do you consider this issue resolved?

You can find more information here:
https://docs.nsclient.org/0.4.4/
https://assets.nagios.com/downloads/nag ... ios-XI.pdf

[Naveed]

Thank you very much!

function check_eventid()
{
$date=(Get-Date).AddMinutes(-10)
get-eventlog -logname system -after $date | ?{$_.eventid -eq "16" -or $_.eventid -eq "35"} | select EventID,EntryType,Message
}


Will above function check either 16 or 35 "or" it will check both ids at the same time?

will and operator work for this function?

[rkennedy]

it will check for either/or ID at the same time.

The and function will not work because an eventid is only going to have one variable since they are unique to the issue.

[ruffsense]

Here you go.

Code: Select all

function check_eventid()
{
$time = "$($args[0])"
$event = "$($args[1])"
$eventid1 = "$($args[2])"
$eventid2 = "$($args[3])"
$date=(Get-Date).AddMinutes(-$time)
$log = get-eventlog -logname $event -after $date | ?{$_.eventid -eq "$eventid1" -or $_.eventid -eq "$eventid2"}
if ($log) {
   $log | ForEach-Object{echo "CRITICAL status – EventID = $($_.EventID), $($_.TimeGenerated)"}
#echo "CRITICAL status – $($log | % { echo "EventID ="$_.EventID,"," "TimeGenerated ="$_.TimeGenerated})"
   exit 2 #returns critical status
}
   else
   {
      echo "OK status – There are no events with your eventID"
      exit 0 #Return OK status
   }
}

how to run: check_eventid 10 system 1 19

10=time in minutes
system=is which log
1=eventid
19=eventid

goodluck

[ssax]

Just as an FYI, you can can monitor multiple event IDs in one service but it will do an OR so it would alert if either is present (but not both):

Code: Select all

check_nrpe!CheckEventLog!-a file=application MaxWarn=1 MaxCrit=2 "filter=generated > -10m AND id IN (8224,17137)"!!!!!!

Do you need to restart it only if both are present OR restart it if either message is present?


Thank you