monitoring Windows system log with NCPA

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
mvndnburg
Posts: 64
Joined: Wed Sep 21, 2016 2:53 am

monitoring Windows system log with NCPA

Post by mvndnburg »

Hi,

We're running NCPA 2.0.3 with Nagios 5.4.0 (Linux) and the check_ncpa.py plugin, version 1.1.0.

I want to monitor Windows event logs with the NCPA. Accessing the logs with NCPA API through a URL is successful. That is:

https://<host>:5693/api/logs?token=<token>&name=Application&severity=ERROR

returns a nice overview of the log entries.
But I am not able to turn this into a service with the check_ncpa.py plugin.

I have tried the following arguments but none work:
-t 'token' -P 5693 -M 'api/logs&name=Application&severity=ERROR'
-t 'token' -P 5693 -M 'api/logs?token=token&name=Application&severity=ERROR'
-t 'token' -P 5693 -M 'api/logs/name=Application&severity=ERROR'
-t 'token' -P 5693 -M 'api/logs/name=Application/severity=ERROR'
The error message returned is something like "The logs () requested does not exist."

Running check_ncpa.py from the command line returns the following:
/usr/local/nagios/libexec/check_ncpa.py -H <host> -t 'token' -P 5693 -M 'logs/name=Application' --list
error/
path: name=Application
message: The logs requested does not exist. You may be trying to access the 'logs' node.
code: 100
logs:
and:
/usr/local/nagios/libexec/check_ncpa.py -H <host> -t 'token' -P 5693 -M 'logs/' --list
logs/
message: No log type selected. Select log types using 'name=<type>'. Example: api/logs?name=System. Multiple log types can be selected.
and:
/usr/local/nagios/libexec/check_ncpa.py -H <host> -t 'token' -P 5693 -M '/' --list
root/
processes: []
logs/
message: No log type selected. Select log types using 'name=<type>'. Example: api/logs?name=System. Multiple log types can be selected.
memory/
and:
/usr/local/nagios/libexec/check_ncpa.py -H <host> -t 'token' -P 5693 -M 'api/logs' --list
logs/
message: No log type selected. Select log types using 'name=<type>'. Example: api/logs?name=System. Multiple log types can be selected.


So... what's the correct path to use to access the Windows system logs through the NCPA's API?


Edit: ncpa_plugin version.
--
Martijn
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: monitoring Windows system log with NCPA

Post by cdienger »

Hi mvndnburg,

You can use:


./check_ncpa.py -H w.x.y.z -t TOKEN -M 'logs' -q 'name=Application,severity=ERROR' --list
mvndnburg
Posts: 64
Joined: Wed Sep 21, 2016 2:53 am

Re: monitoring Windows system log with NCPA

Post by mvndnburg »

Excellent, that works.

Would it be an idea to update the NCPA documentation with this? Or rather, to add this little example to the Extended Modules / logs section?

Secondly: my alerting works now: if there are certain errors I'll get an email specifying that there are <n> errors in the log for the last <i> minutes. Would it be possible to include the log error texts in the error email? That is, combine the check_ncpa.py output of --list with the criteria of --caution and --warning?

That way the receiver of the alert email can already decide on the basis of the email content what kind of action is needed, without having to go into the Windows logs.
--
Martijn
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: monitoring Windows system log with NCPA

Post by mcapra »

That seems reasonable. I filed an issue on the GitHub for that functionality:
https://github.com/NagiosEnterprises/ncpa/issues/337

Did you have additional questions regarding this issue, or can we close this thread?
Former Nagios employee
https://www.mcapra.com/
mvndnburg
Posts: 64
Joined: Wed Sep 21, 2016 2:53 am

Re: monitoring Windows system log with NCPA

Post by mvndnburg »

Much appreciated for adding that to the backlog.

For now, as a workaround, I am thinking about an event handler to do the following:

1. an error occurs in the Windows log
2. NCPA throws the error to Nagios XI
3a. Nagios XI triggers the alert ("there are <n> errors in the application log") and sends an email to <recipient>.
3b. Nagios XI triggers an event handler.
4. The event handler *queries* the NCPA API of the relevant host and receives the actual alerts as a JSON object.
5. The event handler sends a formatted email with this information to <recipient>.

The nasty part is the extra overhead and the tricky part is obtaining the right <recipient> for step 5. Is this available in the event handler script (-arguments) as a macro or argument, or would I have to dive into the Nagios database to retrieve the <recipient> based on the contact group for the host?
--
Martijn
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: monitoring Windows system log with NCPA

Post by mcapra »

So here's the big old stock Nagios XI notification handler:


/usr/bin/php /usr/local/nagiosxi/scripts/handle_nagioscore_notification.php --notification-type=host --contact="$CONTACTNAME$" --contactemail="$CONTACTEMAIL$" --type=$NOTIFICATIONTYPE$ --escalated="$NOTIFICATIONISESCALATED$" --author="$NOTIFICATIONAUTHOR$" --comments="$NOTIFICATIONCOMMENT$" --host="$HOSTNAME$" --hostaddress="$HOSTADDRESS$" --hostalias="$HOSTALIAS$" --hostdisplayname="$HOSTDISPLAYNAME$" --hoststate=$HOSTSTATE$ --hoststateid=$HOSTSTATEID$ --lasthoststate=$LASTHOSTSTATE$ --lasthoststateid=$LASTHOSTSTATEID$ --hoststatetype=$HOSTSTATETYPE$ --currentattempt=$HOSTATTEMPT$ --maxattempts=$MAXHOSTATTEMPTS$ --hosteventid=$HOSTEVENTID$ --hostproblemid=$HOSTPROBLEMID$ --hostoutput="$HOSTOUTPUT$" --longhostoutput="$LONGHOSTOUTPUT$" --datetime="$LONGDATETIME$"
What you would probably want is the $CONTACTEMAIL$ macro, which is only available in notifications (not event handlers):
https://assets.nagios.com/downloads/nag ... olist.html

So your reasoning is correct, you'd just need to do it as a notification handler rather than an event handler. So you'd write a beautiful script, then assign it as a notification command for your contact that gets the Windows event log notifications. Making a separate contact might make sense if you don't want the "what event logs are causing problems" script to run for every single notification this contact receives.

Or you could hard-code the email in your script, but that's not terribly extendable to multiple contacts.
Former Nagios employee
https://www.mcapra.com/
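The workaround sketched in the thread (query the NCPA logs node from a handler and mail the actual entries to the contact) and the advice to run it as a notification command so that $CONTACTEMAIL$ is available, as one added worked example. This is not code from NCPA, Nagios XI or either poster; it is a stand-alone handler script written for this thread. The URL it builds is the one that worked above (api/logs with name= and severity=). The JSON layout it parses ({"logs": {"Application": [entry, ...]}} with time_generated, event_id, source_name, severity and message fields), the notification command shown in the docstring, the custom host variable _HOSTNCPA_TOKEN and the SAMPLE_PAYLOAD are assumptions made for the example; check the field names against what your own agent returns.

```python
#!/usr/bin/env python3
"""Nagios XI notification handler that appends the Windows event log entries
NCPA reports to the alert email. Added example for this thread, not code from
NCPA or Nagios XI; the response layout and the notify command are assumed.

Assumed notification command (standard Nagios macros; _HOSTNCPA_TOKEN is an
assumed custom host variable that carries the NCPA token):
  notify_ncpa_logs.py --host "$HOSTADDRESS$" --contactemail "$CONTACTEMAIL$"
      --service "$SERVICEDESC$" --state "$SERVICESTATE$" --token "$_HOSTNCPA_TOKEN$"
      --name Application --severity ERROR
"""
import argparse
import json
import smtplib
import ssl
import urllib.parse
import urllib.request
from email.message import EmailMessage

# Constructed sample of the assumed /api/logs layout, used for offline runs.
SAMPLE_PAYLOAD = {"logs": {
    "Application": [
        {"time_generated": "2018-06-01 10:00:00", "event_id": 1000, "severity": "ERROR",
         "source_name": "MyApp", "message": "Faulting application MyApp.exe\nmore detail"},
        {"time_generated": "2018-06-01 10:05:00", "event_id": 1001, "severity": "ERROR",
         "source_name": "MyApp", "message": ""},
    ],
    "System": [
        {"time_generated": "2018-06-01 10:07:00", "event_id": 7034, "severity": "ERROR",
         "source_name": "Service Control Manager",
         "message": "The X service terminated unexpectedly."},
    ],
}}


def build_logs_url(host, token, names, severities, port=5693):
    """URL for the NCPA logs node in the form that worked in the thread.
    The token travels in the query string, so keep the agent's access log private."""
    query = [("token", token)]
    query += [("name", n) for n in names]
    query += [("severity", s) for s in severities]
    return "https://%s:%d/api/logs?%s" % (host, port, urllib.parse.urlencode(query))


def fetch_logs(url, cafile=None):
    """Fetch and decode the JSON payload. NCPA ships a self-signed certificate;
    pass the agent's certificate as cafile rather than disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:  # last resort only: no hostname or chain check at all
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return json.load(resp)


def flatten_entries(payload):
    """Flatten {"logs": {name: [entry, ...]}} into [(name, entry), ...].
    Non-list values (e.g. the 'No log type selected' message) are skipped."""
    entries = []
    for log_name, items in payload.get("logs", {}).items():
        if isinstance(items, list):
            entries.extend((log_name, item) for item in items)
    return entries


def format_body(host, service, state, entries, limit=20):
    """Plain-text body: one header line per entry plus the first line of its
    message, so the recipient can triage without opening Event Viewer."""
    lines = ["Host: %s" % host, "Service: %s" % service, "State: %s" % state,
             "Matching event log entries: %d" % len(entries), ""]
    for log_name, e in entries[:limit]:
        lines.append("[%s] %s  id=%s  src=%s  sev=%s" % (
            log_name, e.get("time_generated", "?"), e.get("event_id", "?"),
            e.get("source_name", "?"), e.get("severity", "?")))
        msg = str(e.get("message", "")).strip().splitlines()
        lines.append("    " + (msg[0][:200] if msg else "(no message)"))
    if len(entries) > limit:
        lines.append("(%d more entries not shown)" % (len(entries) - limit))
    return "\n".join(lines) + "\n"


def send_mail(to_addr, subject, body, from_addr="nagios@localhost", smtp_host="localhost"):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, to_addr, subject
    msg.set_content(body)
    with smtplib.SMTP(smtp_host) as s:
        s.send_message(msg)


def main():
    p = argparse.ArgumentParser()
    for opt in ("--host", "--contactemail", "--service", "--state", "--token"):
        p.add_argument(opt, required=True)
    p.add_argument("--name", action="append")
    p.add_argument("--severity", action="append")
    p.add_argument("--cafile")
    a = p.parse_args()
    url = build_logs_url(a.host, a.token, a.name or ["Application"], a.severity or ["ERROR"])
    entries = flatten_entries(fetch_logs(url, a.cafile))
    body = format_body(a.host, a.service, a.state, entries)
    send_mail(a.contactemail, "** %s %s on %s **" % (a.service, a.state, a.host), body)


if __name__ == "__main__":
    main()
```

The script only reads from the agent, so it needs no more than the read token the check itself uses; the cut at `limit` keeps a burst of errors from turning the notification into a multi-megabyte mail, and the unverified-TLS branch exists because NCPA's default certificate is self-signed, not because skipping verification is acceptable on a production path.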
mvndnburg
Posts: 64
Joined: Wed Sep 21, 2016 2:53 am

Re: monitoring Windows system log with NCPA

Post by mvndnburg »

Thanks for the hint. I'll see what I can do with this.

You can go ahead and close this thread now.
--
Martijn