Question about notifications Version2

[benhank]

Hey guys, I have been tasked with a new project:
We have the NLS running as well as Nagiosxi.
Certain windows event logs are being monitored.
I have a user who has requested that when a notification for the event log is sent to him, he would like the notification email to contain:
1. The Message text contained in the event log
2. Retain the original formatting of the Original event log.

For example:
instead of:

Code: Select all

A user account was enabled. Subject: Security ID: S-1-5-21-2240559137-3205043459-73869318-4993 Account Name: bhankers Account Domain: HEALTHONE Logon ID: 0x14a6890a2 Target Account: Security ID: S-1-5-21-2322775055-62736158-2413983362-1006 Account Name: dopey Account Domain: WKENNAGWEBT01

He would like to see:

Capture.PNG

Lastly, the solution will only be used for HIM, and not our other users.They will continue to get notifications formatted normally.
What Nagios solution would you suggest?
NLS, Nagiosxi or Having a custom solution created by you guys ?
Thanks!

[dwhitfield]

What you'll need to do is create a custom service notification command. You can see how these are added to contacts on the Alert Settings tab of Contact Management (http://YOURSERVER/nagiosxi/includes/com ... 26page%3D1). It's the second blue button.

As for creating the command itself, that's done under the commands option in the CCM (http://YOURSERVER/nagiosxi/includes/com ... 26page%3D1)

Page 7 of https://assets.nagios.com/downloads/nag ... iables.pdf is where things will get useful for you (minus the variables themselves on pages 2 and 4).

[benhank]

thanks man!

[cdienger]

Glad to help! Let us know if you run into any problems or have any questions.

[benhank]

can regex formatting be used in notifications?

[cdienger]

Can you clarify? Are you looking to add tabs, carriage returns, etc.. with something like [ \t] and [\r]? This isn't possible and https://assets.nagios.com/downloads/nag ... iables.pdf covers expected format, but I want to make sure I'm understanding the request as a feature request may be in order.

[dwhitfield]

So, the real question here is what you mean by "in notifications"?

If you mean, "Can I use regex to send emails?", then yes, that *is* possible. You can set up *any* script to run in a command, so if that script includes regex there you go.

If you want to use the notifications as they are set up to do in XI, then as @cdienger noted, the PDF I sent yesterday goes over the expected format.

[benhank]

What I mean is email notifications.
As for the regex, I was hoping that I could add carriage returns via regex.
In my OP i mentioned that I am looking for a solution using either XI or NLS.
In NLS The Json and raw format of a log event looks like this:

Code: Select all

"message": "A user account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2240559137-3205043459-73869318-4993\r\n\tAccount Name:\t\tbhankers\r\n\tAccount Domain:\t\tHEALTHONE\r\n\tLogon ID:\t\t0x14a6890a2\r\n\r\nNew Account:\r\n\tSecurity ID:\t\tS-1-5-21-2322775055-62736158-2413983362-1005\r\n\tAccount Name:\t\tdopey\r\n\tAccount Domain:\t\tWKENNAGWEBT01\r\n\r\nAttributes:\r\n\tSAM Account Name:\tdopey\r\n\tDisplay Name:\t\t<value not set>\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t<value not set>\r\n\tHome Drive:\t\t<value not set>\r\n\tScript Path:\t\t<value not set>\r\n\tProfile Path:\t\t<value not set>\r\n\tUser Workstations:\t<value not set>\r\n\tPassword Last Set:\t<never>\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t513\r\n\tAllowed To Delegate To:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x15\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Password Not Required' - Enabled\r\n\t\t'Normal Account' - Enabled\r\n\tUser Parameters:\t<value not set>\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\tAll\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-",

Im thinking that if I can get Nagios to correcty read the Json or RAW format perhaps I can get the formatting of the email notification I am looking for.

[benhank]

thanks guys!
you can lock this Im gonna try to make it work from the log server