Trying to get Windows Event log monitoring working with the NCPA agent so that we can monitor when a particular event id occurs on a Windows server.
I can access the logs locally with the NCPA API:
https://localhost:5693/api/logs?token=m ... pplication
However, when I use the command below in the Core Config Manager, it does not return any result for event id 4114, which occurred within the last hour.
$USER1$/check_ncpa.py -H $HOSTADDRESS$ $ARG1$
-t 'token' -P 5693 -M 'logs' -q name=Application,severity=all,logged_after=24h,event_id=4114
[nagios@xiserver ~]$ /usr/local/nagios/libexec/check_ncpa.py -H hostip -t 'token' -P 5693 -M 'logs' -q name=Application,severity=all,logged_after=24h,event_id=4114
OK: Application has 0 logs, Total Count has 0 logs (Time range - last 24 hours) | 'Application'=0;;; 'Total Count'=0;;;
Log Name: Application
Source: MSExchangeRepl
Date: 10/3/2017 10:36:06 AM
Event ID: 4114
Task Category: Service
Level: Information
Keywords: Classic
User: N/A
Computer: computer.local
Description:
Database redundancy health check passed.
Database copy: DAG01-DB02
Redundancy count: 2
If I remove all the filters, it only gives the total number of events in the Application log, like below.
OK: Application has 172 logs, Total Count has 172 logs (Time range - last 24 hours) | 'Application'=172;;; 'Total Count'=172;;;
Please let me know how this issue can be fixed.
Windows Event log monitoring with NCPA not working
kyang
Re: Windows Event log monitoring with NCPA not working
Have you tried putting the -q ARGS in quotes?
Here's my example of what I mean.
/usr/local/nagios/libexec/check_ncpa.py -H 192.168.3.46 -t 'mytoken1' -M 'logs' -q 'name=INFORMATION,logged_after=3h,event_id=8224' -w 100 -c 400
Output:
OK: INFORMATION has 2 logs, Total Count has 2 logs (Time range - last 3 hours) | 'INFORMATION'=2;100;400; 'Total Count'=2;100;400;
I do have 2 logs as shown by the API for the past 3 hours as well. (I chose a low interval for the time range just so I know it works. Too many logs to count if I choose 24 hours, so this is exact.)
Let us know if this helps!
Re: Windows Event log monitoring with NCPA not working
Thanks for the reply.
Tried that suggestion, but the issue still persists.
If I use the command with any event_id (such as event_id=262248):
[nagios@xiserver ~]$ /usr/local/nagios/libexec/check_ncpa.py -H IPaddress -t 'token' -P 5693 -M 'logs' -q 'name=Application,severity=ERROR,logged_after=2h,event_id=262248' -w 5 -c 10 --list
logs: [{u'Application': []}, u'logs']
No logs returned.
If I use the command without event_id filter, it provides the results.
[nagios@xiserver ~]$ /usr/local/nagios/libexec/check_ncpa.py -H IPaddress -t 'token' -P 5693 -M 'logs' -q 'name=Application,severity=ERROR,logged_after=2h' -w 5 -c 10 --list
logs: [{u'Application': [{u'category': u'1', u'severity': u'ERROR', u'event_id': u'262248', u'application': u'MSExchange Search Indexer', u'computer_name': lab.local', u'message': u'Exchange Search Indexer failed to enable the Mailbox Database DB01 (GUID = 0e776144-5a72-4147-b1c3-7b84c4671385) after 10 tries. The last failure was: MapiExceptionMdbOffline: Unable to get CI watermark (hr=0x80004005
I have updated this on the thread as well. The other issue is that, even though it is an ERROR event, the alert reports as OK (green) instead of Critical (red). I set the initial state as Critical and changed the arguments to -w 0 -c 1 or -w 0 -c 0, but no luck.
kyang
Re: Windows Event log monitoring with NCPA not working
Let's try something like this (change the IP, token, and event id):
/usr/local/nagios/libexec/check_ncpa.py -H IPaddress -t 'token' -P 5693 -M 'logs' -q 'name=Application,severity=ERROR,logged_after=24h,eventid=100737026' -w 5 -c 10 -l list
I took out the underscore for event_id. When I left it in, I had the same issue as you did before.
This should give you the logs for that id, but let us know.
I'm seeing this for my warnings and criticals (take notice when I have it at 1 and 2: it won't count as warning or critical unless I have more logs than the threshold itself).
/usr/local/nagios/libexec/check_ncpa.py -H IPaddress -t 'token' -P 5693 -M 'logs' -q 'name=Application,severity=ERROR,logged_after=24h,eventid=100737026' -w 0 -c 1
CRITICAL: Application has 2 logs, Total Count has 2 logs (Time range - last 24 hours) | 'Application'=2;0;1; 'Total Count'=2;0;1;
/usr/local/nagios/libexec/check_ncpa.py -H IPaddress -t 'token' -P 5693 -M 'logs' -q 'name=Application,severity=ERROR,logged_after=24h,eventid=100737026' -w 0 -c 2
WARNING: Application has 2 logs, Total Count has 2 logs (Time range - last 24 hours) | 'Application'=2;0;2; 'Total Count'=2;0;2;
Also there is a bug on filtering by event_id for some IDs. (There is a fix listed in the GitHub issue if you are still seeing this error.)
https://github.com/NagiosEnterprises/ncpa/issues/383
But for now, let me know if the above command works for your event id.
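To make the two behaviours discussed in this reply concrete (the -q filter keys and the way -w/-c thresholds are compared), here is an added Python sketch that is not NCPA's own code: it emulates the filtering over constructed records shaped like the `-l list` output in this thread and applies standard Nagios range semantics, where a bare threshold N leaves 0..N as OK, which is what the CRITICAL/WARNING pair above shows.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records shaped like the per-log dicts "check_ncpa.py -l list" prints.
NOW = datetime(2017, 10, 9, 15, 0, 0)
SAMPLE_LOGS = {
    "System": [
        {"severity": "ERROR", "event_id": "1111", "application": "UmrdpService",
         "time_generated": NOW - timedelta(minutes=34)},
        {"severity": "ERROR", "event_id": "1111", "application": "UmrdpService",
         "time_generated": NOW - timedelta(hours=5)},  # outside a 2h window
    ],
    "Application": [
        {"severity": "INFORMATION", "event_id": "4114", "application": "MSExchangeRepl",
         "time_generated": NOW - timedelta(minutes=10)},
        {"severity": "ERROR", "event_id": "262248", "application": "MSExchange Search Indexer",
         "time_generated": NOW - timedelta(minutes=50)},
    ],
}

def parse_query(q):
    """Split a -q value such as 'name=System,severity=ERROR,logged_after=2h' into a dict."""
    return dict(part.split("=", 1) for part in q.split(","))

def parse_window(spec):
    """Turn logged_after values like '2h', '24h', '30m' or '7d' into a timedelta."""
    m = re.fullmatch(r"(\d+)([mhd])", spec)
    if not m:
        raise ValueError("unsupported logged_after value: %r" % spec)
    unit = {"m": "minutes", "h": "hours", "d": "days"}[m.group(2)]
    return timedelta(**{unit: int(m.group(1))})

def count_matching(logs, q, now=NOW):
    """Count records in the named log that pass the severity, time-window and id filters."""
    f = parse_query(q)
    since = now - parse_window(f.get("logged_after", "24h"))
    eid = f.get("eventid") or f.get("event_id")  # both spellings appear in the thread
    sev = f.get("severity", "all").upper()
    return sum(1 for e in logs.get(f["name"], [])
               if e["time_generated"] >= since
               and (sev == "ALL" or e["severity"].upper() == sev)
               and (eid is None or e["event_id"] == eid))

def nagios_state(count, warn, crit):
    """Bare threshold N means 0..N is OK, so only count > N alerts: 1 log with -w 0 -c 1 is WARNING."""
    if count > crit:
        return "CRITICAL"
    if count > warn:
        return "WARNING"
    return "OK"
```

With these rules, a single matching ERROR record and -w 0 -c 1 yields WARNING rather than CRITICAL, which is the behaviour reported later in the thread.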
Re: Windows Event log monitoring with NCPA not working
Hi,
I tried removing the underscore (eventid), but event id 4114 didn't work. It pulls all the logs.
[nagios@xi01 ~]$ /usr/local/nagios/libexec/check_ncpa.py -H IP -t 'Apptix123' -P 5693 -M 'logs' -q 'name=Application,severity=INFORMATION,logged_after=2h,eventid=4114' -w 0 -c 1 -l list
logs: [{u'Application': [{u'category': u'3', u'severity': u'INFORMATION', u'event_id': u'264224', u'application': u'MSExchange ADAccess', u'computer_name': u'server.lab.local', u'message': u'Process MAD.EXE (PID=3820). Exchange Active Directory Provider has discovered the following servers with the following characteristics:\r\n\r\n (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)\r\n\r\nIn-site:\r\nlab.local\tCDG 1 7 7 1 0 1 1 7 1\r\nserver.lab.local\tCDG 1 7 7 1 0 1 1 7 1\r\n\r\nOut-of-site:\r\n\r\n\r\n\r\n', u'time_generated': u'10/09/17 14:26:58'}, {u'category': u'0', u'severity': u'INFORMATION', u'event_id': u'1003', u'application': u'Software Protection Platform Service', u'computer_name': u'server.lab.local', u'message': u'The Software Protection service has completed licensing status check.\r\nApplication Id=55c92734-d682-4d71-983e-d6ec3f16059f\r\nLicensing Status=\n1: 1d63ae00-7733-4e46-b0d0-ae0ab81d7638, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n2: 4ae528f4-05c3-446e-90ea-a4fbd460b83a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n3:
For event id 1111, it can filter that log, but it is still not marked as "Critical" even though I set the critical threshold to 1.
[nagios@xi01 ~]$ /usr/local/nagios/libexec/check_ncpa.py -H IP -t 'Apptix123' -P 5693 -M 'logs' -q 'name=System,severity=ERROR,logged_after=2h,eventid=1111' -w 0 -c 1 -l list
logs: [{u'System': [{u'category': u'0', u'severity': u'ERROR', u'event_id': u'1111', u'application': u'UmrdpService', u'computer_name': u'server.lab.local', u'message': u'Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.\r\n', u'time_generated': u'10/09/17 14:26:32'}]}, u'logs']
Re: Windows Event log monitoring with NCPA not working
Also, how can I apply the fix listed here? Or did you mean to say it will be fixed in the next release?
https://github.com/NagiosEnterprises/nc ... gs.py#L352
Re: Windows Event log monitoring with NCPA not working
I mentioned this on the Github issue too. I was just saving the line that is the issue, and will fix it for the next release. A patch has not been created yet! There should be a bug fix coming soon, and this should be resolved then.