Best way to catch a 6008 Windows Error from System Log

davide.bonicelli:
Hi, do you have any suggestions on how to catch the infamous 6008 from the Windows System event log?
The 6008 error appears when there was a blue screen or an improper shutdown.
scottwilkerson (DevOps Engineer, Nagios Enterprises):
Re: Best way to catch a 6008 Windows Error from System Log
Nagios Log Server would be my first inclination, and you would have all the event logs from all of the servers in one location:
https://www.nagios.com/products/nagios-log-server/
Besides that, if you have NCPA installed as an agent, you can search for logs by event_id as well:
https://www.nagios.org/ncpa/help.php#api-modules-logs
davide.bonicelli:
Re: Best way to catch a 6008 Windows Error from System Log
Forgot to mention an important requisite: no agent installed!
I've got hundreds of Windows machines checked with Nagios XI and WMI.
mcapra:
Re: Best way to catch a 6008 Windows Error from System Log
To do this via pure WQL (which is all check_wmi_plus understands), you'd need to iterate over the Win32_NTLogEvent class's records, or provide a timestamp in the WQL query.
So the trick is really just generating a valid timestamp for your WQL queries, because WQL doesn't have relative time functions (like "5 minutes ago"). You could absolutely 100% write a module for check_wmi_plus that tackles this problem, but the work required would demand a good understanding of WQL and how the check_wmi_plus modules are structured.
Here's what a single record in the Win32_NTLogEvent class looks like:
Code:
PS>gwmi -Query "SELECT * FROM Win32_NTLogEvent WHERE RecordNumber=7572"

Category         : 2
CategoryString   : Server
EventCode        : 9666
EventIdentifier  : 1073751490
TypeEvent        :
InsertionStrings : {Database Mirroring}
LogFile          : Application
Message          : The Database Mirroring endpoint is in disabled or stopped state.
RecordNumber     : 7572
SourceName       : MSSQLSERVER
TimeGenerated    : 20180626180025.888052-000
TimeWritten      : 20180626180025.888052-000
Type             : Information
UserName         :

Category         : 13568
CategoryString   : Audit Policy Change
EventCode        : 4907
EventIdentifier  : 4907
TypeEvent        :
InsertionStrings : {S-1-5-18, WIN-MK9V74MB7KL$, WORKGROUP, 0x3e7...}
LogFile          : Security
Message          : Auditing settings on object were changed.
                   Subject:
                   Security ID: S-1-5-18
                   Account Name: WIN-MK9V74MB7KL$
                   Account Domain: WORKGROUP
                   Logon ID: 0x3E7
                   Object:
                   Object Server: Security
                   Object Type: File
                   Object Name: \Device\HarddiskVolume1\Boot\zh-TW\memtest.exe.mui
                   Handle ID: 0x3a4
                   Process Information:
                   Process ID: 0x42c
                   Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.2151_none_7f2129e421da1aca\TiWorker.exe
                   Auditing Settings:
                   Original Security Descriptor: S:AINO_ACCESS_CONTROL
                   New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
RecordNumber     : 7572
SourceName       : Microsoft-Windows-Security-Auditing
TimeGenerated    : 20180412151428.387247-000
TimeWritten      : 20180412151428.387247-000
Type             : Audit Success
UserName         :

Category         : 0
CategoryString   :
EventCode        : 37
EventIdentifier  : 37
TypeEvent        :
InsertionStrings : {time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->13.89.190.88:123)}
LogFile          : System
Message          : The time provider NtpClient is currently receiving valid time data from time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->13.89.190.88:123).
RecordNumber     : 7572
SourceName       : Microsoft-Windows-Time-Service
TimeGenerated    : 20180621174515.153557-000
TimeWritten      : 20180621174515.153557-000
Type             : Information
UserName         :
You can get all records with a specific EventCode that were written after a specific time like so:
Code:
PS C:\chef-repo> gwmi -Query "SELECT * FROM Win32_NTLogEvent WHERE TimeWritten >= '20180627154515.153557-000' AND EventCode=37"

Category         : 0
CategoryString   :
EventCode        : 37
EventIdentifier  : 37
TypeEvent        :
InsertionStrings : {time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->52.168.138.145:123)}
LogFile          : System
Message          : The time provider NtpClient is currently receiving valid time data from time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->52.168.138.145:123).
RecordNumber     : 9949
SourceName       : Microsoft-Windows-Time-Service
TimeGenerated    : 20180627155619.946260-000
TimeWritten      : 20180627155619.946260-000
Type             : Information
UserName         :

Category         : 0
CategoryString   :
EventCode        : 37
EventIdentifier  : 37
TypeEvent        :
InsertionStrings : {time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->52.168.138.145:123)}
LogFile          : System
Message          : The time provider NtpClient is currently receiving valid time data from time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->52.168.138.145:123).
RecordNumber     : 9948
SourceName       : Microsoft-Windows-Time-Service
TimeGenerated    : 20180627155317.997887-000
TimeWritten      : 20180627155317.997887-000
Type             : Information
UserName         :

Category         : 0
CategoryString   :
EventCode        : 37
EventIdentifier  : 37
TypeEvent        :
InsertionStrings : {time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->52.168.138.145:123)}
LogFile          : System
Message          : The time provider NtpClient is currently receiving valid time data from time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->52.168.138.145:123).
RecordNumber     : 9947
SourceName       : Microsoft-Windows-Time-Service
TimeGenerated    : 20180627155002.004693-000
TimeWritten      : 20180627155002.004693-000
Type             : Information
UserName         :

Category         : 0
CategoryString   :
EventCode        : 37
EventIdentifier  : 37
TypeEvent        :
InsertionStrings : {time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->52.168.138.145:123)}
LogFile          : System
Message          : The time provider NtpClient is currently receiving valid time data from time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->52.168.138.145:123).
RecordNumber     : 9945
SourceName       : Microsoft-Windows-Time-Service
TimeGenerated    : 20180627154624.507163-000
TimeWritten      : 20180627154624.507163-000
Type             : Information
UserName         :
I might play around with this when I'm back from vacation. It seems like it'd be a useful module to have.
Or, if you're more comfortable with Python, here's a plugin I wrote a while ago that runs WQL queries which could be modified to satisfy this use case:
https://github.com/mcapra/nagios-check_wmi
Last edited by mcapra on Wed Jun 27, 2018 11:10 am, edited 2 times in total.
Former Nagios employee
https://www.mcapra.com/
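An agentless version of what mcapra describes, as an added example that is not from the thread or from the nagios-check_wmi plugin: it generates the DMTF timestamp for "N minutes ago" (the part WQL cannot do itself), builds the WQL for Event ID 6008 in the System log, and turns the rows the Linux wmic client prints into a Nagios state. It assumes the wmic binary that check_wmi_plus uses is on PATH; the host, credentials and the sample wmic output are constructed.

```python
# Added example: agentless Event ID 6008 check for a Nagios server (not the thread's code).
import subprocess
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios exit codes

def dmtf_timestamp(dt):
    """Aware datetime -> the DMTF form Win32_NTLogEvent.TimeWritten uses.
    The thread's gwmi output shows UTC as '-000'; '+000' is equally valid."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.%f") + "-000"

def parse_dmtf(ts):
    """Inverse of dmtf_timestamp for the zero-offset values WMI returns."""
    return datetime.strptime(ts[:21], "%Y%m%d%H%M%S.%f").replace(tzinfo=timezone.utc)

def build_wql(event_code, lookback_minutes, now, logfile="System"):
    """WQL has no relative time; keep lookback > check interval + clock skew."""
    since = dmtf_timestamp(now - timedelta(minutes=lookback_minutes))
    return ("SELECT EventCode,LogFile,RecordNumber,TimeWritten,Message FROM Win32_NTLogEvent "
            f"WHERE LogFile='{logfile}' AND EventCode={int(event_code)} "
            f"AND TimeWritten>='{since}'")

def parse_wmic_output(text):
    """Parse wmic's output: a 'CLASS:' line, a '|' header row, then one row per event."""
    rows = [l for l in text.splitlines() if l.strip() and not l.startswith("CLASS:")]
    if not rows:
        return []
    header = rows[0].split("|")  # Message is last, so pipes inside it survive the split
    return [dict(zip(header, r.split("|", len(header) - 1))) for r in rows[1:]]

def evaluate(records):
    """Nagios verdict: any 6008 in the window means an unexpected shutdown -> CRITICAL."""
    if not records:
        return OK, "OK: no Event ID 6008 in window|events=0"
    latest = max(parse_dmtf(r["TimeWritten"]) for r in records)
    return CRITICAL, (f"CRITICAL: {len(records)} unexpected shutdown(s) (Event ID 6008), "
                      f"latest {latest:%Y-%m-%d %H:%M:%S} UTC|events={len(records)}")

def run_check(host, user, password, lookback_minutes=30):
    """Assumed: the Samba/wmi-client 'wmic' that check_wmi_plus shells out to is on PATH."""
    wql = build_wql(6008, lookback_minutes, datetime.now(timezone.utc))
    out = subprocess.run(["wmic", "-U", f"{user}%{password}", f"//{host}", wql],
                         capture_output=True, text=True, check=True).stdout
    return evaluate(parse_wmic_output(out))

# Constructed sample of what wmic prints for two 6008 events (not real hosts or data).
SAMPLE_WMIC_OUTPUT = """CLASS: Win32_NTLogEvent
EventCode|LogFile|RecordNumber|TimeWritten|Message
6008|System|10231|20180627154200.000000-000|The previous system shutdown at 3:41:07 PM on 6/27/2018 was unexpected.
6008|System|10199|20180627090400.000000-000|The previous system shutdown at 9:02:55 AM on 6/27/2018 was unexpected."""
```

Wire run_check into a command definition with the host's WMI credentials and exit with the returned code; evaluate(parse_wmic_output(SAMPLE_WMIC_OUTPUT)) shows the CRITICAL output offline.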
mcapra:
Re: Best way to catch a 6008 Windows Error from System Log
Taking a closer look, you could probably just piggy-back off the default checkeventlog module included with check_wmi_plus for most of the development work. The events.ini file read by that module allows you to include WHERE clauses and custom arguments (like an EventCode).
Here's something on the exchange doing just that through raw wmic commands:
https://exchange.nagios.org/directory/P ... MI/details
Former Nagios employee
https://www.mcapra.com/
davide.bonicelli:
Re: Best way to catch a 6008 Windows Error from System Log
Thanks mcapra.
I think a dedicated plugin would be a massive improvement for the Nagios community.
scottwilkerson (DevOps Engineer, Nagios Enterprises):
Re: Best way to catch a 6008 Windows Error from System Log
davide.bonicelli wrote:
    Thanks mcapra.
    I think a dedicated plugin would be a massive improvement for the Nagios community.
I agree. May we close this issue?