Services on Windows host

[SteveBeauchemin]

Here are a couple examples of my production tests. Just use the parts you like. It should get you jump-started.

It uses the older syntax and that is why I use the -2 parameter on check_nrpe.
We remove many items we do not need to know about. Tests run every 5 minutes.

Check Command definition

Code: Select all

/usr/local/nagios/libexec/check_nrpe -2 -u -t 60:3 --host $HOSTADDRESS$ --command $ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$ $ARG6$ $ARG7$ $ARG8$

Here is a Service Definition looking at System Eventlog

Config Name = svc-NRPE-MS-CheckEventlog-System
Description = NRPE_Eventlog_System

Code: Select all

$ARG1$ = CheckEventLog -a unique=1 file=system
$ARG2$ = "syntax=System Event Log %severity%: Source=%source%: Event ID=%id% Message=%message%"
$ARG3$ = "filter=generated gt -10m AND severity IN ('error', 'critical')
$ARG4$ = AND (id NOT IN (1,3,4,5,8,9,10,11,12,15,17,18,19,27,37,39,41,50,54,56,137,1030,1041,1060,1066,1069,1071,1111,1196,3621,4192,4224,4243,4307,5722,5723,5805,6008))
$ARG5$ = AND (id NOT IN (36888) OR source NOT IN ('Schannel')) AND (id NOT IN (36887) OR source NOT IN ('Schannel'))
$ARG6$ = AND (id NOT IN (36874) OR source NOT IN ('Schannel')) AND (id NOT IN (36870) OR source NOT IN ('Schannel')) AND (id NOT IN (36871) OR source NOT IN ('Schannel'))
$ARG7$ = AND (id NOT IN (7030) OR source NOT IN ('ServiceControlManager'))"
$ARG8$ = MaxWarn=1 MaxCrit=1

Here is a Service Definition looking at Application Eventlog

Config Name = svc-NRPE-MS-CheckEventlog-Application
Description = NRPE_Eventlog_Application

Code: Select all

$ARG1$ = CheckEventLog -a unique=1 file=application
$ARG2$ = "syntax=App Event Log %severity%: Source=%source%: Event ID=%id% Message=%message%"
$ARG3$ = "filter=generated gt -10m AND severity IN ('error')
$ARG4$ = AND (id NOT IN (1,3,10,12,13,23,26,33,37,38,58,67,101,103,104,107,108,110,112,274,502,511,1000,1002,1004,1005,1009,1010,1026,1027,1053,1054,1085,1101,1107,1116,1301,1325,1334,1373,1500,1502,1504,1508,1511,1515,1521,1533))
$ARG5$ = AND (id NOT IN (1509) OR source NOT IN ('Userenv')) AND (id NOT IN (1055) OR source NOT IN ('Userenv')) AND (id NOT IN (1030) OR source NOT IN ('Userenv')) AND (id NOT IN (1006) OR source NOT IN ('Userenv'))
$ARG6$ = AND (id NOT IN (12292) OR source NOT IN ('VSS'))
$ARG7$ = AND (source NOT IN ('Microsoft-SharePoint Products-SharePoint Foundation')) AND (source NOT IN ('Microsoft-Windows-Perflib'))"
$ARG8$ = MaxWarn=10 MaxCrit=20

Hope it helps. It works for me at my company.

Disclaimer: Internet research provided me most of the information so if anything looks familiar - Thanks! Maybe I got it from you.

Steve B

[bomahony]

Nice one mate! Definately will have a look, although we refrain from sending vars over the wire, where at all possible, so ill probably use your stuff below.
Also there is a total of 8 or 10 win hosts in the env from thousands of nodes, so these should be pretty standard for those, without much changes.


Like an idiot, I never bothered reading the nsclient.ini file. I literally just ran "nscp settings --activate-module CheckEventLog --add-defaults. This has populated my config with a load of absolute waffle, but I can see:
Eventlog configuration - Section for the EventLog Checker (CheckEventLog.dll).
[/settings/eventlog]

So i guess it goes in there. I assume I shouldnt be using real-time? [but under realtime there is the filter = UNKNOWN syntax, so I assume that is used].

Never even thought of App log. Anything else you would suggest, other than my sparse checks above? I dont really do much with Windows, so not sure what we really need [these are all just RDP and LogRhythm hosts].

[scottwilkerson]

I've never really used real-time, not that familiar with it, but my guess is it would put a little more load on your Windows server.