NagEventLog alert truncated at 192 Char

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
brucej543
Posts: 134
Joined: Thu Jun 21, 2018 9:33 am

NagEventLog alert truncated at 192 Char

Post by brucej543 »

Configured EventLog Service to check the security log for event ID 4732. Finds the event and sends a passive alert to Nagios XI. Only the first 192 characters of the detailed event are sent. Is there some sort of filter or limit to what NagEventLog will extract from the Windows security log file?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: NagEventLog alert truncated at 192 Char

Post by ssax »

Are you logging the passive results? Do they show as cutoff in your /usr/local/nagios/var/nagios.log?


grep log_passive_checks /usr/local/nagios/etc/nagios.cfg
log_passive_checks=1
If you have to set it to 1, make sure to restart the nagios service after so that the changes become active:


service nagios restart
The reason I ask is because it could be nagios that is cutting it off, see here:

https://support.nagios.com/kb/article/n ... s-478.html
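The check suggested above, as an added example that is not part of the original thread or of Nagios: it parses the PASSIVE SERVICE CHECK lines that Nagios Core writes to nagios.log once log_passive_checks=1 is active, and reports the length of each result's plugin output so a cut-off can be attributed to the agent or to the server side. The nagios.cfg text and log lines used here are constructed for the example; the list of "suspicious" lengths is an assumption based on the buffer sizes mentioned in this thread.

```python
"""Check whether passive results reach Nagios Core intact.

Added example, not from the original thread. It parses the
"PASSIVE SERVICE CHECK" lines Nagios Core writes to nagios.log when
log_passive_checks=1, and reports the plugin-output length of each
result so a cut-off can be attributed to the agent or to the server.
The config text and log lines below are constructed for the example.
"""
import re

# Nagios Core log format: [epoch] PASSIVE SERVICE CHECK: host;service;state;output
PASSIVE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] PASSIVE SERVICE CHECK: "
    r"(?P<host>[^;]+);(?P<service>[^;]+);(?P<state>\d+);(?P<output>.*)$"
)

# Constructed sample: one short result and one that is exactly 256 characters.
SAMPLE_LOG = "\n".join([
    "[1530000000] SERVICE ALERT: winhost;CPU Load;OK;HARD;1;OK - load is 3%",
    "[1530000001] PASSIVE SERVICE CHECK: winhost;EventLog Security;1;"
    "4732 A member was added to a security-enabled local group.",
    "[1530000002] PASSIVE SERVICE CHECK: winhost;EventLog Security;2;"
    + ("A member was added to a security-enabled local group. " * 10)[:256],
])


def passive_logging_enabled(cfg_text):
    """Return True if nagios.cfg text sets log_passive_checks=1.

    Comment lines and surrounding whitespace are ignored; if the key
    appears more than once the last assignment is taken.
    """
    enabled = False
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "log_passive_checks":
            enabled = value.strip() == "1"
    return enabled


def passive_results(log_text, service=None):
    """Yield (timestamp, host, service, state, output) for each passive result."""
    for line in log_text.splitlines():
        m = PASSIVE_RE.match(line)
        if m and (service is None or m.group("service") == service):
            yield (int(m.group("ts")), m.group("host"), m.group("service"),
                   int(m.group("state")), m.group("output"))


def output_lengths(log_text, service=None):
    """Return a list of plugin-output lengths, one per passive result."""
    return [r[4] and len(r[4]) or 0 for r in passive_results(log_text, service)]


def suspicious_lengths(log_text, limits=(192, 256, 512), service=None):
    """Return results whose output length equals a known buffer size.

    An output landing exactly on one of these limits (assumed from the
    sizes discussed in the thread) is the usual sign that something in
    the path truncated it, rather than the event text being that long.
    """
    return [r for r in passive_results(log_text, service) if len(r[4]) in limits]


if __name__ == "__main__":
    for ts, host, svc, state, out in passive_results(SAMPLE_LOG):
        print(f"{ts} {host}/{svc} state={state} output_len={len(out)}")
    for r in suspicious_lengths(SAMPLE_LOG):
        print("possible truncation:", r[1], r[2], len(r[4]))
```

Run it against the real file with `passive_results(open("/usr/local/nagios/var/nagios.log").read())`; if the lengths already stop at 256 in nagios.log, the cut happens before Nagios Core sees the result, which is what the rest of the thread goes on to find.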
brucej543
Posts: 134
Joined: Thu Jun 21, 2018 9:33 am

Re: NagEventLog alert truncated at 192 Char

Post by brucej543 »

I made the suggested changes and there is no difference in the result. It looks like the NSCA Eventlog agent on the Windows server is not reading the full message we are scanning for, or it is cutting off the message on the Windows server. I tried to turn on the full logging of the NSCA daemon on the Windows server but no data is being written to the log files.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: NagEventLog alert truncated at 192 Char

Post by ssax »

Which version of NagEventLog do you have installed? Which version of Windows?

One of our techs labbed it up and he received a 512 character message that wasn't cut off.
brucej543
Posts: 134
Joined: Thu Jun 21, 2018 9:33 am

Re: NagEventLog alert truncated at 192 Char

Post by brucej543 »

The server is a Windows 2012 R2, with NCPA 2.1.6 and Navelog-setup 1.9.2 installed. Filter settings: Event log to check is Security, doing Event ID matching on 4732 and 636. For the events we tried just Audit Success only and also all events with the same results.

We are checking to see if anyone was added to the Administrators Group and sending an alert.
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: NagEventLog alert truncated at 192 Char

Post by tgriep »

I did some further testing of the nagEventLog application and what I found is that the application seems to send the log entry as one long line as the Service Output.
That should allow it to display up to 256 characters in the XI GUI and it should not be cut off at 192.

If the nagEventLog application could send the data in multiple lines, it would display more data, but there is not an option to do that.

Update, the 256 character limit is a limitation of the nagEventLog application.
Be sure to check out our Knowledgebase for helpful articles and solutions!
brucej543
Posts: 134
Joined: Thu Jun 21, 2018 9:33 am

Re: NagEventLog alert truncated at 192 Char

Post by brucej543 »

Thank you for your research and information. We are actually getting a 256 character message (my error in what was being received). A few more questions:
Is there a way to modify what the event log is sending (what fields are being extracted, or is it just extracting the message from the log and sending the first 256 characters)?
Do you know of an alternate way using Nagios XI to get the full message or extract the required data for the alert to be useful?

The inability to get the full information from the log will most likely have an effect on us expanding our current license to unlimited systems.
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: NagEventLog alert truncated at 192 Char

Post by tgriep »

To get the nagEventLog application to send more than 256 characters, you would have to edit the source code to increase the size of the buffer and recompile the application.

You said that you have the NCPA application setup on the server. You could use that to send the Event Logs.
I have a few examples that you could put in the ncpa.cfg file on the Windows server.


%HOSTNAME%|EVT_Application = /logs --name Application --logged_after 5m --severity ERROR --check true --event_id 1 --warning 10 --critical 20
%HOSTNAME%|EVT_Security = /logs --name Security --logged_after 200m --severity AUDIT_FAILURE --event_id 4776 --check true --warning 3 --critical 5
For more details on the NCPA log settings, take a look at this link.
https://www.nagios.org/ncpa/help.php#api-modules-logs
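The workaround the thread is circling, as an added example that is not code from the thread, from NagEventLog or from NCPA: instead of shipping the first 256 characters of the rendered message, read the event's XML form (what `wevtutil qe Security /f:xml` or PowerShell's `ToXml()` returns), pull the EventData fields that actually identify who added which account to which group, and emit one line that fits the 256 character limit. Wiring this into Nagios (as an NCPA plugin, a passive result via NSCA, or otherwise) is left to the reader; the 4732 event below is constructed, and its SIDs and names are made up.

```python
"""Condense a Windows 4732 event into a short Nagios-friendly line.

Added example, not code from the thread or from NagEventLog/NCPA. It
reads the XML form of event 4732 ("A member was added to a
security-enabled local group"), pulls the EventData fields that matter
for an alert, and emits one line within the 256 character limit the
thread reports for NagEventLog. The sample event is constructed.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MAX_OUTPUT = 256  # limit reported in the thread for NagEventLog

# Constructed 4732 event, shaped like wevtutil /f:xml output; values are made up.
SAMPLE_4732 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
    <EventID>4732</EventID>
    <TimeCreated SystemTime="2018-06-21T14:03:11.000000000Z"/>
    <Channel>Security</Channel>
    <Computer>WIN2012R2.example.test</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">svcadmin</Data>
    <Data Name="SubjectDomainName">WIN2012R2</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>"""

# Groups whose membership changes should alert; S-1-5-32-544 is Builtin\Administrators.
WATCHED_GROUPS = {"S-1-5-32-544"}


def parse_event(xml_text):
    """Return a dict with the System and EventData fields of one event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": system.findtext("e:EventID", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def is_watched_group_change(fields):
    """True for a 4732 whose target group SID is in WATCHED_GROUPS."""
    return fields.get("EventID") == "4732" and fields.get("TargetSid") in WATCHED_GROUPS


def summarize(fields, limit=MAX_OUTPUT):
    """Build a one-line summary no longer than `limit` characters.

    No '|' is used because Nagios treats it as the start of perfdata.
    If the line is still too long it is cut with a visible marker, so
    the reader knows it was shortened here rather than silently by an agent.
    """
    member = fields.get("MemberName", "-")
    if member == "-":  # 4732 frequently carries only the SID of the new member
        member = fields.get("MemberSid", "?")
    line = (f"EventID {fields['EventID']} on {fields['Computer']}: "
            f"{member} added to {fields.get('TargetDomainName', '?')}\\"
            f"{fields.get('TargetUserName', '?')} by "
            f"{fields.get('SubjectDomainName', '?')}\\{fields.get('SubjectUserName', '?')} "
            f"at {fields['TimeCreated']}")
    if len(line) > limit:
        line = line[: limit - 3] + "..."
    return line


def check(xml_text):
    """Return (nagios_state, output): 2 (CRITICAL) for a watched group, else 0 (OK)."""
    fields = parse_event(xml_text)
    if is_watched_group_change(fields):
        return 2, summarize(fields)
    return 0, f"EventID {fields['EventID']} is not a watched group change"


if __name__ == "__main__":
    state, output = check(SAMPLE_4732)
    print(state, output)
```

Matching on TargetSid rather than the localized group name keeps the filter stable across languages and renamed groups, and the summary keeps the subject (who made the change) and the member SID, which are exactly the parts that fall past the first 256 characters of the rendered message.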
brucej543
Posts: 134
Joined: Thu Jun 21, 2018 9:33 am

Re: NagEventLog alert truncated at 192 Char

Post by brucej543 »

Thanks for the information. If we modify the nagEventLog app to send more than 256 characters, is there anything on the Nagios XI side that needs to be done to accept the information?
brucej543
Posts: 134
Joined: Thu Jun 21, 2018 9:33 am

Re: NagEventLog alert truncated at 192 Char

Post by brucej543 »

Forgot to ask, what is the nagEventLog application written in?