Monitoring the Windows Event Log

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Monitoring the Windows Event Log

Post by scottwilkerson »

Let's add the following to your nsclient.ini

Code:

; Section for the EventLog Checker (CheckEventLog.dll).
[/settings/eventlog]

; BUFFER_SIZE - The size of the buffer to use when getting messages; this affects the speed and maximum size of messages you can receive.
buffer size = 131072

; LOOKUP NAMES - Lookup the names of eventlog files
lookup names = 1

; DEBUG - Log more information when filtering (useful to detect issues with filters); not useful in production as it is a bit of a resource hog.
debug = 0

; Section for NRPE active/passive check module.
[/settings/NRPE/client]

; CHANNEL - The channel to listen to.
channel = NRPE

Then restart NSCP.

Then run the command again like this:

Code:

./check_nrpe -H xxx.xxx.xxx.xxx -p 5666 -c check_eventlog -a "filter=id=4003"
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
amitgupta19
Posts: 286
Joined: Fri Sep 08, 2017 5:53 am

Re: Monitoring the Windows Event Log

Post by amitgupta19 »

Hi Scott,

Thanks for the update.

Still the error remains the same.
[amgupta@cblnagios01 libexec]$ ./check_nrpe -H xxx.xxx.xxx.xxx -p 5666 -c check_eventlog -a "filter=id=4003"
No file specified try adding: file=Application
scottwilkerson

Re: Monitoring the Windows Event Log

Post by scottwilkerson »

In trying to decipher this issue a little further, I used your nsclient.ini file and was able to make the command work on my system as specified; the only difference is that I have a slightly newer version of NSClient++.

Code:

[root@localhost nagiosxi]# /usr/local/nagios/libexec/check_nrpe -H 192.168.xxx.xxx -c check_eventlog -a "filter=id=4003"
OK: No entries found|'count'=0;0;5
[root@localhost nagiosxi]# /usr/local/nagios/libexec/check_nrpe -H 192.168.xxx.xxx
I (0.4.4.23 2016-04-05) seem to be doing fine...
amitgupta19

Re: Monitoring the Windows Event Log

Post by amitgupta19 »

Thanks Scott

One more difference is that I have Nagios Core 4.4.3 and you have Nagios XI. I hope that it does not matter.

I have updated the NSClient to the latest version.

Now the error has changed:

[amgupta@cblnagios01 libexec]$ ./check_nrpe -H 172.23.xxx.xxx
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 172.23.xxx.xxx: 1
scottwilkerson

Re: Monitoring the Windows Event Log

Post by scottwilkerson »

Let's try modifying the [/settings/NRPE/server] section of the config to the following:

Code:

[/settings/NRPE/server]
ssl options = no-sslv2,no-sslv3
verify mode = none
insecure = true
use ssl = 1
allow nasty characters = 1
allow arguments = 1
port = 5666
amitgupta19
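The section above gets the handshake working by switching off authentication rather than configuring it: `insecure = true` makes NSClient++ accept the legacy anonymous Diffie-Hellman (ADH) cipher mode that check_nrpe falls back to when it is given no certificate, so the session is encrypted but neither side proves who it is, and `verify mode = none` tells the agent not to check the connecting client at all. Combined with `allow arguments = 1` and `allow nasty characters = 1`, any host that can reach port 5666 can run the agent's checks with arguments of its choosing, shell metacharacters included. That is a reasonable way to prove the check responds, not a place to leave a production agent. The fragment below is an added example, not from this thread or from the NSClient++ project: it keeps the quick-fix settings as commented-out lines for comparison and follows them with a hardened section that restricts the client address, requires a client certificate, and pins the event-log filter on the agent side as an alias so argument passing can stay disabled. The certificate file names, the `192.0.2.10` address, the alias name and the `scan-range=-1h` window are placeholders and assumptions, not values from the thread.

```ini
; ---- Quick fix from the thread (kept here only for comparison; do not use as-is) ----
; [/settings/NRPE/server]
; use ssl = 1
; insecure = true            ; ADH mode: encrypted, but no party is authenticated
; verify mode = none         ; the agent never checks who is connecting
; allow arguments = 1        ; any reachable client may pass arguments ...
; allow nasty characters = 1 ; ... including | & > < ' " characters
; port = 5666

; ---- Hardened replacement (example; paths and addresses are placeholders) ----
[/modules]
CheckEventLog = enabled
CheckExternalScripts = enabled   ; needed for the alias section below
NRPEServer = enabled

[/settings/NRPE/server]
port = 5666
; Only the Nagios server may connect (placeholder address; add more hosts comma-separated).
allowed hosts = 192.0.2.10
use ssl = 1
ssl options = no-sslv2,no-sslv3
; Real certificates instead of anonymous DH. ${certificate-path} is the NSClient++
; security directory; the three file names are placeholders.
insecure = false
certificate = ${certificate-path}/nsclient.pem
certificate key = ${certificate-path}/nsclient.key
ca = ${certificate-path}/ca.pem
; Require a client certificate signed by that CA, so only the Nagios server can talk to the agent.
verify mode = peer-cert
; The filter lives in the alias below, so the client needs no argument passing at all.
allow arguments = 0
allow nasty characters = 0

[/settings/eventlog]
buffer size = 131072
lookup names = 1
debug = 0

[/settings/external scripts/alias]
; Invoked from the Nagios side as: check_nrpe -H <host> -c alias_sec_7001
; file=Security selects the Security log; scan-range=-1h (assumed duration syntax)
; limits the scan to the last hour so a 60-minute check interval sees each event once.
alias_sec_7001 = check_eventlog file=Security "filter=id=7001" "scan-range=-1h"
```

With `insecure = false` and `verify mode = peer-cert`, check_nrpe on the Nagios host has to present the matching client certificate and key (`-C`, `-K`) and trust the CA (`-A`); the handshake error from the thread will otherwise come back, this time for the intended reason. If you cannot deploy certificates yet, at least keep `allowed hosts` restricted and `allow arguments = 0`, and define each check as an alias as shown.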

Re: Monitoring the Windows Event Log

Post by amitgupta19 »

Hi Scott,

Finally I am able to get the required result.
Thanks for your support.
My requirement is to check only the System log for Event ID 7002 every 30 minutes or 1 hour.

Can you suggest how to do this, please?
scottwilkerson

Re: Monitoring the Windows Event Log

Post by scottwilkerson »

You would set up a normal Nagios service definition for this check, and set the following in the object to 30 or 60:

Code:

check_interval           30
amitgupta19

Re: Monitoring the Windows Event Log

Post by amitgupta19 »

Thanks, Scott, for the reply.

For the time range I suppose we have to use the "scan-range".

Also, the current formula that I am using is:

./check_nrpe -H xxx.xxx.xxx.xxx -p 5666 -c check_eventlog "filter=id=7001"

It is fetching some logs and giving the data. But I am not sure from which event log it is fetching the data.

My requirement is to monitor the Security log for a specific Event ID. How can I specify in the command to search the Security log?

I tried file=Security but it is not searching in the Security log.
scottwilkerson

Re: Monitoring the Windows Event Log

Post by scottwilkerson »

You should be able to add AND log = 'Security' to the filter

like:

Code:

./check_nrpe -H xxx.xxx.xxx.xxx -p 5666 -c check_eventlog "filter=id=7001 AND log = 'Security'"
amitgupta19
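Two points from the thread belong together: the scheduling answer (a service with `check_interval` 30 or 60) and the filter answer (restricting check_eventlog to the Security log). One thing to verify before changing the filter: in the commands quoted in the last two posts the argument string follows `-c check_eventlog` directly, without `-a`. check_nrpe forwards only the arguments that come after `-a`; a bare trailing word is ignored, the agent runs check_eventlog with its defaults, and the result is exactly what the poster describes: events from an unexpected log and `file=Security` apparently having no effect. The Nagios object definitions below are an added example, not from this thread or the Nagios project. They assume the agent has `allow arguments = 1` for the argument-passing command (the alias variant needs none), a `generic-service` template as shipped in the default Nagios Core config, the default `interval_length` of 60 seconds, a placeholder host `winserver01`, and `-30m` as the scan-range syntax for "the last 30 minutes".

```cfg
# Passes the log name, the filter and the scan window to the agent with -a.
# Only arguments after -a reach the agent; anything before it is dropped.
# Requires "allow arguments = 1" in [/settings/NRPE/server] on the Windows side.
define command {
    command_name    check_nrpe_eventlog
    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -c check_eventlog -a "file=$ARG1$" "filter=$ARG2$" "scan-range=$ARG3$"
}

# Alternative that runs a check defined on the agent (an NSClient++ alias),
# so the agent can keep argument passing disabled. Assumed alias name.
define command {
    command_name    check_nrpe_alias
    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -c $ARG1$
}

# Look for Event ID 7001 in the Security log every 30 minutes.
# check_interval is counted in interval_length units (60 s by default), so 30 = 30 minutes.
# scan-range=-30m matches the interval so each event is seen by one run only;
# a scan-range wider than the interval reports the same event on several consecutive runs.
define service {
    use                     generic-service
    host_name               winserver01
    service_description     Security log event 7001
    check_command           check_nrpe_eventlog!Security!id=7001!-30m
    check_interval          30
    retry_interval          5
    max_check_attempts      1
}

# Same check through the agent-side alias (no arguments cross the wire).
define service {
    use                     generic-service
    host_name               winserver01
    service_description     Security log event 7001 (alias)
    check_command           check_nrpe_alias!alias_sec_7001
    check_interval          30
    retry_interval          5
    max_check_attempts      1
}
```

To confirm the arguments actually arrive, run the same command by hand from the Nagios host with `-a` and compare it against the form without it; if the output changes to `OK: No entries found` or to Security-log entries, the missing `-a` was the problem. With `max_check_attempts 1` a hit goes straight to a HARD state and notifies on the first run, which is usually what you want for an audit-type event.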

Re: Monitoring the Windows Event Log

Post by amitgupta19 »

Please refer to the attached screenshot.

It is still not searching in the Security Log.

The message that it is giving is for id=7001 in the System event log.

Attachment: checkeventlog.JPG