WindowsEventID Monitoring

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
grayloglearn
Posts: 222
Joined: Thu Jul 06, 2017 8:55 am

WindowsEventID Monitoring

Post by grayloglearn »

Hi Team,

Previously I raised the same ticket but it was locked, so I am raising the query again.
I downloaded the check_eventlog plugin from the URL below to check how it works, but it gives an error while executing the script.

https://gallery.technet.microsoft.com/s ... l-4153d359

After downloading it I just executed it, and the attached error is shown. Please find the attachment. Could you please help with how to enable EventID monitoring? We are using the NSCP client, version 0.5.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: WindowsEventID Monitoring

Post by mcapra »

The solution is to either sign that script with an authority your system/organization likes, or to change the PowerShell execution policy to allow unsigned (or remote signed) scripts to be executed:
http://tritoneco.com/2014/02/21/fix-for ... ly-signed/

Here's more info in an article written by @WillemDH, with a similar problem and solution in the article's comments:
https://outsideit.net/monitoring-window ... led-tasks/
Former Nagios employee
https://www.mcapra.com/
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: WindowsEventID Monitoring

Post by mbellerue »

Thanks for the good information, Matt!

grayloglearn, does the above information help with your issue?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
grayloglearn
Posts: 222
Joined: Thu Jul 06, 2017 8:55 am

Re: WindowsEventID Monitoring

Post by grayloglearn »

Thanks for the reply.

As you said, I have set the policy and tried to execute the script, and it is working fine. But I want to monitor the EventID shown in the attachment. I tried to execute it but it says OK; how do I make it show CRITICAL when those EventIDs match and OK if they do not match?
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: WindowsEventID Monitoring

Post by mbellerue »

If it's not possible to have the script return critical upon finding the specific Event entry, then you could use the Negate plugin in Nagios XI.

https://assets.nagios.com/downloads/nag ... ios-XI.pdf
grayloglearn
Posts: 222
Joined: Thu Jul 06, 2017 8:55 am

Re: WindowsEventID Monitoring

Post by grayloglearn »

Hi Team,

I have seen the entries below somewhere. How do I understand this?

CheckEventLog -a file=System MaxWarn=1 MaxCrit=1 "filter=generated gt -15m AND severity NOT IN ('success', 'informational') AND id='4320' and source='netbt'" truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: WindowsEventID Monitoring

Post by mbellerue »

I'm not familiar with this particular plugin, but I can piece together parts of it.
CheckEventLog -a file=System
Checking the System event log
MaxWarn=1 MaxCrit=1
Warn and Crit settings
"filter=generated gt -15m
Looking for logs generated more than 15 minutes ago? This seems odd. I would think you would want lt for less than, but I don't know the plugin.
AND severity NOT IN ('success', 'informational')
Filter continued, looking for logs where the severity is not success or informational.
AND id='4320' and source='netbt'"
Filter continued, looking for logs where the ID is 4320, and the source is an application called netbt.
truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
I'm not really sure about the rest of this.
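Added example, not NSClient++ code and not from any poster in this thread: a small Python model of how a filter of the kind shown above is evaluated against events and turned into a Nagios state. It supports only a flat subset of the filter language (clauses joined by AND, with the operators =, !=, gt, lt, in and not in) over constructed sample events, uses the newer warn=count>N / crit=count>N threshold form, and assumes that a relative time such as -15m means "now minus 15 minutes", so generated gt -15m selects events newer than that. With crit=count>0 a matching event makes the check CRITICAL and no match leaves it OK, which is the behaviour asked for earlier in the thread.

```python
"""Constructed model of an NSClient++-style event-log check (added example).

Not NSClient++ code: it evaluates a flat subset of the CheckEventLog filter
language (clauses joined by AND) against constructed sample events and applies
count thresholds the way a Nagios check would.
"""
import re
from datetime import datetime, timedelta

# Fixed "now" keeps the example deterministic; the events are constructed, not real logs.
NOW = datetime(2020, 1, 1, 12, 0, 0)
EVENTS = [
    {"id": 7023, "source": "Service Control Manager", "level": "error",
     "message": "The Example service terminated unexpectedly",
     "generated": NOW - timedelta(minutes=5)},
    {"id": 7023, "source": "Service Control Manager", "level": "error",
     "message": "The Example service terminated unexpectedly",
     "generated": NOW - timedelta(minutes=40)},
    {"id": 7036, "source": "Service Control Manager", "level": "informational",
     "message": "The Example service entered the running state",
     "generated": NOW - timedelta(minutes=3)},
    {"id": 4320, "source": "netbt", "level": "warning",
     "message": "Another machine has sent a name release message",
     "generated": NOW - timedelta(hours=3)},
]

ALIAS = {"severity": "level"}  # the old syntax says severity, the new one says level
UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}
CLAUSE = re.compile(r"^\s*(\w+)\s*(not\s+in|in|!=|=|gt|lt)\s*\(?\s*(.*?)\s*\)?\s*$", re.I)


def parse_relative(text):
    """'-15m' -> timedelta(minutes=-15)."""
    m = re.fullmatch(r"(-?\d+)([smhd])", text.strip())
    return timedelta(seconds=int(m.group(1)) * UNIT[m.group(2)])


def parse_filter(expr):
    """Split "a AND b AND c" into (field, op, [values]) triples; grouping parentheses are dropped.
    Limitation of the model: no OR and no nested groups, only a flat AND chain."""
    clauses = []
    for part in re.split(r"\s+and\s+", expr, flags=re.I):
        m = CLAUSE.match(part.strip().strip("()"))
        if not m:
            raise ValueError("unsupported clause: " + part)
        field, op, raw = m.group(1).lower(), m.group(2).lower(), m.group(3)
        values = [v.strip().strip("'\"") for v in raw.split(",")]
        clauses.append((ALIAS.get(field, field), re.sub(r"\s+", " ", op), values))
    return clauses


def matches(event, clauses):
    """True when the event satisfies every clause (string compares are case-insensitive)."""
    for field, op, values in clauses:
        actual = event[field]
        if op in ("gt", "lt"):
            # Assumption: a relative time such as -15m is NOW minus 15 minutes,
            # so "generated gt -15m" selects events newer than 15 minutes.
            bound = NOW + parse_relative(values[0])
            ok = actual > bound if op == "gt" else actual < bound
        elif op == "=":
            ok = str(actual).lower() == values[0].lower()
        elif op == "!=":
            ok = str(actual).lower() != values[0].lower()
        else:  # in / not in
            ok = str(actual).lower() in [v.lower() for v in values]
            if op == "not in":
                ok = not ok
        if not ok:
            return False
    return True


def threshold_hit(count, spec):
    """'count>0'-style thresholds; 'none' never fires."""
    if spec.strip().lower() == "none":
        return False
    m = re.fullmatch(r"count\s*(>=|>|<=|<|=)\s*(\d+)", spec.strip(), re.I)
    op, n = m.group(1), int(m.group(2))
    return {">": count > n, ">=": count >= n, "<": count < n, "<=": count <= n, "=": count == n}[op]


def run_check(filter_expr, warn="none", crit="none",
              syntax="%severity%: %source%: %message% (%count%)", truncate=1023, events=EVENTS):
    """Return (nagios_state, output): 0=OK, 1=WARNING, 2=CRITICAL."""
    clauses = parse_filter(filter_expr)
    hits = [e for e in events if matches(e, clauses)]
    # "unique descriptions": identical entries are collapsed and reported with their count
    groups = {}
    for e in hits:
        key = (e["level"], e["source"], e["message"])
        groups[key] = groups.get(key, 0) + 1
    lines = [syntax.replace("%severity%", lvl).replace("%source%", src)
             .replace("%message%", msg).replace("%count%", str(n))
             for (lvl, src, msg), n in groups.items()]
    count = len(hits)
    if threshold_hit(count, crit):
        state, label = 2, "CRITICAL"
    elif threshold_hit(count, warn):
        state, label = 1, "WARNING"
    else:
        state, label = 0, "OK"
    output = "%s: %d matching event(s); %s" % (label, count, ", ".join(lines) or "no events")
    return state, output[:truncate]  # truncate= caps the plugin output length


if __name__ == "__main__":
    # A match goes CRITICAL here because crit=count>0 rather than crit=none
    print(run_check("(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')",
                    warn="none", crit="count>0"))
    print(run_check("generated gt -15m AND severity NOT IN ('success', 'informational') "
                    "AND id='4320' and source='netbt'", warn="count>0", crit="count>0"))
```

The field names severity and level are treated as aliases because the two commands in this thread use one each. The real plugin's grammar is broader than this model, so the NSClient++ CheckEventLog reference remains the authority on the exact operators and time semantics.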
grayloglearn
Posts: 222
Joined: Thu Jul 06, 2017 8:55 am

Re: WindowsEventID Monitoring

Post by grayloglearn »

I am still a bit confused. Is there any document on how to monitor the EventID with simple steps? If you could provide one, it would be really appreciated.
A small doubt: while installing NSClient we only tick the check_nt option. In order for check_nrpe to work with NSClient, do we need to tick check_nrpe while installing?

If it needs to be ticked and we have already installed NSClient, how do we activate check_nrpe in NSClient?
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: WindowsEventID Monitoring

Post by mbellerue »

I can point you to the NSClient documentation for Windows Event Logs.

https://docs.nsclient.org/reference/win ... kEventLog/

Regarding enabling NRPE on Windows with NSClient, you have to modify the NSClient configuration file. Under the Modules section, find NRPEServer = false and change the setting to true. If it's still not working after you restart the NSClient service, then check your firewall settings to make sure that the port is open.
grayloglearn
Posts: 222
Joined: Thu Jul 06, 2017 8:55 am

Re: WindowsEventID Monitoring

Post by grayloglearn »

Hi Team,
Thanks for the help. I am really bothered by this query, but I am still getting some errors while trying. I am using NSClient on Windows and I have enabled NRPE too.

I am using the command below to monitor event ID 7023. Find the attachment for both NSClient files.

root@ip-XXXx:/usr/local/nagios/libexec# ./check_nrpe -H XXXX -p 5666 -c check_eventlog -a "scan-range=-1500m" "file=System" "warn=count>0" "crit=none" "filter=(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')"
Exception processing request: Request command contained illegal metachars!

To resolve that "exception processing request" error I made some changes in NSClient as below, but I am still getting the error:
allow arguments = 1
allow_nasty_meta_chars = 1
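Added example, not NSClient++ code and not from any poster: a Python model of the two gates behind the "illegal metachars" error above. It assumes the agent rejects every request carrying arguments while "allow arguments" is off and, while "allow nasty characters" is off, rejects arguments containing the NRPE daemon's NASTY_METACHARS set; that this is exactly the list NSClient++ applies is an assumption. The alias check_eventlog_7023 is constructed for illustration: when the whole filter is defined on the agent side, the Nagios server sends no arguments at all, so neither setting has to be loosened and a remote caller cannot push arbitrary filter text into the agent.

```python
"""Constructed model of the NRPE argument gates in an NSClient++-style agent
(added example, not NSClient++ code)."""

# NASTY_METACHARS as defined by the NRPE daemon; assumed to be the list NSClient++ checks.
NASTY_METACHARS = set("|`&><'\"\\[]{}")

# Constructed server-side command table. A fully specified alias needs no remote arguments.
COMMANDS = {
    "check_eventlog": {"takes_args": True},
    "check_eventlog_7023": {"takes_args": False, "expands_to": [
        "check_eventlog", "scan-range=-1500m", "file=System", "crit=count>0",
        "filter=id='7023' AND source='Service Control Manager' AND level in('error','warning')"]},
}

# The argument list the thread's check_nrpe call sends, reconstructed from the post above.
THREAD_ARGS = [
    "scan-range=-1500m", "file=System", "warn=count>0", "crit=none",
    "filter=(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')",
]


def offending_metachars(args):
    """Sorted list of NASTY_METACHARS characters present anywhere in the arguments."""
    return sorted({c for a in args for c in a if c in NASTY_METACHARS})


def gate_request(command, args, allow_arguments=False, allow_nasty=False):
    """Return (accepted, reason) for a remote NRPE request, mirroring the agent's two gates."""
    if command not in COMMANDS:
        return False, "unknown command"
    if args and not allow_arguments:
        return False, "arguments not allowed (allow arguments is off)"
    bad = offending_metachars(args)
    if bad and not allow_nasty:
        # Same condition the thread's error message reports
        return False, "Request command contained illegal metachars! offending: " + " ".join(bad)
    return True, "accepted"


def resolve(command, args):
    """Expand a server-side alias: the agent, not the remote caller, supplies the filter."""
    spec = COMMANDS[command]
    return spec.get("expands_to", [command]) + list(args)


if __name__ == "__main__":
    # Arguments enabled but nasty characters still off: rejected because of ' and >
    print(gate_request("check_eventlog", THREAD_ARGS, allow_arguments=True))
    # Both settings loosened: accepted, but now any caller may send filter text
    print(gate_request("check_eventlog", THREAD_ARGS, allow_arguments=True, allow_nasty=True))
    # Alias defined on the agent: accepted with both settings left off
    print(gate_request("check_eventlog_7023", []), resolve("check_eventlog_7023", []))
```

The practical takeaway from the model is that the quote and greater-than characters in a count threshold and a filter string are what trip the metachar gate, so the argument-passing route forces both settings open, whereas the alias route keeps the NRPE surface closed.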