WindowsEventID Monitoring
-
- Posts: 222
- Joined: Thu Jul 06, 2017 8:55 am
WindowsEventID Monitoring
Hi Team,
Previously I raised the same ticket, but it was locked, so I am raising the query again.
I have downloaded the check_eventlog plugin from the URL below to check how it works, but it gives an error while executing the script.
https://gallery.technet.microsoft.com/s ... l-4153d359
After downloading it I just executed it to check, and the attached error is shown. Please find the attachment. Could you please help with how to enable the EventID to monitor? We are using nscp client version 0.5.
Re: WindowsEventID Monitoring
The solution is to either sign that script with an authority your system/organization likes, or to change the PowerShell execution policy to allow unsigned (or remote signed) scripts to be executed:
http://tritoneco.com/2014/02/21/fix-for ... ly-signed/
Here's more info in an article written by @WillemDH, with a similar problem and solution in the article's comments:
https://outsideit.net/monitoring-window ... led-tasks/
Former Nagios employee
https://www.mcapra.com/
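The two options from the reply above, as an added PowerShell example that is not part of the original post. The script path and the presence of a code-signing certificate in the current user's store are assumptions; RemoteSigned is used rather than Unrestricted so that downloaded scripts still need a signature or an explicit unblock.

```powershell
# Added example. $Script is a hypothetical path; point it at the downloaded plugin.
$Script = 'C:\Program Files\NSClient++\scripts\check_eventlog.ps1'

# 1. Which policy is in effect, and at which scope is it set?
#    A MachinePolicy/UserPolicy entry comes from Group Policy and cannot be
#    overridden with Set-ExecutionPolicy.
Get-ExecutionPolicy -List

# 2. Inspect the file before trusting it: signature state and download mark.
$sig  = Get-AuthenticodeSignature -FilePath $Script
$zone = Get-Item -LiteralPath $Script -Stream Zone.Identifier -ErrorAction SilentlyContinue
"Signature status     : $($sig.Status)"
"Marked as downloaded : $([bool]$zone)"

# Option A: sign the script with a code-signing certificate (assumed to exist).
# The certificate must chain to a root this host trusts, otherwise the
# signature status stays invalid and the policy still blocks the script.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if ($cert) {
    Set-AuthenticodeSignature -FilePath $Script -Certificate $cert
}
else {
    # Option B: allow local unsigned scripts, keep the signature requirement
    # for downloaded ones. Needs an elevated prompt. LocalMachine scope is
    # used because the monitoring agent runs as a service, not as this user.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

    # Remove the download mark only after the script content has been reviewed.
    Unblock-File -LiteralPath $Script
}

# 3. Confirm the result.
Get-ExecutionPolicy -List
(Get-AuthenticodeSignature -FilePath $Script).Status
```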
Re: WindowsEventID Monitoring
Thanks for the good information, Matt!
grayloglearn, does the above information help with your issue?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: WindowsEventID Monitoring
Thanks for the reply.
As you said you have set the policy and tried to execute the script as it's working fine. But I want to monitor the EventID which is attached in the attachment. I tried to execute it but it's saying OK. How do I make it show critical if those EventIDs match, and OK if they do not match?
Re: WindowsEventID Monitoring
If it's not possible to have the script return critical upon finding the specific Event entry, then you could use the Negate plugin in Nagios XI.
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
Re: WindowsEventID Monitoring
Hi Team,
I have seen the below entries somewhere. How to understand this?
CheckEventLog -a file=System MaxWarn=1 MaxCrit=1 "filter=generated gt -15m AND severity NOT IN ('success', 'informational') AND id='4320' and source='netbt'" truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
Re: WindowsEventID Monitoring
I'm not familiar with this particular plugin, but I can piece together parts of it.
Checking the System event log:
CheckEventLog -a file=System
Warn and Crit settings:
MaxWarn=1 MaxCrit=1
Looking for logs generated more than 15 minutes ago? This seems odd. I would think you would want lt for less than, but I don't know the plugin.
"filter=generated gt -15m
Filter continued, looking for logs where the severity is not success or informational.
AND severity NOT IN ('success', 'informational')
Filter continued, looking for logs where the ID is 4320, and the source is an application called netbt.
AND id='4320' and source='netbt'"
I'm not really sure about the rest of this.
truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
Re: WindowsEventID Monitoring
Still I am a bit confused. Is there any document to monitor the EventID with simple steps? If you could provide it, it would be really appreciated.
Small doubt: while installing nsclient we only checked the option for check_nt. In order for check_nrpe to work in nsclient, do we need to check check_nrpe while installing?
If we need to check it and have already installed nsclient, how do we activate check_nrpe in nsclient?
Re: WindowsEventID Monitoring
I can point you to the NSClient documentation for Windows Event Logs.
https://docs.nsclient.org/reference/win ... kEventLog/
Regarding enabling NRPE on Windows with NSClient, you have to modify the NSClient configuration file. Under the Modules section, find NRPEServer = false and change the setting to true. If it's still not working after you restart the NSClient service, then check your firewall settings to make sure that the port is open.
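The steps in the reply above as a verification script, added here as an example and not part of the original post. The ini path, the service name `nscp` and the Nagios server address are assumptions; port 5666 is the one passed to check_nrpe in this thread.

```powershell
# Added example. Values below are assumptions; adjust them to the host.
$Ini          = 'C:\Program Files\NSClient++\nsclient.ini'  # assumed install path
$Service      = 'nscp'                                       # assumed service name
$Port         = 5666                                         # port used with check_nrpe
$NagiosServer = '192.0.2.10'                                 # placeholder address

# 1. Show the NRPEServer line from the Modules section of the config file.
Select-String -LiteralPath $Ini -Pattern '^\s*NRPEServer\s*=' |
    ForEach-Object { $_.Line }

# 2. The module list is only read at start-up, so restart and check the state.
Restart-Service -Name $Service
(Get-Service -Name $Service).Status

# 3. Is anything listening on the NRPE port after the restart?
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning "Nothing is listening on TCP $Port; the NRPE server module is not loaded."
}

# 4. Look for an enabled inbound allow rule that names the port.
#    A rule bound to the program instead of the port is not found by this
#    query, so a check_nrpe call from the Nagios server remains the final test.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

if (-not $rules) {
    # Open the port to the monitoring server only, not to every source address.
    New-NetFirewallRule -DisplayName 'NSClient++ NRPE' -Direction Inbound `
        -Protocol TCP -LocalPort $Port -RemoteAddress $NagiosServer -Action Allow
}
```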
Re: WindowsEventID Monitoring
Hi Team,
Thanks for the help. I am really bothering about this query, but I am still getting some errors while I am trying. I am using nsclient on Windows and I enabled NRPE too.
I am using the below command to monitor event ID 7023. Find the attachment for both nsclient files.
root@ip-XXXx:/usr/local/nagios/libexec# ./check_nrpe -H XXXX -p 5666 -c check_eventlog -a "scan-range=-1500m" "file=System" "warn=count>0" "crit=none" "filter=(id='7023' AND source='Service Control Manager') AND level in('error', 'warning')"
Exception processing request: Request command contained illegal metachars!
To resolve that exception processing request error I have made some changes in nsclient as below, but I am still getting the error:
allow arguments = 1
allow_nasty_meta_chars = 1
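An added example, not part of the original post, that audits the argument-handling settings in an nsclient.ini. The key names `allow arguments` and `allow nasty characters` under `/settings/NRPE/server`, and `allowed hosts` under `/settings/default`, come from the NSClient++ ini format rather than from this thread; the ini text is constructed sample input, and treating `1` and `true` as enabled is an assumption.

```powershell
# Added example. $text is constructed sample input; replace it with
# Get-Content -Raw on the real nsclient.ini to audit a host.
$text = @'
[/modules]
NRPEServer = true

[/settings/default]
allowed hosts = 127.0.0.1,192.0.2.10

[/settings/NRPE/server]
allow arguments = 1
allow_nasty_meta_chars = 1
'@

function Read-Ini([string]$Content) {
    # Minimal ini reader: section -> (key -> value); skips comments and blanks.
    $ini = @{}; $section = ''
    foreach ($line in $Content -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
        }
        elseif ($section -and $line -match '^([^;#=\[][^=]*)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $ini
}

function Test-NrpeArgumentSettings([hashtable]$Ini) {
    $names = 'allow arguments', 'allow nasty characters'
    $nrpe  = $Ini['/settings/NRPE/server']
    if (-not $nrpe) { $nrpe = @{} }
    foreach ($name in $names) {
        [pscustomobject]@{ Setting = $name; Value = $nrpe[$name]
                           Enabled = ('1', 'true') -contains $nrpe[$name] }
    }
    # Keys that look like these options but are spelled differently are reported.
    $nrpe.Keys | Where-Object { $_ -match 'nasty|meta|arg' -and $names -notcontains $_ } |
        ForEach-Object { Write-Warning "Key '$_' is not one of: $($names -join ', ')" }
    # Argument passing widens what a remote caller can send, so the caller list matters.
    $default = $Ini['/settings/default']
    $hosts   = if ($default) { $default['allowed hosts'] }
    [pscustomobject]@{ Setting = 'allowed hosts'; Value = $hosts; Enabled = [bool]$hosts }
}

Test-NrpeArgumentSettings (Read-Ini $text) | Format-Table -AutoSize
```

On the sample input this reports `allow nasty characters` as not enabled and warns about the `allow_nasty_meta_chars` spelling.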