Good morning, all.
Is there a way to exclude system log critical errors by one or more specified providers with this command?:
check_xi_service_wmiplus!'vornado/userid'!'PaSsW0rd'!checkeventlog!-a 'System' -o 1 -3 1 -w '5' -c '6'!!!!
For example, we don't wish to see errors from provider Schannel.
Thanks.
Steve
check_xi_service_wmiplus, checkeventlog - exclude?
Re: check_xi_service_wmiplus, checkeventlog - exclude?
From the help documentation of the 1.64 release of check_wmi_plus:
checkeventlog
ARG1 Name of the log eg "System" or "Application" or any other Event log as shown in the Windows "Event Viewer". You may also use a comma delimited list to specify multiple event logs. You can also specify event log names using the wildcard character % eg system,app%,%shell%. Default is system
ARG2 A comma delimited list of severity numbers. If not specfied this defaults to 1. If only one level is specified, all severity levels less than and equal to it are included. If more than one is specified then only those levels are included. To include only a single level, put a comma before the severity number eg ,3.
The severity levels available are:
5 = Security Audit Failure.
4 = Security Audit Success
3 = Information
2 = Warning
1 = Error
ARG3 Number of past hours to check for events. Default is 1
ARG4 Comma delimited list of ini file sections to get extra settings from. Default value is eventdefault.
ie use the eventdefault section settings from the ini file. The ini file contains regular expression based inclusion
and exclusion rules to accurately define the events you want to or don't want to see. Event inclusions and exlusions rules are ANDed together. See the events.ini file for details.
ARG5 The Include/Exclude mode. Defaults to 'any', which includes event log records that match any of the match criteria. PRO users can additionally specify 'includeall' which will only include event log records that match all the match criteria.
WARN/CRIT can be used as described below.
$field_lists{'checkeventlog'}.
Examples:
to report all errors (1) that got logged in the past 24 hours in the System event log use:
-a System -3 24
to report all errors (1) that got logged in the past 24 hours in any event log use:
-a % -3 24
to report all warnings (2) and errors (1) that got logged in the past 4 hours in the Application event log use:
-a application -o 2 -3 4 OR -a application -o 1,2 -3 4
to report all information (3) and errors (1) that got logged in the past 4 hours in the Application event log use:
-a application -o 1,3 -3 4
to report only Security Audit Failure (5) events that got logged in the past 4 hours in any event log use:
-a % -o ,5 -3 4
to report your custom mix of event log messages from the system event log use (the names passed to this argument are ini sections defined in an ini file eg event.ini):
-4 eventinc_1,eventinc_2,eventinc_3,eventexclude_1
The events.ini file mentioned near the bottom allows you to include/exclude on SourceName:
# INCLUDE SPECIFICATIONS
# is=REGEX <- apply this REGEX to the SourceName field and include any records that match (is stands for Include SourceName)
# EXCLUDE SPECIFICATIONS
# es=REGEX <- apply this REGEX to the SourceName field and exclude any records that match (es stands for Exclude SourceName)
I *think* you could just add your specific SourceName you'd like to exclude to the eventdefault block of the default events.ini, but I'm making a lot of assumptions about how check_wmi_plus is implemented in XI
Former Nagios employee
https://www.mcapra.com/
Re: check_xi_service_wmiplus, checkeventlog - exclude?
Thanks for jumping in, Matt!
Steve, did Matt's answer help you out, or are you still unable to exclude by provider?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: check_xi_service_wmiplus, checkeventlog - exclude?
I added the name of the source provider to the es= line in the .ini file on our dev server. If the production server reports the errors and the dev server doesn't, then I know it's working. You can close the ticket. Thanks for your help.
Steve
Re: check_xi_service_wmiplus, checkeventlog - exclude?
vornado wrote: I added the name of the source provider to the es= line in the .ini file on our dev server. If the production server reports the errors and the dev server doesn't, then I know it's working. You can close the ticket. Thanks for your help.
Steve
Great!
Locking thread
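The es= SourceName exclusion discussed in this thread, modelled as an added example (not code from the thread or from check_wmi_plus): it lists which SourceName values a given exclusion regex would hide, so a pattern can be checked for over-matching before it goes into events.ini. The sample events, the ContosoSchannelProxy source name and the unanchored, case-sensitive matching are assumptions.

```python
import re

# Constructed sample records; not real log data.
SAMPLE_EVENTS = [
    {"SourceName": "Schannel", "Message": "constructed TLS error A"},
    {"SourceName": "Schannel", "Message": "constructed TLS error B"},
    {"SourceName": "Service Control Manager", "Message": "constructed service crash"},
    {"SourceName": "Disk", "Message": "constructed controller error"},
    # Hypothetical third-party source whose name merely contains "Schannel".
    {"SourceName": "ContosoSchannelProxy", "Message": "constructed proxy failure"},
]


def apply_exclusions(events, es_patterns):
    """Split events into (kept, dropped) following the es= description:
    a record is excluded when any regex matches its SourceName.
    Assumption: the regex is searched unanchored and case-sensitively."""
    compiled = [re.compile(p) for p in es_patterns]
    kept, dropped = [], []
    for ev in events:
        hit = any(rx.search(ev["SourceName"]) for rx in compiled)
        (dropped if hit else kept).append(ev)
    return kept, dropped


def dropped_sources(events, es_patterns):
    """Return the sorted set of SourceNames an exclusion list would hide."""
    _, dropped = apply_exclusions(events, es_patterns)
    return sorted({ev["SourceName"] for ev in dropped})


if __name__ == "__main__":
    # Compare a bare provider name with an anchored pattern.
    for patterns in (["Schannel"], ["^Schannel$"]):
        print(patterns, "hides", dropped_sources(SAMPLE_EVENTS, patterns))
```

Under these assumptions the bare pattern also hides the unrelated source, while the anchored one hides only the Schannel provider.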