Hi Team,
I have configured the event ID on Nagios, however I have the 41 event ID on Windows event logs but I dont find it to be detected on the NAgios.
Attaching the Nagios agent web GUI snap and windows event log snap, please review the same and let me know what changes I will have to make.
Event ID shows ok
-
sneha.irali
- Posts: 141
- Joined: Fri Jan 15, 2021 3:56 am
Event ID shows ok
You do not have the required permissions to view the files attached to this post.
-
sneha.irali
- Posts: 141
- Joined: Fri Jan 15, 2021 3:56 am
Re: Event ID shows ok although the event viewer has captured
Hi Team,
Can I get an update here plz.
Can I get an update here plz.
Re: Event ID shows ok
Hi,
I am looking at it. I see the same thing you do.
Looking for the cause and workarounds. Will let you know
when I find something.
Thanks!
I am looking at it. I see the same thing you do.
Looking for the cause and workarounds. Will let you know
when I find something.
Thanks!
Re: Event ID shows ok
Hi
I found it - the "Event Type" pull-down in the Configuration Wizard defaults to "Error",
it needs to be changed to "Any". I will file a bug report.
This command works if you test from the CLI:
But this doesn't (and it shouldn't):
Neither does this, but it should:
Let me know if you are still having issues or if I can close this thread.
Thanks
I found it - the "Event Type" pull-down in the Configuration Wizard defaults to "Error",
it needs to be changed to "Any". I will file a bug report.
This command works if you test from the CLI:
Code: Select all
[root@gs-rhel8-23-84 libexec]# /usr/local/nagios/libexec/check_ncpa.py -H 192.168.23.87 -t 'gjstoken' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41' -c 0
CRITICAL: System has 1 logs, Total Count has 1 logs (Time range - last 30 minutes) | 'System'=1;;0; 'Total Count'=1;;0;
System Logs
Time: Computer: Severity: Event ID: Source: Message
-----------------------------------
11/15/21 10:39:43: WIN-0V5RL4OT9C4: UNKNOWN: 41: Microsoft-Windows-Kernel-Power: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Code: Select all
/usr/local/nagios/libexec/check_ncpa.py -H 192.168.23.87 -t 'gjstoken' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,severity=ERROR,event_id=41' -c 0
OK: System has 0 logs, Total Count has 0 logs (Time range - last 30 minutes) | 'System'=0;;0; 'Total Count'=0;;0;
System Logs
Time: Computer: Severity: Event ID: Source: Message
-----------------------------------
Code: Select all
[root@gs-rhel8-23-84 libexec]# /usr/local/nagios/libexec/check_ncpa.py -H 192.168.23.87 -t 'gjstoken' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,severity=UNKNOWN,event_id=41' -c 0
OK: System has 0 logs, Total Count has 0 logs (Time range - last 30 minutes) | 'System'=0;;0; 'Total Count'=0;;0;
System Logs
Time: Computer: Severity: Event ID: Source: Message
-----------------------------------
Thanks
-
sneha.irali
- Posts: 141
- Joined: Fri Jan 15, 2021 3:56 am
Re: Event ID shows ok
This solution did work, but for event ID 41 the message was not captured as u have shown me in ur lab results ( can I know the reason for this I have attached the snap) also I have few other queries listed below.
-----------------------First Question:-----------------------
I have a setup where my initial given check command works ( has nagiosXI version - 5.8.4 and windows event log wizard 2.0.2) and it works well --> unsure how was the service created.
-t 'NagiosXI@SONY' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
And on existing one this command do not work ( has nagiosXI version - 5.8.5 and windows event log wizard 2.0.2) --> Created a service copy and punched in the Arg 1
-t 'AMSTKN@123' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
-----------------------Second Question:-----------------------
I have SQL related Event ID configured as below, do i need to re-configure them as I did for event ID 41.
-t 'NagiosXI@Strides' -M 'logs' -q 'name=Application,severity=WARNING,event_id=1619,application=MSSQLSERVER,message=*'
-----------------------Third Question-----------------------
What if I have same event ID created for both critical and warning severity --> will this work if I configure them as I did for event ID 41
-----------------------Fourth Question-----------------------
From which wizard or NAgiosXI version is this bug been identified and I need little more info on the bug.
-----------------------First Question:-----------------------
I have a setup where my initial given check command works ( has nagiosXI version - 5.8.4 and windows event log wizard 2.0.2) and it works well --> unsure how was the service created.
-t 'NagiosXI@SONY' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
And on existing one this command do not work ( has nagiosXI version - 5.8.5 and windows event log wizard 2.0.2) --> Created a service copy and punched in the Arg 1
-t 'AMSTKN@123' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
-----------------------Second Question:-----------------------
I have SQL related Event ID configured as below, do i need to re-configure them as I did for event ID 41.
-t 'NagiosXI@Strides' -M 'logs' -q 'name=Application,severity=WARNING,event_id=1619,application=MSSQLSERVER,message=*'
-----------------------Third Question-----------------------
What if I have same event ID created for both critical and warning severity --> will this work if I configure them as I did for event ID 41
-----------------------Fourth Question-----------------------
From which wizard or NAgiosXI version is this bug been identified and I need little more info on the bug.
You do not have the required permissions to view the files attached to this post.
Re: Event ID shows ok
i
My answers below in blue:
This solution did work, but for event ID 41 the message was not captured as u have shown me in ur lab results ( can I know the reason for this I have attached the snap) also I have few other queries listed below.
What Windows OS are you monitoring? What version of Nagios XI are you using?
-----------------------First Question:-----------------------
I have a setup where my initial given check command works ( has nagiosXI version - 5.8.4 and windows event log wizard 2.0.2) and it works well --> unsure how was the service created.
-t 'NagiosXI@SONY' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
And on existing one this command do not work ( has nagiosXI version - 5.8.5 and windows event log wizard 2.0.2) --> Created a service copy and punched in the Arg 1
-t 'AMSTKN@123' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
What is the error message you are getting from the server running NagiosXI 5.8.5 ?
-----------------------Second Question:-----------------------
I have SQL related Event ID configured as below, do i need to re-configure them as I did for event ID 41.
-t 'NagiosXI@Strides' -M 'logs' -q 'name=Application,severity=WARNING,event_id=1619,application=MSSQLSERVER,message=*'
This should be fine, as long as you are not using severity=CRITICAL, since it doesn't exist in Nagios XI. In my experience you
really don't need to specify the severity if you have an event_id
-----------------------Third Question-----------------------
What if I have same event ID created for both critical and warning severity --> will this work if I configure them as I did for event ID 41
I don't think event id 41 ever gets a severity=WARNING, I believe it is always CRITICAL
-----------------------Fourth Question-----------------------
From which wizard or NAgiosXI version is this bug been identified and I need little more info on the bug.
It has always been this way. If you use the Windows Event Log Config Wizard you will see that "CRITICAL"
is not an option. I have requested it to be added.
Thanks
My answers below in blue:
This solution did work, but for event ID 41 the message was not captured as u have shown me in ur lab results ( can I know the reason for this I have attached the snap) also I have few other queries listed below.
What Windows OS are you monitoring? What version of Nagios XI are you using?
-----------------------First Question:-----------------------
I have a setup where my initial given check command works ( has nagiosXI version - 5.8.4 and windows event log wizard 2.0.2) and it works well --> unsure how was the service created.
-t 'NagiosXI@SONY' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
And on existing one this command do not work ( has nagiosXI version - 5.8.5 and windows event log wizard 2.0.2) --> Created a service copy and punched in the Arg 1
-t 'AMSTKN@123' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
What is the error message you are getting from the server running NagiosXI 5.8.5 ?
-----------------------Second Question:-----------------------
I have SQL related Event ID configured as below, do i need to re-configure them as I did for event ID 41.
-t 'NagiosXI@Strides' -M 'logs' -q 'name=Application,severity=WARNING,event_id=1619,application=MSSQLSERVER,message=*'
This should be fine, as long as you are not using severity=CRITICAL, since it doesn't exist in Nagios XI. In my experience you
really don't need to specify the severity if you have an event_id
-----------------------Third Question-----------------------
What if I have same event ID created for both critical and warning severity --> will this work if I configure them as I did for event ID 41
I don't think event id 41 ever gets a severity=WARNING, I believe it is always CRITICAL
-----------------------Fourth Question-----------------------
From which wizard or NAgiosXI version is this bug been identified and I need little more info on the bug.
It has always been this way. If you use the Windows Event Log Config Wizard you will see that "CRITICAL"
is not an option. I have requested it to be added.
Thanks
-
sneha.irali
- Posts: 141
- Joined: Fri Jan 15, 2021 3:56 am
Re: Event ID shows ok
here is the update:
This solution did work, but for event ID 41 the message was not captured as u have shown me in ur lab results ( can I know the reason for this I have attached the snap) also I have few other queries listed below.
What Windows OS are you monitoring? What version of Nagios XI are you using?
ANS -- ( has nagiosXI version - 5.8.5 and windows event log wizard 2.0.2) , windows 2012 R2 standard
-----------------------First Question:-----------------------
I have a setup where my initial given check command works ( has nagiosXI version - 5.8.4 and windows event log wizard 2.0.2) and it works well --> unsure how was the service created.
-t 'NagiosXI@SONY' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
And on existing one this command do not work ( has nagiosXI version - 5.8.5 and windows event log wizard 2.0.2) --> Created a service copy and punched in the Arg 1
-t 'AMSTKN@123' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
What is the error message you are getting from the server running NagiosXI 5.8.5 ?
ANS -- the snaps i have attached initially to this post, where I have not mentioned the severity on the NCPA Agent GUI, however still the NagiosXI says ok and no errors detected.
This solution did work, but for event ID 41 the message was not captured as u have shown me in ur lab results ( can I know the reason for this I have attached the snap) also I have few other queries listed below.
What Windows OS are you monitoring? What version of Nagios XI are you using?
ANS -- ( has nagiosXI version - 5.8.5 and windows event log wizard 2.0.2) , windows 2012 R2 standard
-----------------------First Question:-----------------------
I have a setup where my initial given check command works ( has nagiosXI version - 5.8.4 and windows event log wizard 2.0.2) and it works well --> unsure how was the service created.
-t 'NagiosXI@SONY' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
And on existing one this command do not work ( has nagiosXI version - 5.8.5 and windows event log wizard 2.0.2) --> Created a service copy and punched in the Arg 1
-t 'AMSTKN@123' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
What is the error message you are getting from the server running NagiosXI 5.8.5 ?
ANS -- the snaps i have attached initially to this post, where I have not mentioned the severity on the NCPA Agent GUI, however still the NagiosXI says ok and no errors detected.
Re: Event ID shows ok
HI
I set up Nagios XI and Windows Server 2012R2 systems, and now I see what you see, so it must be the
version of Windows that is limiting the message verbosity coming from the Event Log
For you second question please try the settings I am using (above) and see if that detects the event id 41
entry in the System Log.
Please let me know the result.
Thanks
I set up Nagios XI and Windows Server 2012R2 systems, and now I see what you see, so it must be the
version of Windows that is limiting the message verbosity coming from the Event Log
[root@localhost ~]# /usr/local/nagios/libexec/check_ncpa.py -H 192.168.23.96 -t 'gjstoken' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41' -c 0
CRITICAL: System has 1 logs, Total Count has 1 logs (Time range - last 30 minutes) | 'System'=1;;0; 'Total Count'=1;;0;
System Logs
Time: Computer: Severity: Event ID: Source: Message
-----------------------------------
11/19/21 10:00:42: WIN-ITFHFA2T3LE: UNKNOWN: 41: Microsoft-Windows-Kernel-Power:
[root@localhost ~]#
For you second question please try the settings I am using (above) and see if that detects the event id 41
entry in the System Log.
Please let me know the result.
Thanks