NCPA Windows Event Log
I'm seeing a similar issue to this: viewtopic.php?t=64444 but there isn't a solution.
I'm testing with the NCPA API Endpoint using the log name Laserfiche-Directory Service-Server/Operational and I'm looking for EventID 22.
./check_ncpa.py -H <hostname> -P 5693 -t '<your token>' -M 'logs' -q 'name=Laserfiche-Directory Service-Server/Operational,logged_after=4w,event_id=22'
It returns: stdout": "OK: Laserfiche-Directory Service-Server/Operational has 0 logs, Total Count has 0 logs (Time range - last 4 weeks)
but I can look at the logs and see EventID 22 within the past 4 weeks.
Re: NCPA Windows Event Log
Hello @logisbk,
Thank you for reaching out, and I am sorry to hear you are having issues with the check_ncpa plugin.
Have you attempted to use "%4" in place of the "/" character in your name string?
Windows sees the use of the "/" character as illegal when it comes to naming.
Do keep us updated on what you find!
Re: NCPA Windows Event Log
Yes, I tried that with the same results
./check_ncpa.py -H <hostname> -P 5693 -t '<your token>' -M 'logs' -q 'name=Laserfiche-Directory Service-Server%4Operational,logged_after=4w,event_id=22'
Re: NCPA Windows Event Log
Have you tried the following:
- Double-check that the exact log name "Laserfiche-Directory Service-Server/Operational" exists on the target system. Sometimes log names can be slightly different than expected.
- Try running the check without the event_id and logged_after filters to see if it returns any results:
./check_ncpa.py -H <hostname> -P 5693 -t '<your token>' -M 'logs' -q 'name=Laserfiche-Directory Service-Server%4Operational'
- To isolate whether this is an NCPA issue or a more general problem, you could try querying the same log using PowerShell on the target machine:
Get-WinEvent -LogName "Laserfiche-Directory Service-Server/Operational" -MaxEvents 1
Re: NCPA Windows Event Log
Yes, the name is correct. If I run it in PowerShell it works
Get-WinEvent -LogName "Laserfiche-Directory Service-Server/Operational" -MaxEvents 1
The result is
ProviderName: Laserfiche-Directory Service-Server
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
7/18/2024 2:18:09 AM 19 Information Audit records trimming for 'xx' finished
If I only use the log name in NCPA API "Laserfiche-Directory Service-Server/Operational" - it returns events that aren't in that log. For example,
"Laserfiche-Directory Service-Server/Operational": [
    {
        "category": "0",
        "severity": "INFORMATION",
        "event_id": "9027",
        "application": "Desktop Window Manager",
        "computer_name": "<hostname>",
        "message": "",
        "time_generated": "07/18/24 07:25:55"
    },
That is under Windows Logs > Application.
I can even put in "Random" for the Log name and it returns the same result as above. Why is it pulling that result if there is no log named that? If it can't find the log name it just returns results from the Windows Application log?
Re: NCPA Windows Event Log
I have not got the check to work with ANY log that is within a folder. It seems to only work with log names at the root level. You can put in any name you like and it won't error, it will just give you the events from the first log, which is the Application log under Windows Logs.
This leads me to think that the code is doing something similar to the Get-EventLog Powershell command which only gives those root level logs, whereas the Get-WinEvent can get everything.
Re: NCPA Windows Event Log
Hello @logisbk,
There has been an issue filed here: https://github.com/NagiosEnterprises/ncpa/issues/1185 and this will be resolved at the earliest opportunity. I will also take a look at the accuracy of NCPA's log grabbing. I have made an issue for that here: https://github.com/NagiosEnterprises/ncpa/issues/1186.
What version of Windows and what version of NCPA are you using? I haven't encountered this issue.
UnicornsandKittens
- Posts: 4
- Joined: Wed Jul 17, 2024 6:24 am
Re: NCPA Windows Event Log
I did some testing and these are my findings:
Logs are stored at:
C:\Windows\System32\winevt\Logs
Examples:
Intel-GFX-Info%4Application.evtx
Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
Microsoft-Windows-WinRM%4Operational.evtx
Copy the file name from here as the log name, without .evtx
At https://localhost:5693/api/logs?name=
%4F is interpreted as O > Check fails (resembles a hex value https://bytetool.web.app/en/ascii/code/0x4f/): Security%4Firewall is changed to SecurityOirewall
%4A is interpreted as J > Check fails (resembles a hex value https://bytetool.web.app/en/ascii/code/0x4a/): Info%4Application is changed to InfoJpplication
%4O seems to be parsed correctly > Check is successful, although its location is shown as a subfolder by the Event Log
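An added Python example (not NCPA's own code) that reproduces the decoding behaviour described in the findings above: it maps an .evtx file name to the channel name Event Viewer shows, shows what a percent-decoding query parser makes of the raw `%4` stem, and encodes a channel name so the slash survives one decode. The file names are the three quoted above plus the Laserfiche log from the original question; the `%40` to `@` case mentioned later in the thread is covered too.

```python
from urllib.parse import quote, unquote

# Constructed sample .evtx file names: the three from the post above plus the
# Laserfiche log from the original question.
EVTX_FILES = [
    "Intel-GFX-Info%4Application.evtx",
    "Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx",
    "Microsoft-Windows-WinRM%4Operational.evtx",
    "Laserfiche-Directory Service-Server%4Operational.evtx",
]


def evtx_to_channel(filename: str) -> str:
    """Turn an .evtx file name into the channel name Event Viewer shows.

    Windows cannot use '/' in a file name, so the channel separator is stored
    as '%4' on disk; reversing that gives the name Get-WinEvent accepts.
    """
    stem = filename[:-5] if filename.lower().endswith(".evtx") else filename
    return stem.replace("%4", "/")


def url_decoded(raw: str) -> str:
    """What a percent-decoding query parser makes of a raw file-name stem.

    '%4' followed by a hex digit (F, A, 0, ...) is a valid escape and becomes
    one byte; '%4O' is not valid hex, so it is passed through untouched.
    """
    return unquote(raw)


def is_mangled_by_decoding(raw: str) -> bool:
    """True when percent-decoding silently changes the name (e.g. %4F -> 'O')."""
    return unquote(raw) != raw


def query_param(channel: str) -> str:
    """Encode a channel name for ?name= so '/' and spaces survive one decode."""
    return quote(channel, safe="")


if __name__ == "__main__":
    for f in EVTX_FILES:
        stem = f[:-5]
        print(f"{stem!r} decodes to {url_decoded(stem)!r} "
              f"(mangled={is_mangled_by_decoding(stem)})")
        print(f"  channel={evtx_to_channel(f)!r} -> name={query_param(evtx_to_channel(f))}")
```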
- jmichaelson
- Posts: 375
- Joined: Wed Aug 23, 2023 1:02 pm
Re: NCPA Windows Event Log
It's possible the %4 isn't correct. Can you try with %2F (the forward slash) or %3c (a backslash)?
Please let us know if you have any other questions or concerns.
-Jason
Re: NCPA Windows Event Log
@UnicornsandKittens when I used %40 it translates as '@' -- which is consistent with UTF-8
@jmichaelson the %2F does appear to translate correctly, but the correct logs still don't show, it shows the events from the Windows Application log still
The name of the Log File I am testing with is Laserfiche-Directory Service-Server%4Operational.evtx
:5693/api/logs?name=Laserfiche-Directory Service-Server%2FOperational
{
"logs": [
{
"Laserfiche-Directory Service-Server/Operational": [
{
"category": "0",
"severity": "INFORMATION",
"event_id": "9027",
"application": "Desktop Window Manager",