Monitor windows eventlogs

Post by Joakim.hag »

Hi,

I need to monitor our event logs on some of our Windows machines, but I can't figure it out.

Code: Select all

/usr/local/nagios/libexec$ ./check_nrpe -H 192.168.26.12
I (0,4,1,90 2013-02-04) seem to be doing fine...
When I try the following command:

Code: Select all

/usr/local/nagios/libexec$ ./check_nrpe -H 192.168.26.12 -p 5666 -c CheckEventLog -a filter=new file="system" MaxWarn=1 MaxCrit=1 filter-generated=\<1h filter-eventType==error filter=in filter=all

The output I'm getting is :

Code: Select all

Exception processing request: Request contained arguments (not currently allowed, check the allow arguments option).

Code: Select all

:/usr/local/nagios/libexec$ ./check_nrpe -H 192.168.26.12 -p 5665 -t 60 -c CheckEventLog -a file=System file=application filter=in MaxWarn=1 MaxCrit=3 "filter+generated=\\<1h" "filter-eventType==warning" filter=all
CHECK_NRPE: Socket timeout after 60 seconds.
In my nsclient.ini file I have the following:

Code: Select all

; Undocumented section
[/modules]

; COMMAND ALLOW NASTY META CHARS - This option determines whether or not the we will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow nasty characters = 1

; COMMAND ARGUMENT PROCESSING - This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
allow arguments = 1

; PORT NUMBER - Port to use for NRPE.
port = 5666

; CheckDisk - CheckDisk can check various file and disk related things. The current version has commands to check Size of hard drives and directories.
CheckDisk = 1

; Event log Checker. - Check for errors and warnings in the event log. This is only supported through NRPE so if you plan to use only NSClient this wont help you at all.
CheckEventLog = 1

; Check External Scripts - A simple wrapper to run external scripts and batch files.
CheckExternalScripts = 1

; Undocumented key
CheckExternalScripts.dll = enabled

; Helper function - Various helper function to extend other checks. This is also only supported through NRPE.
CheckHelpers = 1

; Check NSCP - Checkes the state of the agent
CheckNSCP = 1

; CheckSystem - Various system related checks, such as CPU load, process state, service state memory usage and PDH counters.
CheckSystem = 1

; CheckWMI - CheckWMI can check various file and disk related things. The current version has commands to check Size of hard drives and directories.
CheckWMI = 1

; NRPE server - A simple server that listens for incoming NRPE connection and handles them.
NRPEServer = 1

; NSCAClient - Passive check support over NSCA.
NSCAClient = 1

; NSClient server - A simple server that listens for incoming NSClient (check_nt) connection and handles them. Although NRPE is the preferred method NSClient is fully supported and can be used for simplicity or for compatibility.
NSClientServer = 1
I have tried to restart the NSclient but no luck.

Many thanks in advance! /Joakim
Last edited by Joakim.hag on Wed Apr 17, 2013 8:03 am, edited 1 time in total.

Re: Monitor windows eventlogs

Post by Joakim.hag »

This is what I have in my nsclient.log

Code: Select all

2013-04-17 11:11:54: e:..\..\..\..\trunk\modules\NRPEServer\handler_impl.cpp:15: Request contained arguments (not currently allowed, check the allow arguments option).

Re: Monitor windows eventlogs

Post by Joakim.hag »

This happens when I run "nscp settings --generate --add-defaults --load-all"

Code: Select all

C:\Program Files\NSClient++>nscp settings --generate --add-defaults --load-all
e rvice\NSClient++.cpp:347  Failed to register plugin: Could not load library: 126: Det går inte att hitta den angivna modulen.
: C:\Program Files\NSClient++\\modules\allow arguments in file: allow arguments
e rvice\NSClient++.cpp:347  Failed to register plugin: Could not load library: 126: Det går inte att hitta den angivna modulen.
: C:\Program Files\NSClient++\\modules\allow nasty characters in file: allow nasty characters
e rvice\NSClient++.cpp:347  Failed to register plugin: Could not load library: 14001: Det går inte att starta programmet eftersom dess sida vid sida-konfiguration är felaktig. Kontrollera händelseloggen eller använd kommandoradsverktyget sxstrace.exe för mer information.
: C:\Program Files\NSClient++\\modules\DotnetPlugins.dll in file: DotnetPlugins
e rvice\NSClient++.cpp:347  Failed to register plugin: Could not load library: 126: Det går inte att hitta den angivna modulen.
: C:\Program Files\NSClient++\\modules\PythonScript.dll in file: PythonScript
e rvice\NSClient++.cpp:347  Failed to register plugin: Could not load library: 126: Det går inte att hitta den angivna modulen.
: C:\Program Files\NSClient++\\modules\5666 in file: 5666
e rvice\NSClient++.cpp:563  Exception raised: 'Could not load library: 126: Det går inte att hitta den angivna modulen.
: C:\Program Files\NSClient++\\modules\allow arguments.dll' in module: allow arguments
e rvice\NSClient++.cpp:563  Exception raised: 'Could not load library: 126: Det går inte att hitta den angivna modulen.
: C:\Program Files\NSClient++\\modules\allow nasty characters.dll' in module: allow nasty characters
e rvice\NSClient++.cpp:563  Exception raised: 'Could not load library: 126: Det går inte att hitta den angivna modulen.
: C:\Program Files\NSClient++\\modules\5666.dll' in module: 5666
e service\commands.hpp:95   Adding duplicate command: CheckTaskSchedValue
e service\commands.hpp:95   Adding duplicate command: CheckTaskSched
Adding default values
Sorry about the Swedish.

/Joakim

Re: Monitor windows eventlogs

Post by abrist »

What version of nsclient are you running?

Code: Select all

 check the allow arguments option
You probably need to set the following options in your nsclient ini file:

Code: Select all

allow_arguments = 1
allow_nasty_meta_chars = 1

Re: Monitor windows eventlogs

Post by Joakim.hag »

abrist wrote: What version of nsclient are you running?

Code: Select all

 check the allow arguments option
NSCP-0.4.1.90-x64

You probably need to set the following options in your nsclient ini file:

Code: Select all

allow_arguments = 1
allow_nasty_meta_chars = 1
Okay, I will try that. I have already defined them, but without the underscores.

Re: Monitor windows eventlogs

Post by sreinhardt »

Great, let us know what happens! The underscores are definitely needed.

Re: Monitor windows eventlogs

Post by Joakim.hag »

sreinhardt wrote: Great, let us know what happens! The underscores are definitely needed.
No difference.
/usr/local/nagios/libexec$ ./check_nrpe -H 192.168.26.12 -p 5666 -c CheckEventLog -a file=System file=application filter=in MaxWarn=1 MaxCrit=3 "filter+generated=\\<1h" "filter-eventType==warning" filter=all
Request contained arguments (not currently allowed, check the allow arguments option).
nsclient.ini

Code: Select all

; Section for NRPE (NRPEListener.dll) (check_nrpe) protocol options.
[/settings/NRPE/server]

; COMMAND ARGUMENT PROCESSING - This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
allow_arguments = true (should it be true or 1)

; COMMAND ALLOW NASTY META CHARS - This option determines whether or not the we will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow_nasty_characters = true (should it be true or 1)

; PORT NUMBER - Port to use for NRPE.
port = 5666
I also tried to downgrade the nsclient to NSCP-0.4.0.183 and run the command "nscp settings --generate ini --add-defaults --load-all" but no difference.

What if I make a fresh install of nsclient? What do I have to do?

Enable allow_nasty_characters and allow_arguments.
Do I have to add anything in the modules folder?

I bet it's something easy I'm forgetting here... Thanks /Joakim

Re: Monitor windows eventlogs

Post by Joakim.hag »

What if I make a fresh install of nsclient? What do I have to do?

Enable allow_nasty_characters and allow_arguments.
Do I have to add anything in the modules folder?

I bet it's something easy I'm forgetting here... Thanks /Joakim
This is what I have done.
Reinstalled the latest NSClient
Added the following in the ini file without the underscores. With the underscores I get "Exception processing request: Request contained arguments (not currently allowed, check the allow arguments option)."

Code: Select all

; Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options.
[/settings/NRPE/server]

; COMMAND ARGUMENT PROCESSING - This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
allow arguments = true

; COMMAND ALLOW NASTY META CHARS - This option determines whether or not the we will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow nasty characters = true

; PORT NUMBER - Port to use for NRPE.
port = 5666

;# USE SSL SOCKET
; This option controls if SSL should be used on the socket.
use_ssl=1
I also added the modules in the ini file (don't know if it's necessary):
CheckSystem.dll
CheckDisk.dll
CheckExternalScripts.dll
FileLogger.dll
NRPEListener.dll

Now when I run the following command:

Code: Select all

./check_nrpe -H 192.168.26.12 -p 5666 -c CheckEventLog -a file=System file=application filter=in MaxWarn=1 MaxCrit=3 "filter+generated=\\<1h" "filter-eventType==warning" filter=all
Unknown argument: filter+generated
So I guess my command is wrong.

I have a program which is constantly crashing and I need to monitor it. How do I do it?

Thanks /Joakim
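An added example (not code from any poster or from the NSClient++ project): a small linter for the two configuration mistakes this thread runs into, NRPE server settings placed under [/modules] and the underscore key spellings, which also flags the case where arguments and metacharacters are both enabled. The finding codes and sample files are constructed; that underscore keys are not honoured is taken from the original poster's report for NSCP-0.4.1.90 and is an assumption here.

```python
import configparser

NRPE = "/settings/NRPE/server"
SERVER_KEYS = ("allow arguments", "allow nasty characters", "port")
TRUTHY = {"1", "true"}

# Constructed samples, abridged from the nsclient.ini snippets in the thread.
BROKEN = """
[/modules]
allow nasty characters = 1
allow arguments = 1
port = 5666
CheckEventLog = 1
NRPEServer = 1
"""
FIXED = """
[/modules]
CheckEventLog = 1
NRPEServer = 1
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true
port = 5666
"""

def lint(ini_text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key spelling and case as written
    cp.read_string(ini_text)
    findings = []
    # The log in the thread shows keys under [/modules] being loaded as
    # modules, so server settings placed there only yield load errors.
    for key in (cp["/modules"] if cp.has_section("/modules") else []):
        if key.replace("_", " ").lower() in SERVER_KEYS:
            findings.append(("MISPLACED", key))
    server = dict(cp[NRPE]) if cp.has_section(NRPE) else {}
    # Assumption from the poster's report: underscore spellings are ignored.
    for key in server:
        if "_" in key and key.replace("_", " ").lower() in SERVER_KEYS:
            findings.append(("UNDERSCORE_KEY", key))
    on = lambda k: server.get(k, "").strip().lower() in TRUTHY
    if not on("allow arguments"):
        findings.append(("ARGS_OFF", NRPE))  # check_nrpe -a is rejected
    elif on("allow nasty characters"):
        # Remote callers may send arguments containing shell metacharacters.
        findings.append(("ARGS_AND_METACHARS", NRPE))
    return findings

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint(text))
```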

Re: Monitor windows eventlogs

Post by scottwilkerson »

I'm not 100% familiar with this command, but did you see somewhere that filter+generated was a valid command?

Also, this doesn't look correct either

Code: Select all

""filter-eventType==warning""
I would guess

Code: Select all

filter-eventType=warning

Re: Monitor windows eventlogs

Post by Joakim.hag »

Hi, I think I have solved the problem.

I made this command:

Code: Select all

check_nrpe -H 192.168.2.128 -c CheckEventLog -a file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated lt -2d AND severity NOT IN ('success', 'informational')" "filter=source = 'XZServer.exe'"
And it's working. Will this notify me when there is a problem with the program XZServer.exe?

Thank you for your help /Joakim