Monitor windows eventlogs

slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Re: Monitor windows eventlogs

Post by slansing »

This page will explain the warning and critical thresholds for this check and what is required before they are triggered; I hope it helps:

http://www.nsclient.org/nscp/wiki/Check ... k_eventlog
Joakim.hag
Posts: 19
Joined: Thu Feb 07, 2013 9:41 am
Location: Sweden

Re: Monitor windows eventlogs

Post by Joakim.hag »

slansing wrote:This page will explain the warning and critical thresholds for this check and what is required before they are triggered; I hope it helps:

http://www.nsclient.org/nscp/wiki/Check ... k_eventlog
Thanks, but I can't work it out.

This is what I have now:

Code:

./check_nrpe -H -c CheckEventLog -a file=application MaxWarn=1 MaxCrit=1 "filter=generated gt -2h AND severity NOT IN ('success', 'informational') AND source ='Application Error'"
This command always returns the result OK, even though the application fails.

What I need is for it to tell me when there is an application failure on the server not older than 2 hours.
Thanks /Joakim

EDIT:
I have now made some progress and this reports back the error I'm after. But I can't get the generated option to work. I need it to search within the last hour, but I can't get it to work. It looks like it searches for more than one hour.

Code:

./check_nrpe -H -c CheckEventLog -a file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated < 1h AND source ='Application Error' AND id ='1000' AND strings like 'xxxxzzzzz.exe'"
/Joakim
slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Re: Monitor windows eventlogs

Post by slansing »

generated (when the event was generated)

This is the "hardest" in terms of using I guess. Dates are treated as numbers internally and thus work much like a number. The added value that numbers expose is the ability to translate numbers to dates. This happens by adding a suffix to a number. For instance 2d is read as 2 days. And 5h is read as 5 hours. The other important aspect of using dates is how negative numbers are used. Normal dates 5d will be interpreted as "<now> + 5 days". But when you add a negation sign (-) before it, it will be negated (ish). And this is the crux. What actually happens is that -5d is treated as neg(5 days from now) and neg negates the date around "now", so in effect it becomes 5 days ago. This might sound complicated but it is not really, and you probably don't need to understand it, but I think it explains why < and > will work.

Thus the effect of this is that you can do: generated > -5d

CheckEventLog file=application debug=true MaxWarn=1 MaxCrit=1 "filter=generated > -5d" truncate=800 unique descriptions "syntax=%generated%: (%count%)"
CRITICAL:Thursday, May 13, 2010 03:18:46: (11), ...|'eventlog'=276;1;1;
Have you tried using:

Code:

"filter=generated > -1h"
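The relative-date rule quoted above ("5h" is now plus 5 hours, "-5h" is negated around now and so means 5 hours ago) is what decides whether a filter like `generated < 1h` or `generated > -1h` selects the last hour. The block below is an added illustration, not NSClient++ code and not anything posted in this thread: it models those documented semantics in Python, evaluates AND-joined filter clauses over a few constructed sample events, and shows why `generated < 1h` matches old events while `generated > -1h` does not. The unit table beyond "h" and "d", the substring meaning of `like`, the fixed "now" and the sample events are all assumptions made for the demo.

```python
# Added illustration of the CheckEventLog filter semantics described in the post.
# NOT NSClient++ code: the unit table (only "h" and "d" appear in the post),
# the substring meaning of "like", the fixed NOW and the sample events are assumed.
import re
from datetime import datetime, timedelta

# Constructed fixed "now" so the example is deterministic.
NOW = datetime(2013, 4, 25, 12, 0, 0)

# Suffix -> timedelta keyword (assumed; the post documents "d" and "h").
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

_CLAUSE = re.compile(
    r"^(?P<field>\w+)\s*(?P<op>>=|<=|>|<|=|gt|lt|like|not\s+in|in)\s*(?P<val>.+)$",
    re.IGNORECASE,
)


def parse_relative(token, now=NOW):
    """'5h' -> now + 5 hours; '-5h' -> now - 5 hours (negated around now)."""
    m = re.fullmatch(r"(-?)(\d+)([smhd])", token.strip())
    if not m:
        raise ValueError(f"unsupported date token: {token!r}")
    sign, n, unit = m.groups()
    delta = timedelta(**{_UNITS[unit]: int(n)})
    return now - delta if sign == "-" else now + delta


def _parse_value(field, raw, now):
    raw = raw.strip()
    if raw.startswith("(") and raw.endswith(")"):  # IN / NOT IN list
        return [v.strip().strip("'") for v in raw[1:-1].split(",")]
    if field.lower() == "generated":
        return parse_relative(raw, now)
    return raw.strip("'")


def _compare(op, actual, expected):
    op = " ".join(op.lower().split())
    if op in (">", "gt"):
        return actual > expected
    if op in ("<", "lt"):
        return actual < expected
    if op == ">=":
        return actual >= expected
    if op == "<=":
        return actual <= expected
    if op == "=":
        return str(actual) == str(expected)
    if op == "like":  # assumed: case-sensitive substring match
        return str(expected) in str(actual)
    if op == "in":
        return str(actual) in expected
    if op == "not in":
        return str(actual) not in expected
    raise ValueError(f"unsupported operator: {op!r}")


def matches(event, filter_expr, now=NOW):
    """True if every AND-joined clause of filter_expr holds for the event."""
    for clause in re.split(r"\s+AND\s+", filter_expr.strip(), flags=re.IGNORECASE):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"cannot parse clause: {clause!r}")
        field, op, raw = m.group("field", "op", "val")
        expected = _parse_value(field, raw, now)
        if not _compare(op, event[field.lower()], expected):
            return False
    return True


def count_matches(events, filter_expr, now=NOW):
    """Number of events the filter selects; this is the count the thresholds compare against."""
    return sum(1 for e in events if matches(e, filter_expr, now))


# Constructed sample events (not real log data); "strings" is the message strings joined.
EVENTS = [
    {"generated": NOW - timedelta(minutes=30), "source": "Application Error", "id": 1000,
     "severity": "error", "strings": "xxzz.exe, 2.0.0.116, ole32.dll, c0000005"},
    {"generated": NOW - timedelta(hours=5), "source": "Application Error", "id": 1000,
     "severity": "error", "strings": "xxzz.exe, 2.0.0.116, ole32.dll, c0000005"},
    {"generated": NOW - timedelta(minutes=10), "source": "Application Error", "id": 1000,
     "severity": "error", "strings": "otherapp.exe, 1.0.0.1, ntdll.dll, c0000374"},
    {"generated": NOW - timedelta(minutes=5), "source": "MsiInstaller", "id": 1033,
     "severity": "informational", "strings": "Product: Example Tool -- Installation completed"},
]

WORKING = "generated > -1h AND source ='Application Error' AND id ='1000' AND strings like 'xxzz.exe'"
BROKEN = "generated < 1h AND source ='Application Error' AND id ='1000' AND strings like 'xxzz.exe'"

if __name__ == "__main__":
    # "> -1h": only the 30-minute-old crash.  "< 1h": 1h is now+1h, so the 5-hour-old crash matches too.
    print("generated > -1h :", count_matches(EVENTS, WORKING))
    print("generated < 1h  :", count_matches(EVENTS, BROKEN))
```

Run it as a script to see both counts; the point to take away is that a positive suffix without the minus sign is a time in the future, so `generated < 1h` is true for every past event and the window silently becomes "everything".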
Joakim.hag
Posts: 19
Joined: Thu Feb 07, 2013 9:41 am
Location: Sweden

Re: Monitor windows eventlogs

Post by Joakim.hag »

slansing wrote:
generated (when the event was generated)

This is the "hardest" in terms of using I guess. Dates are treated as numbers internally and thus work much like a number. The added value that numbers expose is the ability to translate numbers to dates. This happens by adding a suffix to a number. For instance 2d is read as 2 days. And 5h is read as 5 hours. The other important aspect of using dates is how negative numbers are used. Normal dates 5d will be interpreted as "<now> + 5 days". But when you add a negation sign (-) before it, it will be negated (ish). And this is the crux. What actually happens is that -5d is treated as neg(5 days from now) and neg negates the date around "now", so in effect it becomes 5 days ago. This might sound complicated but it is not really, and you probably don't need to understand it, but I think it explains why < and > will work.

Thus the effect of this is that you can do: generated > -5d

CheckEventLog file=application debug=true MaxWarn=1 MaxCrit=1 "filter=generated > -5d" truncate=800 unique descriptions "syntax=%generated%: (%count%)"
CRITICAL:Thursday, May 13, 2010 03:18:46: (11), ...|'eventlog'=276;1;1;
Have you tried using:

Code:

"filter=generated > -1h"
Thanks slansing, I will put a parallel check with that option. Thank you. Will report back how it goes. /Joakim
Joakim.hag
Posts: 19
Joined: Thu Feb 07, 2013 9:41 am
Location: Sweden

Re: Monitor windows eventlogs

Post by Joakim.hag »

Joakim.hag wrote:
slansing wrote:
generated (when the event was generated)

This is the "hardest" in terms of using I guess. Dates are treated as numbers internally and thus work much like a number. The added value that numbers expose is the ability to translate numbers to dates. This happens by adding a suffix to a number. For instance 2d is read as 2 days. And 5h is read as 5 hours. The other important aspect of using dates is how negative numbers are used. Normal dates 5d will be interpreted as "<now> + 5 days". But when you add a negation sign (-) before it, it will be negated (ish). And this is the crux. What actually happens is that -5d is treated as neg(5 days from now) and neg negates the date around "now", so in effect it becomes 5 days ago. This might sound complicated but it is not really, and you probably don't need to understand it, but I think it explains why < and > will work.

Thus the effect of this is that you can do: generated > -5d

CheckEventLog file=application debug=true MaxWarn=1 MaxCrit=1 "filter=generated > -5d" truncate=800 unique descriptions "syntax=%generated%: (%count%)"
CRITICAL:Thursday, May 13, 2010 03:18:46: (11), ...|'eventlog'=276;1;1;
Have you tried using:

Code:

"filter=generated > -1h"
Thanks slansing, I will put a parallel check with that option. Thank you. Will report back how it goes. /Joakim
When I run the command below:

Code:

/usr/local/nagios/libexec$ ./check_nrpe -H 192.168.2.128 -c CheckEventLog -a file=application file=system MaxCrit=1 "filter=generated > -1h AND source ='Application Error' AND id ='1000' AND strings like 'xxzz.exe'"

Result:

Code:

Application Error(error, 1000, success)[xxzz.exe, 2.0.0.116, 481f6084, ole32.dll, 6.1.7601.17514, 4ce7b96f, c0000005, 0004a1f0, a64, 01ce40c71e8ece46, C:\Program Files (x86)\\\xxzz.exe, C:\Windows\syswow64\ole32.dll, 8753ce8e-acd9-11e2-8350-00155d020b28, ], eventlog: 1 > critical|'eventlog'=1;0;1
It might be some problem with my definitions, because Nagios doesn't alert me when the application fails, but when I run it from the command line I get the result CRITICAL.

Service def

Code:

define service{
        use                      local-service         ; Name of service template to use
        host_name                xxzz HK
        service_description      Check Event log HQServer2
        check_command            check_event_HQ!-c CheckEventLog -a file=application file=system MaxCrit=1 "filter=generated > -1h AND source ='Application Error' AND id ='1000' AND strings like 'xxzz.exe'"
}
Command def

Code:

define command{
        command_name    check_event_HQ
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666
}
slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Re: Monitor windows eventlogs

Post by slansing »

You need to add an argument definition here:

Code:

define command{
        command_name    check_event_HQ
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666
}
Like so; be sure to add this via the commands section in the CCM, not on the command line, as it will not write:

Code:

define command{
        command_name    check_event_HQ
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 $ARG1$
}
Joakim.hag
Posts: 19
Joined: Thu Feb 07, 2013 9:41 am
Location: Sweden

Re: Monitor windows eventlogs

Post by Joakim.hag »

slansing wrote:You need to add an argument definition here:

Code:

define command{
        command_name    check_event_HQ
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666
}
Like so; be sure to add this via the commands section in the CCM, not on the command line, as it will not write:

Code:

define command{
        command_name    check_event_HQ
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 $ARG1$
}
Thank you! You have solved it! /Joakim