Hi
My command is always giving me a "ok" even with an error..
I am trying to catch an Siebel Error in the application event viewer.
source: Siebel Application
Category: Siebel Error
Event: 1002
My comand:
./check_nrpe -H $HOSTADDRESS$ -c CheckEventLog -a filter=new file="Application" MaxWarn="1" MaxCrit="1" filter-generated=\>15m filter+eventSource="Siebel Application" filter+eventType==Error filter+message=substr: unique truncate=1000 filter=in filter=all descriptions syntax=%message%
I alway receive:
Eventlog check ok|'eventlog'=0;1;1
Any ideas?
Thanks a lot
Windows EventLog with NSClient
Re: Windows EventLog with NSClient
I tryeid with this:
./check_nrpe -H 172.17.24.176 -c CheckEventLog -a file=application debug=true MaxWarn=1 MaxCrit=1 "filter=id = 1002" filter-generated=\>150m truncate=800 unique descriptions "syntax=%id%: (%count)"
and I receive:
1002: (%count), 1002: (%count), eventlog: 54 > critical|'eventlog'=54;1;1
But I want to check ONLY the 150 min ago, 54 is the complete application log.
./check_nrpe -H 172.17.24.176 -c CheckEventLog -a file=application debug=true MaxWarn=1 MaxCrit=1 "filter=id = 1002" filter-generated=\>150m truncate=800 unique descriptions "syntax=%id%: (%count)"
and I receive:
1002: (%count), 1002: (%count), eventlog: 54 > critical|'eventlog'=54;1;1
But I want to check ONLY the 150 min ago, 54 is the complete application log.
-
slansing
- Posts: 7698
- Joined: Mon Apr 23, 2012 4:28 pm
- Location: Travelling through time and space...
Re: Windows EventLog with NSClient
Make sure you are not looking at the old CheckEventLog documentation on NSclient's site, here is the new version, and the command must be formatted in the same order shown below:
http://www.nsclient.org/nscp/wiki/Check ... k_eventlog
http://www.nsclient.org/nscp/wiki/Check ... k_eventlog
This is the "hardest" in terms of using I guess. Dates are treated as number internally and thus works much like a number. The added value that numbers expose are the ability to translate numbers to dates. This happends by adding a suffix ti a number. For instance 2d is read as 2 days. And 5h is read as 5 hours. The other important aspect of using dates are how negative numbers are used. Normal dates 5d will be interpreted as "<now> + 5 days". But when you add a negation sign (-) before it will be negated (ish). And this is the crux. What actually happens is that -5d is treated as neg(5 days from now) and neg negates the date around "now" so in effect it becomes 5 days ago. This might sound complicated but it not really and you probably don't need to understand it but I think explains why < and > will work.
Thus the effect of this is that you can do: generated > -5d'
Code: Select all
CheckEventLog file=application debug=true MaxWarn=1 MaxCrit=1 "filter=generated > -5d" truncate=800 unique descriptions "syntax=%generated%: (%count%)" CRITICAL:Thursday, May 13, 2010 03:18:46: (11), ...|'eventlog'=276;1;1;