Windows 2008R2 x64 Event Log monitoring
What would be the best way to monitor Windows 2008R2 (64bit) Event Logs through Nagios XI? I already have NSClient++ on all of my servers. I started the "Windows Event Log Monitoring Wizard" but it has docs for the 32bit version. The link that points to "additional versions of agent" has a 4 year old BETA 64bit version, which doesn't look very promising. Can you give me some idea what I have to do?
Re: Windows 2008R2 x64 Event Log monitoring
If you would like to use NSClient++ for event log monitoring, you can check out this link:
http://www.nsclient.org/nscp/wiki/Check ... k_eventlog
There is no perfect solution at this time for Windows event log monitoring (this includes NSClient++ and NagEventLog). Another option would be to capture all events from one or more logs on the Windows system, and send them as SNMP traps to your Nagios XI server.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Windows 2008R2 x64 Event Log monitoring
Some additional relevant information on nsclient++
http://blog.medin.name/blog/2012/03/20/ ... -nsclient/
http://blog.medin.name/blog/2012/11/26/ ... ext-files/
Former Nagios employee
Re: Windows 2008R2 x64 Event Log monitoring
What's the difference between NSC++ and NSCA client, can they coexist on the same server? NSC++ has "Enable NSCA client (dont enable unless you really use NSCA)" and "Enable WMI Checks" options. Should I enable any of them and use them for monitoring EventLogs?
Re: Windows 2008R2 x64 Event Log monitoring
Yes, you can use NSCA with NSClient++. It is used to send passive check results to Nagios XI server. You can read more on NSCA here:
http://assets.nagios.com/downloads/nagi ... ith_XI.pdf
You can modify the NSCA settings in the NSC.ini (or nsclient.ini file, depending on the version of NSClient++ that you are using) on the Windows box, under the [NSCA Agent] section. You will have to restart the NSClient++ service so that changes can take effect.
Re: Windows 2008R2 x64 Event Log monitoring
Weird, after I reconfigured NSC++ and enabled NSCA it completely disappeared from my services. It still shows as installed on the system but not in the services.
Re: Windows 2008R2 x64 Event Log monitoring
> Weird, after I reconfigured NSC++ and enabled NSCA it completely disappeared from my services. It still shows as installed on the system but not in the services.

I am not sure what you did, but just modifying the config file shouldn't be causing the removal of the NSClient++ service...
Re: Windows 2008R2 x64 Event Log monitoring
I had to reinstall NSC++ in order to get the service running again. I installed it with the NSCA option and ran the "Windows Event Monitoring Wizard" after that, including the System and Application logs. I have them now listed in Nagios XI but the status has been PENDING for a long time now, so I am guessing something is not right. Any ideas?
Re: Windows 2008R2 x64 Event Log monitoring
I've been looking for some time now into this realtime eventlog monitoring function of nscp and it is imo a much better option than nageventlog as it's very easy to update the ini file and distribute it to all nscp clients. I'll save you some time and send you my setup:

; A set of options to configure the real time checks
[/settings/eventlog/real-time]
; DEBUG - Log missed records (useful to detect issues with filters), not useful in production as it is a bit of a resource hog.
debug = false
; REAL TIME CHECKING - Spawns a background thread which detects issues and reports them back instantly.
enabled = true
; LOGS TO CHECK - Comma separated list of logs to check
log = application,system
; STARTUP AGE - The initial age to scan when starting NSClient++
startup age = 30m

; A set of filters to use in real-time mode
[/settings/eventlog/real-time/filters]

[/settings/eventlog/real-time/filters/default]
; DESTINATION - The destination for intercepted messages
destination=NSCA
; MAXIMUM AGE - How long before reporting "ok" (if this is set to off no ok will be reported, only errors)
maximum age= 3d
; OK MESSAGE - This is the message sent periodically whenever no error is discovered.
ok message= eventlog found no records test default
; SYNTAX - Format string for the intercepted message
syntax=%type% %id% %source%: %message%

[/settings/eventlog/real-time/filters/EVT_Application]
log= application
filter= level IN (error) AND id NOT IN (0,1,3,10,12,13,23,26,33,37,38,58,67,101,103,107,110,274,502,511,1000,1002,1004,1005,1008,1009,1010,1026,1053,1054,1085,1101,1107,1116,1325,1500,1502,1504,1508,1511,1515,1521,1533,1542,2001,2019,2640,2650,3001,3008,3042,3077,3079,3098,3119,3130,3131,3148,3159,4005,4621,5008,5009,5051,5605,5705,6001,6007,6032,6044,6100,7735,7823,8193,8194,8196,10000,10005,10007,10862,10922,11317,12289,12298,12321,13836,14197,15000,16038,16041,16053,16058,16063,16066,16068,16082,16421,17898,21061,35698,35710,35712,35716,35726,37090,37092,37098,37119,37225,42207)
severity= WARNING
ok message= Eventlog found no records test application
maximum age= 3d

[/settings/eventlog/real-time/filters/EVT_System]
log= system
filter= level IN (error) AND source NOT IN ('Schannel') AND id NOT IN (1,4,5,8,10,12,19,27,37,39,50,54,56,137,1006,1009,1030,1041,1060,1066,1069,1111,1196,3621,4192,4224,4250,5051,5722,5723,5774,5783,5805,6161,7000,7001,7009,7011,7016,7022,7023,7024,7026,7031,7032,7034,8003,9022,10005,10006,10009,10010,10016,12294)
severity= WARNING
ok message= Eventlog found no records test system
maximum age= 3d

[/settings/eventlog/real-time/filters/CLU_Cluster_Services_Events]
log= application
filter= id=666 AND source= 'Nagios'
severity= CRITICAL
syntax= %message%
ok message= Eventlog found no records test cluster
maximum age= 3d

The above will send all errors as warnings to the respective passive services, excluding the event IDs listed. I preferred doing it this way, but you can as well do it the other way around and specify exactly which events you want to send to the passive service.

Nagios XI 5.8.1
https://outsideit.net
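To see what a filter set like the one above would actually forward before rolling it out to every client, here is a small simulator (an added example, not code from NSClient++ or from this thread) for the subset of filter syntax the posted config uses: `field IN (...)`, `field NOT IN (...)` and `field = value` joined by `AND`. The id exclusion lists and the sample event records are shortened and constructed; each section is evaluated on its own, as the separate sections with their own destinations imply.

```python
# Added example (not NSClient++ code): simulate the NSClient++ real-time filter
# subset used in the posted config against constructed sample event records.
import re

# field, operator, values; the parentheses are optional so 'id=666' parses too
CLAUSE = re.compile(r"^(\w+)\s*(NOT IN|IN|=)\s*\(?(.*?)\)?$")

def parse_filter(expr):
    """Return [(field, negated, {values})]; values lower-cased, quotes stripped."""
    clauses = []
    for part in expr.split(" AND "):
        m = CLAUSE.match(part.strip())
        if not m:
            raise ValueError("unsupported clause: " + part)
        field, op, values = m.groups()
        vals = {v.strip().strip("'").lower() for v in values.split(",")}
        clauses.append((field, op == "NOT IN", vals))
    return clauses

def matches(clauses, event):
    """True when every clause holds; NOT IN inverts the membership test."""
    return all((str(event[f]).lower() in vals) != neg for f, neg, vals in clauses)

# Filter sections from the post as (log, severity, filter). The id exclusion
# lists are shortened here; the posted config lists many more ids.
FILTERS = {
    "EVT_Application": ("application", "WARNING",
        "level IN (error) AND id NOT IN (1000,1002,1026,10005)"),
    "EVT_System": ("system", "WARNING",
        "level IN (error) AND source NOT IN ('Schannel') AND id NOT IN (7000,7001,7031)"),
    "CLU_Cluster_Services_Events": ("application", "CRITICAL",
        "id=666 AND source= 'Nagios'"),
}

# Constructed sample records, not real Windows events
EVENTS = [
    {"log": "application", "level": "error", "id": 1000, "source": "Application Error"},
    {"log": "application", "level": "error", "id": 4242, "source": "MyApp"},
    {"log": "application", "level": "warning", "id": 4242, "source": "MyApp"},
    {"log": "application", "level": "error", "id": 666, "source": "Nagios"},
    {"log": "system", "level": "error", "id": 36888, "source": "Schannel"},
    {"log": "system", "level": "error", "id": 6008, "source": "EventLog"},
]

def route(events, filters):
    """Evaluate each section on its own; return (filter, severity, id) per forwarded event."""
    forwarded = []
    for name, (log, severity, expr) in filters.items():
        clauses = parse_filter(expr)
        forwarded += [(name, severity, ev["id"]) for ev in events
                      if ev["log"] == log and matches(clauses, ev)]
    return forwarded
```

Running `route(EVENTS, FILTERS)` shows the constructed id 666 record reaching both EVT_Application (as WARNING) and the cluster section (as CRITICAL), because nothing in the application filter excludes it; adding 666 to that exclusion list avoids the double report.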
Re: Windows 2008R2 x64 Event Log monitoring
Thank you for the config file provided, but I don't see from your post what the file name is and where it should be located. Is this something that should be added to NSC.ini?