event log monitor agent deployment

[nanz28v]

Hi we want to use Nagios to monitor event log on Windows servers. Can the Nagios agent do this alone or we need another client? If so how do I enable that feature?

If we do need another client, how do we mass push it through SCCM? Thank you.

[slansing]

There are a number of ways to do this, you could use nsclient to monitor the event logs, or use the nag event log monitor:

https://nsclient.org/nscp/wiki/CheckEve ... k_eventlog
http://exchange.nagios.org/directory/Ad ... og/details

If you need help with either let us know though they are pretty well documented.

[nanz28v]

Thank you. So what is "NSCP-0.4.1.90-Win32.msi"?

Also, is this correct to my understanding that we need to install NSClient++ for both monitoring server items, as well as event log? If we only need this single client installation on servers then this is what we want.

[slansing]

If you are going to use NSClient++ to monitor the event logs then yes, that is all you will need to install. You quoted the file name of the current NSClient version's MSI installer.

[nanz28v]

Thank you for your reply. I know this might be a little over the limit but since I'm a Linux newbie I just want to try my luck:

Is there anyway you guys can give me a sample setup for the event log monitor script? I went over the link in your previous post and I have no clue what it does since I'm so new to Linux. If you are allowed to answer then please do so, otherwise no hard feelings. Thanks.

[slansing]

Well, we can't really just create one as it will be specific to what you are trying to check on that system, there are a number of threads you can find through the search function of these forums which deal with setting up windows event log checks and nsclient, they should have some good example definitions to work off of. I believe there are also some examples on the nsclient++ site.

[nanz28v]

I searched the forum and found only outdated resources. I also tried a few solutions and they did not work. I added windows event log monitoring items in monitoring wizard and found "No check results for service yet..." for all 4 items. Is there any config to go from this launching point foward to continue troubleshooting? Thank you.

[sreinhardt]

In case you did not, I would highly suggest searching using the advanced search instead of the normal one. We are working on it, but google does some funny things with the normal search that are not necessarily relevant.

[WillemDH]

Nanz,

You need something like this in your ini file.

Code: Select all

[/settings/eventlog/real-time/filters/EVT_Application] 
log= application_
filter=  level IN (error) AND (id NOT IN (5605) OR source NOT IN (WMI)) AND (id NOT IN (5606) OR source NOT IN (Test))
severity= WARNING
ok message= Eventlog found no records in application
maximum age= 3d

The above will sent all all error level events except (events with source WMI and ID 5605) and (events with source Test and id 5606).
You can adjust the filter anyway you want.

You can find the documentation of real-time eventlog filters here: http://docs.nsclient.org/reference/Chec ... me/filters

Of course you will need to setup NSCA first. There is plenty of documentation about how to do this.

Grtz

Willem

[scottwilkerson]

Thanks @Willem !