Re: Monitor windows eventlogs

Posted: Mon Apr 22, 2013 9:51 am
by slansing
This page will explain the warning and critical thresholds for this check and what is required to be met before they are triggered, hope it helps!:

http://www.nsclient.org/nscp/wiki/Check ... k_eventlog

Re: Monitor windows eventlogs

Posted: Tue Apr 23, 2013 8:08 am
by Joakim.hag
slansing wrote:This page will explain the warning and critical thresholds for this check and what is required to be met before they are triggered, hope it helps!:

http://www.nsclient.org/nscp/wiki/Check ... k_eventlog
Thanks, but I can't work it out.

This is what I have now:

Code:

./check_nrpe -H -c CheckEventLog -a file=application MaxWarn=1 MaxCrit=1 "filter=generated gt -2h AND severity NOT IN ('success', 'informational') AND source ='Application Error'"
This command always returns the result OK, even though the application fails.

What I need is for it to tell me when there is an application failure on the server not older than 2 hours.
Thanks /Joakim

EDIT:
I have now made some progress and this reports back the error I'm after. But I can't get the generated option to work. I need it to search within the last hour, but I can't get it to work. It looks like it searches for more than one hour.

Code:

./check_nrpe -H -c CheckEventLog -a file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated < 1h AND source ='Application Error' AND id ='1000' AND strings like 'xxxxzzzzz.exe'"
/Joakim

Re: Monitor windows eventlogs

Posted: Tue Apr 23, 2013 2:25 pm
by slansing
generated (when the event was generated)

This is the "hardest" in terms of using I guess. Dates are treated as numbers internally and thus work much like a number. The added value that numbers expose is the ability to translate numbers to dates. This happens by adding a suffix to a number. For instance 2d is read as 2 days. And 5h is read as 5 hours. The other important aspect of using dates is how negative numbers are used. Normal dates 5d will be interpreted as "<now> + 5 days". But when you add a negation sign (-) before it will be negated (ish). And this is the crux. What actually happens is that -5d is treated as neg(5 days from now) and neg negates the date around "now" so in effect it becomes 5 days ago. This might sound complicated but it's not really and you probably don't need to understand it but I think it explains why < and > will work.

Thus the effect of this is that you can do: generated > -5d

CheckEventLog file=application debug=true MaxWarn=1 MaxCrit=1 "filter=generated > -5d" truncate=800 unique descriptions "syntax=%generated%: (%count%)"
CRITICAL:Thursday, May 13, 2010 03:18:46: (11), ...|'eventlog'=276;1;1;
Have you tried using:

Code:

"filter=generated > -1h"
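To make the negation rule concrete, here is an added Python model (not NSClient++ code, and not from the thread) of how a relative date such as -1h resolves around "now", run over three constructed events. It shows why "generated < 1h" (before now + 1 hour) matches every past event while "generated > -1h" (after now - 1 hour) matches only the recent one; the fixed NOW and the s/m suffixes are assumptions for the example.

```python
from datetime import datetime, timedelta
import re

# Fixed "now" so the example is deterministic (constructed; not from the thread).
NOW = datetime(2013, 4, 24, 8, 0, 0)

# Suffixes from the post: d = days, h = hours. The m and s suffixes are assumed here.
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_EXPR = re.compile(r"^(-?)(\d+)([smhd])$")


def parse_relative(expr, now=NOW):
    """Resolve a relative date the way the post describes:
    '5d' -> now + 5 days; '-5d' -> negated around now -> now - 5 days."""
    m = _EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported relative date: {expr!r}")
    sign, amount, unit = m.groups()
    delta = timedelta(**{_UNITS[unit]: int(amount)})
    return now - delta if sign == "-" else now + delta


# Operators used in the thread, both symbolic and word forms.
_OPS = {
    ">": lambda a, b: a > b, "gt": lambda a, b: a > b,
    "<": lambda a, b: a < b, "lt": lambda a, b: a < b,
}


def matching_events(events, op, expr, now=NOW):
    """Return the events whose 'generated' timestamp satisfies `generated <op> <expr>`."""
    bound = parse_relative(expr, now)
    return [e for e in events if _OPS[op](e["generated"], bound)]


# Constructed sample events: 30 minutes, 3 hours and 2 days before NOW.
EVENTS = [
    {"id": 1000, "source": "Application Error", "generated": NOW - timedelta(minutes=30)},
    {"id": 1000, "source": "Application Error", "generated": NOW - timedelta(hours=3)},
    {"id": 1000, "source": "Application Error", "generated": NOW - timedelta(days=2)},
]

if __name__ == "__main__":
    # 'generated < 1h' means 'before now + 1 hour': every past event qualifies.
    print(len(matching_events(EVENTS, "<", "1h")))   # 3
    # 'generated > -1h' means 'after now - 1 hour': only the 30-minute-old event.
    print(len(matching_events(EVENTS, ">", "-1h")))  # 1
```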

Re: Monitor windows eventlogs

Posted: Wed Apr 24, 2013 4:00 am
by Joakim.hag
slansing wrote:
generated (when the event was generated)

This is the "hardest" in terms of using I guess. Dates are treated as numbers internally and thus work much like a number. The added value that numbers expose is the ability to translate numbers to dates. This happens by adding a suffix to a number. For instance 2d is read as 2 days. And 5h is read as 5 hours. The other important aspect of using dates is how negative numbers are used. Normal dates 5d will be interpreted as "<now> + 5 days". But when you add a negation sign (-) before it will be negated (ish). And this is the crux. What actually happens is that -5d is treated as neg(5 days from now) and neg negates the date around "now" so in effect it becomes 5 days ago. This might sound complicated but it's not really and you probably don't need to understand it but I think it explains why < and > will work.

Thus the effect of this is that you can do: generated > -5d

CheckEventLog file=application debug=true MaxWarn=1 MaxCrit=1 "filter=generated > -5d" truncate=800 unique descriptions "syntax=%generated%: (%count%)"
CRITICAL:Thursday, May 13, 2010 03:18:46: (11), ...|'eventlog'=276;1;1;
Have you tried using:

Code:

"filter=generated > -1h"
Thanks slansing, I will put a parallel check with that option. Thank you. Will report back how it goes. /Joakim

Re: Monitor windows eventlogs

Posted: Wed Apr 24, 2013 8:14 am
by Joakim.hag
Joakim.hag wrote:
slansing wrote:
generated (when the event was generated)

This is the "hardest" in terms of using I guess. Dates are treated as numbers internally and thus work much like a number. The added value that numbers expose is the ability to translate numbers to dates. This happens by adding a suffix to a number. For instance 2d is read as 2 days. And 5h is read as 5 hours. The other important aspect of using dates is how negative numbers are used. Normal dates 5d will be interpreted as "<now> + 5 days". But when you add a negation sign (-) before it will be negated (ish). And this is the crux. What actually happens is that -5d is treated as neg(5 days from now) and neg negates the date around "now" so in effect it becomes 5 days ago. This might sound complicated but it's not really and you probably don't need to understand it but I think it explains why < and > will work.

Thus the effect of this is that you can do: generated > -5d

CheckEventLog file=application debug=true MaxWarn=1 MaxCrit=1 "filter=generated > -5d" truncate=800 unique descriptions "syntax=%generated%: (%count%)"
CRITICAL:Thursday, May 13, 2010 03:18:46: (11), ...|'eventlog'=276;1;1;
Have you tried using:

Code:

"filter=generated > -1h"
Thanks slansing, I will put a parallel check with that option. Thank you. Will report back how it goes. /Joakim
When I run the command below

Code:

/usr/local/nagios/libexec$ ./check_nrpe -H 192.168.2.128 -c CheckEventLog -a file=application file=system MaxCrit=1 "filter=generated > -1h AND source ='Application Error' AND id ='1000' AND strings like 'xxzz.exe'"

Result:

Code:

Application Error(error, 1000, success)[xxzz.exe, 2.0.0.116, 481f6084, ole32.dll, 6.1.7601.17514, 4ce7b96f, c0000005, 0004a1f0, a64, 01ce40c71e8ece46, C:\Program Files (x86)\\\xxzz.exe, C:\Windows\syswow64\ole32.dll, 8753ce8e-acd9-11e2-8350-00155d020b28, ], eventlog: 1 > critical|'eventlog'=1;0;1
It might be some problem with my definitions, because Nagios doesn't alert me when the application fails. But when I run it from the command line I get the result critical.

Service def

Code:

define service{
        use                      local-service         ; Name of service template to use
        host_name                xxzz HK
        service_description      Check Event log HQServer2
        check_command            check_event_HQ!-c CheckEventLog -a file=application file=system MaxCrit=1 "filter=generated > -1h AND source ='Application Error' AND id ='1000' AND strings like 'xxzz.exe'"
Command def

Code:

define command{
        command_name    check_event_HQ
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666
}

Re: Monitor windows eventlogs

Posted: Wed Apr 24, 2013 2:41 pm
by slansing
You need to add an argument definition here:

Code:

define command{
        command_name    check_event_HQ
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666
}
Like so; be sure to add this via the commands section in the CCM, not on the command line, as it will not write:

Code:

define command{
        command_name    check_event_HQ
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 $ARG1$
}
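As an added illustration (not Nagios code and not from the thread) of why the missing $ARG1$ made the service silently pass, the Python below emulates how Nagios splits check_command on "!" into $ARG1$..$ARGn$ and substitutes them into command_line, and adds a small lint that reports arguments the command_line never references. It assumes a $USER1$ value of /usr/local/nagios/libexec (in Nagios that comes from resource.cfg) and uses the host address and filter from the thread.

```python
import re

# Assumed resource macro value; in Nagios $USER1$ is defined in resource.cfg.
RESOURCE_MACROS = {"USER1": "/usr/local/nagios/libexec"}
_MACRO = re.compile(r"\$([A-Z]+[0-9]*)\$")


def split_check_command(check_command):
    """'check_event_HQ!-c CheckEventLog ...' -> ('check_event_HQ', ['-c CheckEventLog ...'])."""
    name, *args = check_command.split("!")
    return name, args


def expand_command_line(command_line, check_command, host_address):
    """Build the command Nagios would run: $HOSTADDRESS$ and $ARGn$ come from the service
    definition; an $ARGn$ that command_line never mentions is simply never passed on."""
    _, args = split_check_command(check_command)
    macros = dict(RESOURCE_MACROS, HOSTADDRESS=host_address)
    macros.update({f"ARG{i}": a for i, a in enumerate(args, 1)})
    # Unknown macros are left untouched so they remain visible in the output.
    return _MACRO.sub(lambda m: macros.get(m.group(1), m.group(0)), command_line)


def dropped_args(command_line, check_command):
    """Lint: return the '!'-separated arguments that command_line never references."""
    _, args = split_check_command(check_command)
    used = set(_MACRO.findall(command_line))
    return [a for i, a in enumerate(args, 1) if f"ARG{i}" not in used]


# check_command from the service definition in the thread and both command_line variants.
CHECK = ('check_event_HQ!-c CheckEventLog -a file=application file=system MaxCrit=1 '
         '"filter=generated > -1h AND source =\'Application Error\' AND id =\'1000\'"')
BROKEN = "$USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666"
FIXED = "$USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 $ARG1$"

if __name__ == "__main__":
    # Without $ARG1$ no -c is sent, so check_nrpe only queries the agent and returns OK.
    print(expand_command_line(BROKEN, CHECK, "192.168.2.128"))
    print(expand_command_line(FIXED, CHECK, "192.168.2.128"))
    print(dropped_args(BROKEN, CHECK))
```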

Re: Monitor windows eventlogs

Posted: Thu Apr 25, 2013 8:51 am
by Joakim.hag
slansing wrote:You need to add an argument definition here:

Code:

define command{
        command_name    check_event_HQ
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666
}
Like so; be sure to add this via the commands section in the CCM, not on the command line, as it will not write:

Code:

define command{
        command_name    check_event_HQ
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 $ARG1$
}
Thank you! You have solved it! /Joakim