Re: NagEventLog license

Posted: Wed Jul 30, 2014 1:58 pm
by tgfde
Hello,

I'm getting the error below from the NSClient log on Windows 2008 when running a local command to monitor a Windows event from the event log.

command:
./check_nrpe -H %HOST ADDRESS% -p 5666 -c checkEventLog -a file=system MaxWarn=1 MaxCrit=4 filter.eventID==35 filter.written==\<2d filter.severity==information filter.eventSource=Time-Service truncate=1022 filter=in filter=all descriptions

log:
2014-07-30 13:52:51: error:c:\source\nscp\branches\stable\modules\checkeventlog\eventlog_record.hpp:134: Could not extract DLL for eventsource: WinRM: SYSTEM\CurrentControlSet\Services\EventLog\system\WinRM.EventMessageFile -- Failed to get value: 2: The system cannot find the file specified.
2014-07-30 13:52:51: error:modules\NRPEListener\NRPEListener.cpp:325: NRPESocketException: To much data cant create return packet (truncate datat)


Thanks.

Re: NagEventLog license

Posted: Wed Jul 30, 2014 4:17 pm
by tgfde
Ok I got the following command to work. However, it tells me everything is ok even though I see the event in the event viewer. The event id below gets written to the event log when a windows service has entered a running state so I know there are a lot of them in the event log. But the command tells me everything is ok.

./check_nrpe -H IP ADDRESS -p 5666 -c CheckEventLog -a filter=new file="system" MaxWarn=10 MaxCrit=10 filter-written=\>2d filter-eventID=="7036" filter-eventType==information filter=in filter=all

Thanks.

Re: NagEventLog license

Posted: Thu Jul 31, 2014 12:49 pm
by sreinhardt
Can you show us the event as seen in Windows, so that we can compare them to your filter?

Re: NagEventLog license

Posted: Thu Jul 31, 2014 12:53 pm
by lmiltchev
Are you sure your syntax is correct? Did you follow the examples, posted here:

http://www.nsclient.org/nscp/wiki/Check ... #ideventid

It seems like you have "filter-", where you should have "filter=", you have "==", "\>"...

Re: NagEventLog license

Posted: Fri Aug 01, 2014 11:08 am
by tgfde
I got it working with the command from the link provided.
I just have to figure out how to check what's written in the event log in the last ten minutes only.

Thank you!

Re: NagEventLog license

Posted: Fri Aug 01, 2014 12:40 pm
by sreinhardt
You might try the scan-range flag as defined here: http://docs.nsclient.org/reference/Chec ... scan-range

Re: NagEventLog license

Posted: Mon Aug 11, 2014 9:35 am
by tgfde
Ok. I got the command to work locally from the Nagios host. However, when I set everything up in the UI, the service check is sending me a critical notification for every entry in the event log (system). Please see below.

Local

./check_nrpe -H HOSTADRESS -p 5666 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -5m AND source = 'srv' AND id IN ('2019')" truncate=800 unique descriptions "syntax=%severity%: %source%: %id%: %message% (%count%)"
Eventlog check ok|'eventlog'=0;1;1;

UI

 $USER1$/check_nrpe -H $HOSTADDRESS$ -c CheckEventLog -a file=$ARG1$ MaxWarn=$ARG2$ MaxCrit=$ARG3$ "filter=generated gt $ARG4$ AND source = '$ARG5$' AND id IN ('$ARG6$')" truncate=800 unique descriptions "syntax=%severity%: %source%: %id%: %message% (%count%)" 

arg1 = system
arg2 = 1
arg3 = 1
arg4 = -5m
arg5 = 'srv'
arg6 = '2019'

Please advise on why it is sending a critical error other than the specified event id (2019).

Here's what I get from the UI...
informational: Service Control Manager: 7036: The Application Experience service entered the running state. (1), eventlog: 1 > critical

Thanks in advance.

Re: NagEventLog license

Posted: Mon Aug 11, 2014 10:12 am
by scottwilkerson
Earlier in this post
http://support.nagios.com/forum/viewtop ... 10#p107190

You were looking for events with an ID of 7036 and now that is what is reporting. Are you sure you have applied the configuration since making the changes?

Re: NagEventLog license

Posted: Mon Aug 11, 2014 10:27 am
by tgfde
I deleted the previous command and added a new one today. I also applied the configuration so many times already.

Re: NagEventLog license

Posted: Mon Aug 11, 2014 2:43 pm
by tmcdonald
tgfde wrote:
arg5 = 'srv'
arg6 = '2019'

Are you quoting the arguments both in the command definition and in the ARGn fields? If so, they are probably being double-quoted in the final command giving you something like:

[...] AND source = ''srv'' AND id IN (''2019'')" truncate= [...]

which would normally cause a SQL error, but I don't like making assumptions.
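The double-quoting suspected in the last post can be checked before a command definition is applied. This is an added example, not code from the thread or from Nagios or NSClient++; it assumes $ARGn$ macros are filled in by plain text substitution, and the helper names expand, quoting_conflicts and extract_filter are hypothetical.

```python
import re

# Command definition from the thread (the arguments after check_nrpe's -a).
TEMPLATE = ("file=$ARG1$ MaxWarn=$ARG2$ MaxCrit=$ARG3$ "
            "\"filter=generated gt $ARG4$ AND source = '$ARG5$' "
            "AND id IN ('$ARG6$')\" truncate=800 unique descriptions")

# ARGn values as entered in the UI, per the post.
ARGS_QUOTED = ["system", "1", "1", "-5m", "'srv'", "'2019'"]
# Same values with the quoting left to the command definition.
ARGS_BARE = ["system", "1", "1", "-5m", "srv", "2019"]

MACRO = re.compile(r"\$ARG(\d+)\$")


def expand(template, args):
    """Textually substitute $ARGn$ macros (assumed model of the expansion).
    Macros with no supplied value are left in place."""
    def repl(m):
        i = int(m.group(1)) - 1
        return args[i] if 0 <= i < len(args) else m.group(0)
    return MACRO.sub(repl, template)


def quoting_conflicts(template, args):
    """Return the ARG numbers whose macro is already wrapped in single
    quotes in the template while the supplied value brings its own."""
    hits = []
    for m in re.finditer(r"'\$ARG(\d+)\$'", template):
        n = int(m.group(1))
        if n <= len(args):
            v = args[n - 1]
            if len(v) >= 2 and v[0] == "'" and v[-1] == "'":
                hits.append(n)
    return hits


def extract_filter(expanded):
    """Pull the filter= expression out of the expanded argument string."""
    m = re.search(r'"filter=([^"]*)"', expanded)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, args in (("quoted", ARGS_QUOTED), ("bare", ARGS_BARE)):
        print(label, "->", extract_filter(expand(TEMPLATE, args)))
        print("  conflicting ARGs:", quoting_conflicts(TEMPLATE, args))
```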