Page 4 of 6
Re: Command to check Windows logs
Posted: Mon Oct 19, 2015 7:04 pm
by jamesc23
Yes our server is still on an old version. I think we're on 2011R1.6. We'll be looking to upgrade our server but it won't be anytime soon as we have other projects to concentrate on which will take a lot of our time.
As for the config in nsclient.ini - please see below.
[/settings/eventlog/real-time/filters/default]
destination = NSCA
maximum age = 3d
ok message = Found no records in eventlog last three days.
syntax = %type% %id% %source%: %message%
[/settings/eventlog/real-time/filters/RAID Windows Event]
log = application
filter = id = 3006
severity = WARNING
syntax = %message%
ok message = Found no RAID related eventlogs last three days.
maximum age = 3d
Re: Command to check Windows logs
Posted: Tue Oct 20, 2015 4:19 pm
by lmiltchev
Have you tried generating an event on the Windows server that is compliant with the filter you made as suggested by WillemDH?
Re: Command to check Windows logs
Posted: Tue Oct 20, 2015 7:00 pm
by jamesc23
Yes, I have.
Re: Command to check Windows logs
Posted: Wed Oct 21, 2015 4:55 pm
by jdalrymple
Your best bet from this point is to see if nsclient is even picking up the event. You can look in nsclient.log if you have logging enabled:
Code:
[/settings/log]
file name = nsclient.log
debug = 1
Or if you don't have logging enabled, just kill the service:
Then restart from an elevated command prompt:
Code:
"c:\program files\nsclient++\nscp.exe" test
Regenerate the event and watch the debug output for further information.
Re: Command to check Windows logs
Posted: Wed Oct 21, 2015 10:52 pm
by jamesc23
Does the below imply that my filter settings are incorrect?
2015-10-22 11:58:15: debug:D:\source\nscp\include\parsers/filter/realtime_helper.hpp:193: Next miss time is in: 86379s
2015-10-22 11:58:21: debug:D:\source\nscp\modules\CheckEventLog\realtime_thread.cpp:86: Reading eventlog messages...
2015-10-22 11:58:21: debug:D:\source\nscp\modules\CheckEventLog\realtime_thread.cpp

Processing: 0000000000542F20
2015-10-22 11:58:42: debug:D:\source\nscp\include\parsers/filter/realtime_helper.hpp:193: Next miss time is in: 86379s
2015-10-22 11:58:55: debug:D:\source\nscp\modules\CheckEventLog\realtime_thread.cpp:86: Reading eventlog messages...
2015-10-22 11:58:55: debug:D:\source\nscp\modules\CheckEventLog\realtime_thread.cpp

Processing: 0000000000542F20
2015-10-22 11:58:55: debug:D:\source\nscp\include\parsers/filter/realtime_helper.hpp:148: No filters matched an event
Re: Command to check Windows logs
Posted: Thu Oct 22, 2015 11:23 am
by jdalrymple
I'm kind of stating the obvious here, so bear with me:
In the config you sent you just have filter = id = 3006. Is that indicative of a drive failure? Can you verify that ID is in your application event log somewhere in the past 3 days?
To answer your question, it does look to me like your realtime log monitor isn't finding anything of interest to tell you about.
Re: Command to check Windows logs
Posted: Thu Oct 22, 2015 12:27 pm
by WillemDH
Try a filter like this pls:
Code:
filter = level IN (error) AND id IN (3006,3007)
Just as I'm 100% sure the above syntax works for me in NSClient 0.4.1.105. Generate an error event 3006 with PowerShell.
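An added example (not code from the thread or from NSClient++) covering both jdalrymple's question, whether ID 3006 is actually in the Application log within the last 3 days, and WillemDH's suggestion to generate the event with PowerShell. It assumes Windows PowerShell 5.1 in an elevated prompt; the event source name is made up, which is fine because the filter in this thread does not restrict the source.

```powershell
# Added example (not from the thread): write test events 3006/3007 to the
# Application log and verify they are there, so that an NSClient++ real-time
# filter such as  filter = level IN (error) AND id IN (3006,3007)  has
# something to match. Assumes Windows PowerShell 5.1 run as Administrator.
$LogName = 'Application'
$Source  = 'NscpFilterTest'   # constructed source name, not a real product's

# Write-EventLog needs a registered source; registering it needs admin rights
# and the source must belong to the log being written to.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# One event per level, so each variant of the filter can be exercised.
$tests = @(
    @{ Id = 3006; Type = 'Error';       Text = 'test: simulated RAID error 3006' },
    @{ Id = 3006; Type = 'Warning';     Text = 'test: simulated RAID warning 3006' },
    @{ Id = 3007; Type = 'Information'; Text = 'test: simulated RAID info 3007' }
)
foreach ($t in $tests) {
    Write-EventLog -LogName $LogName -Source $Source -EventId $t.Id `
                   -EntryType $t.Type -Message $t.Text
}

# Verification, answered from the log itself: are there any 3006/3007
# events in the Application log from the past 3 days?
$found = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 3006, 3007
    StartTime = (Get-Date).AddDays(-3)
} -ErrorAction SilentlyContinue

if (-not $found) {
    Write-Warning "No 3006/3007 events in the last 3 days; the filter cannot match."
} else {
    # Level 2 = Error, 3 = Warning, 4 = Information. Only Error entries
    # satisfy 'level IN (error)', so show the counts per ID and level.
    $found | Group-Object Id, LevelDisplayName |
        Select-Object Count, Name | Format-Table -AutoSize
}
```

Run it, then run nscp.exe test as jdalrymple describes: the debug output should show the filter matching the Error-level 3006 entry and skipping the Warning and Information ones.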
Re: Command to check Windows logs
Posted: Thu Oct 22, 2015 5:02 pm
by tmcdonald
@jamesc23, let us know if JR or Willem's posts were helpful!
Re: Command to check Windows logs
Posted: Sun Oct 25, 2015 7:38 pm
by jamesc23
Ok. I changed the filter according to the suggestion and I'm still getting the no filters matched message. I tried generating Information, Warning and Error messages based on event 3006 and 3007.
I can also verify that the event ID 3006 (read event) is in the application logs. I am assuming that the command nscp.exe test will actually tell me useful information if the event ID is matched?
Please let me know if there's anything else I could try.
Many thanks.
Re: Command to check Windows logs
Posted: Mon Oct 26, 2015 5:05 pm
by lmiltchev
Can you post the "nsclient.log"?