Monitoring Windows Event Logs

[centwisit]

Hmm, still no. I currently have this:

Code: Select all

define command{
     command_name     check_eventlog
     command_line        $USER1$/check_nrpe -H $HOSTNAME$ -p 5666 -c CheckEventLog -a filter file=system MaxWarn=1 MaxCrit=1 "filter+generated=<2h AND filter+severity=error" unique descriptions "syntax=%severity%: %source%: %id%: %message% (%count%)"
}

But have tried the following as well without success:
filter+severity==error
filter+severity=='error'
filter+severity=="error"
filter+severity=='Error'
filter+severity=="Error"
filter+severity='error'
filter+severity="error"
filter+severity='Error'
filter+severity="Error"

In my Status Information section I'm getting informational and success events as well as errors:

Code: Select all

informational: Service Control Manager: 7035: The WinHTTP Web Proxy Auto-Discovery Service service was successfully sent a start control. (6), 
informational: Service Control Manager: 7036: The WinHTTP Web Proxy Auto-Discovery Service service entered the running state. (8), 
success: WinHttpAutoProxySvc: 12503: The WinHTTP Web Proxy Auto-Discovery Service has been idle for 15 minutes, it will be shut down. (1), 
success: WinHttpAutoProxySvc: 12517: The WinHTTP Web Proxy Auto-Discovery Service suspended operation. (1), 
eventlog: 16 > critical 

[abrist]

Are you only receiving logs from the last 2 hours? (as specified by "filter+generated=<2")

[centwisit]

Yes, I only receive logs within the last 2 hours.

[slansing]

This has got to be a syntax issue with how the command is being directed at that event log. Now it's just down to fine tuning the filters, ID's, and syntax positioning, this is going to be fairly specific to your set up of course.

[centwisit]

Might it be a NSClient issue? I currently have v3.9 installed.

[slansing]

I do not believe it is a problem with NSClient++, since you are able to get valid output from the plugin if you format it a certain way. Version 3.9 is by far the most stable version, and almost all of the additions to this module were added at 3.9's release. My recommendation would be to walk through the extensive documentation on this check's module, and start from the ground up with each portion of the command you are writing, this way you can identify in what portion an error or problem could occur. Beyond this point it is quite limited as to what we can help with as most of it is specific to your system. Though we will do our best to help you through.

[centwisit]

Ok, makes sense. I'm gonna set aside the vent log monitoring for a bit. Will update this thread with anything I find.

[lmiltchev]

Sure. Keep us posted.

[centwisit]

Yay, got it figured!

Used the following:

Code: Select all

define command{
     command_name     check_eventlog
     command_line        $USER1$/check_nrpe -H $HOSTNAME$ -p 5666 -c CheckEventLog -a filter file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -1h AND severity NOT IN ('success', 'informational','warning')" truncate=800 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
}

[slansing]

Horray! Thanks for letting us know what the resolution was!