Nagios Support Forum

Posted: **Tue Nov 26, 2013 6:21 pm**

What would be the best way to monitor Windows 2008R2(64bit) Event Logs through NAGISOXI? I already have NSClient++ on all of my servers. I started "Windows Even Log Monitoring Wizzard" but it has docs for 32bit version. Link that points to "additional versions of agent" has 4 year old BETA-64bit version, that doesn't look very promising. Can you give me some idea what I have to do?

Posted: **Wed Nov 27, 2013 11:08 am**

If you would like to use NSClient++ for event log monitoring, you can check out this link:

http://www.nsclient.org/nscp/wiki/Check ... k_eventlog

There is no perfect solution at this time for windows event log monitoring (this includes NSClient++ and NagEventLog). Another option would be to capture all events from one or more logs on the Windows system, and send them as SNMP traps to your Nagios XI server.

Posted: **Wed Nov 27, 2013 11:13 am**

Some additional relevant information on nsclient++

http://blog.medin.name/blog/2012/03/20/ ... -nsclient/
http://blog.medin.name/blog/2012/11/26/ ... ext-files/

Posted: **Wed Nov 27, 2013 1:50 pm**

What's the difference between NSC++ and NSCA client, can they coexist on the same server? NSC++ has "Enable NSCA client (dont enable unless you really use NSCA)" and "Enable WMI Checks" options. Should I enable any of them and use them for monitoring EventLogs?

Posted: **Wed Nov 27, 2013 1:58 pm**

Yes, you can use NSCA with NSClient++. It is used to send passive check results to Nagios XI server. You can read more on NSCA here:

http://assets.nagios.com/downloads/nagi ... ith_XI.pdf

You can modify the NSCA settings in the NSC.ini (or nsclient.ini file, depending on the version of NSClient++ that you are using) on the Windows box, under the [NSCA Agent] section. You will have to restart the NSClient++ service so that changes can take effect.

Posted: **Wed Nov 27, 2013 2:06 pm**

Weird, after I reconfigured NSC++ and enabled NSCA it completely disappeared from my services. It still shows as installed on the system but not in the services.

Posted: **Wed Nov 27, 2013 2:50 pm**

Weird, after I reconfigured NSC++ and enabled NSCA it completely disappeared from my services. It still shows as installed on the system but not in the services.

I am not sure what you did, but just modifying the config file, shouldn't be causing the removal of the NSClient++ service...

Posted: **Wed Nov 27, 2013 5:12 pm**

I had to reinstall NSC++ in order to get service running again. I did installed it with NSCA option and did "Windows Event Monitoring Wizzard" after that and included System and Application log. I have them now listed in NAGIOSXI but status is PENDNING for a long time now, so I am guessing something is not right. Any ideas?

Posted: **Thu Nov 28, 2013 6:05 am**

I've been looking for some time now into this realtime eventlog monitoring function of nscp and it is imo a much better option than nageventlog as it's very easy to update the ini file and distribute it to all nscp clients. I'll save you some time and send you my setup:

Code: Select all

; A set of options to configure the real time checks
[/settings/eventlog/real-time]

; DEBUG - Log missed records (usefull to detect issues with filters) not usefull in production as it is a bit of a resource hog.
debug = false

; REAL TIME CHECKING - Spawns a backgrounnd thread which detects issues and reports them back instantly.
enabled = true

; LOGS TO CHECK - Comma separated list of logs to check
log = application,system

; STARTUP AGE - The initial age to scan when starting NSClient++
startup age = 30m


; A set of filters to use in real-time mode
[/settings/eventlog/real-time/filters]

[/settings/eventlog/real-time/filters/default]

; DESTINATION - The destination for intercepted messages
destination=NSCA

; MAXIMUM AGE - How long before reporting "ok" (if this is set to off no ok will be reported only errors)
maximum age= 3d

; OK MESSAGE - This is the message sent periodically whenever no error is discovered.
ok message= eventlog found no records test default

; SYNTAX - Format string for dates
syntax=%type% %id% %source%: %message% 

[/settings/eventlog/real-time/filters/EVT_Application]
log= application
filter= level IN (error) AND id NOT IN (0,1,3,10,12,13,23,26,33,37,38,58,67,101,103,107,110,274,502,511,1000,1002,1004,1005,1008,1009,1010,1026,1053,1054,1085,1101,1107,1116,1325,1500,1502,1504,1508,1511,1515,1521,1533,1542,2001,2019,2640,2650,3001,3008,3042,3077,3079,3098,3119,3130,3131,3148,3159,4005,4621,5008,5009,5051,5605,5705,6001,6007,6032,6044,6100,7735,7823,8193,8194,8196,10000,10005,10007,10862,10922,11317,12289,12298,12321,13836,14197,15000,16038,16041,16053,16058,16063,16066,16068,16082,16421,17898,21061,35698,35710,35712,35716,35726,37090,37092,37098,37119,37225,42207)
severity= WARNING
ok message= Eventlog found no records test application
maximum age= 3d


[/settings/eventlog/real-time/filters/EVT_System]
log= system
filter= level IN (error) AND source NOT IN ('Schannel') AND id NOT IN (1,4,5,8,10,12,19,27,37,39,50,54,56,137,1006,1009,1030,1041,1060,1066,1069,1111,1196,3621,4192,4224,4250,5051,5722,5723,5774,5783,5805,6161,7000,7001,7009,7011,7016,7022,7023,7024,7026,7031,7032,7034,8003,9022,10005,10006,10009,10010,10016,12294)
severity= WARNING
ok message= Eventlog found no records test system
maximum age= 3d


[/settings/eventlog/real-time/filters/CLU_Cluster_Services_Events]
log= application
filter= id=666 AND source= 'Nagios'
severity= CRITICAL
syntax= %message%
ok message= Eventlog found no records test cluster
maximum age= 3d

The above will send all errors as warnings to the respective passive services excluding the event id's listed. I preferred doing it this way, but you can as well do it the other way around and specify exactly which events you want to send to the passive service.

Posted: **Thu Nov 28, 2013 2:42 pm**

Thanks you for config file provided, but I don't see from your post what's the file name and where it should be located. Is this something that should be added to NSC.ini?

Nagios Support Forum

Windows 2008R2 x64 Event Log monitoring

Windows 2008R2 x64 Event Log monitoring

Re: Windows 2008R2 x64 Event Log monitoring

Re: Windows 2008R2 x64 Event Log monitoring

Re: Windows 2008R2 x64 Event Log monitoring

Re: Windows 2008R2 x64 Event Log monitoring

Re: Windows 2008R2 x64 Event Log monitoring

Re: Windows 2008R2 x64 Event Log monitoring

Re: Windows 2008R2 x64 Event Log monitoring

Re: Windows 2008R2 x64 Event Log monitoring

Re: Windows 2008R2 x64 Event Log monitoring