2 questions about NSClient++ & Nagios (Eventlogs)

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Dobi
Posts: 12
Joined: Mon Feb 24, 2014 4:42 am

2 questions about NSClient++ & Nagios (Eventlogs)

Post by Dobi »

I have 2 questions about 2 different eventlogs:

1.
If there is an error a log (ID: 3317) will be created with the level “Error”.
If the error is fixed a log (ID: 3317) will be created with the level “Information”.
If the last one has the level “Information” it should be “ok” in nagios, otherwise “critical”.

2.
Parameter 2 (like it’s called in SCOM) in the description is not allowed to have a “$” under “Security ID”, otherwise nagios should show “critical”.
In this case “Member” would be Parameter 2:

Code:

A member was added to a security-enabled global group

Subject:
  Security ID: ...
  Account Name: ...
  Account Domain: ...
  Logon ID: ...

Member:
  Security ID: ...
  Account Name: ...

Group:
  Security ID: ...
  Group Name: ...
  Group Domain: ...

Additional Information:
  ...

Greetings,
Cédric
sreinhardt
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: 2 questions about NSClient++ & Nagios (Eventlogs)

Post by sreinhardt »

Could you provide more details as to what you mean. I'm not sure I see what issues you are having as of now.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
Dobi
Posts: 12
Joined: Mon Feb 24, 2014 4:42 am

Re: 2 questions about NSClient++ & Nagios (Eventlogs)

Post by Dobi »

sreinhardt wrote: Could you provide more details as to what you mean. I'm not sure I see what issues you are having as of now.
Thank you. ;)
(Question 1 has nothing to do with question 2 apart from that both have to do with eventlogs.)

Q.1:
So let’s say there is an event with the ID: 3317 which has the level “Error”, then Nagios has to change the status to “critical”.
If now after that a new event is generated which has also the ID: 3317, but with the level “Information”, then Nagios has to change the status to “Ok”.

So actually if the last event with the ID: 3317 has the level “Error”, Nagios should show “Critical”, but if the last event with the ID: 3317 has the level “Information”, Nagios should show “Ok”.


Q.2:
The “code” below is the description (message) of an eventlog.
If there is no “$”-sign on the line where I made "<--" (those symbols are actually not part of the message, but just there to show the line), then Nagios should change the status to “critical”.

Code:

A member was added to a security-enabled global group

Subject:
  Security ID: ...
  Account Name: ...
  Account Domain: ...
  Logon ID: ...

Member:
  Security ID: ...    <--
  Account Name: ...

Group:
  Security ID: ...
  Group Name: ...
  Group Domain: ...

Additional Information:
  ...

Hope it’s clearer now. ;)

Greetings,
Cédric
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: 2 questions about NSClient++ & Nagios (Eventlogs)

Post by tmcdonald »

I'm still a bit confused. You aren't asking any actual questions here. Are you wanting us to implement some feature? Are you experiencing a bug? Are you having trouble setting up a check properly?
Former Nagios employee
Dobi
Posts: 12
Joined: Mon Feb 24, 2014 4:42 am

Re: 2 questions about NSClient++ & Nagios (Eventlogs)

Post by Dobi »

tmcdonald wrote: I'm still a bit confused. You aren't asking any actual questions here. Are you wanting us to implement some feature? Are you experiencing a bug? Are you having trouble setting up a check properly?
Thanks for your time! :)

I am having trouble setting up a check properly. ;)
The problem is that I know what Nagios (& NSC++) should do when what happened, but I have no idea how to implement it.

(Question 1)
I know how to set it up so that if an event with the ID: 3317 which has the level “Error” exists, then Nagios shows "Critical". To that point there is no problem at all.
But then, if after this event another event with the same ID: 3317 but with the level “Information” is generated, then Nagios should show "OK" again instead of "Critical".
That I don't know how to do.

(Question 2)
I know how to make a test if there is a "$" sign in the message of an eventlog.
But what I don't know is how to test if there is a "$" sign only on the line which I marked with "<--" ("Security ID:" under section "Member:"), so other lines should play no role in the test.
I know that there is a filter regexp but I have no idea how to implement it so that Nagios shows "Critical" if there is no "$" sign on that specific row.

Should be something like that:

Code:

CheckEventLog file=security debug=true "filter=id=4738 AND regexp=/((?m)^(?<=Member:\n)\s*Security ID:[^$\n]*$)/" truncate=800 unique "syntax=%source% %id%: (%count%)"

Greetings,
Cédric
sreinhardt
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: 2 questions about NSClient++ & Nagios (Eventlogs)

Post by sreinhardt »

1) I don't believe this logic is contained within nsclient. From my understanding it ONLY looks for the number of warning, error or critical events and relays that back to nagios. It does not specifically look at informational or send back particular events. You might want to look at event to trap:

http://exchange.nagios.org/directory/Ut ... ap/details

2) Again not sure if nsclient does this, if it does I would suggest implementing just about exactly what you have, looking for member then security id, and finally a $ must be prior to a newline. I would also caution again, that this is likely just looking at total counts within a time period and not sending back the actual events causing this.

Powershell or event to trap would likely be an easier item to manage, but staying with nsclient is your choice. I might also suggest posting up a question for both of these on the nsclient forums and seeing if you get a response.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
Dobi
Posts: 12
Joined: Mon Feb 24, 2014 4:42 am

Re: 2 questions about NSClient++ & Nagios (Eventlogs)

Post by Dobi »

sreinhardt wrote: 1) I don't believe this logic is contained within nsclient. From my understanding it ONLY looks for the number of warning, error or critical events and relays that back to nagios. It does not specifically look at informational or send back particular events. You might want to look at event to trap:

http://exchange.nagios.org/directory/Ut ... ap/details
The problem is that they don't want me to install services apart from nscp on the servers, so maybe I have to write my own plugin that checks if the last event is of type "Error" or "Information".

sreinhardt wrote: 2) Again not sure if nsclient does this, if it does I would suggest implementing just about exactly what you have, looking for member then security id, and finally a $ must be prior to a newline. I would also caution again, that this is likely just looking at total counts within a time period and not sending back the actual events causing this.

Powershell or event to trap would likely be an easier item to manage, but staying with nsclient is your choice. I might also suggest posting up a question for both of these on the nsclient forums and seeing if you get a response.
Seems that I got it (question 2) working. ;) Not 100% sure because I've got no such events till now.

Code:

alias_ad2008_usr_acc_change = CheckEventLog file=security debug=true "filter=id=4738 AND message regexp '/(?m)^(?<=Member:[\n])(?:.|\n)*?(Security ID:[^$\n]*$)(?:.|\n)*?(?=Group:[\n])/'" truncate=800 unique "syntax=%source% %id%: (%count%)"
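Both requirements from the thread, written out as an added Python example (not code from the thread, from NSClient++ or from Nagios): the "last event with ID 3317 wins" state for question 1, and for question 2 a check that looks only at the Security ID line of the Member section, cross-checked against the regex from the alias above. The event records and messages are constructed; the SIDs and account names are placeholders.

```python
import re

OK, CRITICAL, UNKNOWN = 0, 2, 3          # Nagios plugin exit codes

# Question 1: the newest event with the given ID decides; "Error" raises, "Information" clears.
def last_event_state(events, event_id):
    matching = [e for e in events if e["id"] == event_id]
    if not matching:
        return UNKNOWN
    last = max(matching, key=lambda e: e["time"])
    return OK if last["level"] == "Information" else CRITICAL

# Question 2: only the "Security ID:" line in the "Member:" section counts. A section parser
# instead of a lookbehind: an unindented line ending in ":" opens a new section.
def member_security_id_line(message):
    section = None
    for line in message.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            section = line.strip()[:-1]      # "Subject", "Member", "Group", ...
        elif section == "Member" and line.strip().startswith("Security ID:"):
            return line.strip()
    return None

def member_state(message):
    line = member_security_id_line(message)
    if line is None:
        return UNKNOWN                       # not the expected message layout
    return OK if "$" in line else CRITICAL

# The alias' regex above with its "/" delimiters dropped: a match means the Member SID line has no "$".
THREAD_RE = re.compile(r"(?m)^(?<=Member:\n)(?:.|\n)*?(Security ID:[^$\n]*$)(?:.|\n)*?(?=Group:\n)")

def thread_regex_state(message):
    return CRITICAL if THREAD_RE.search(message) else OK

# Constructed messages in the layout quoted in the thread; SIDs and names are placeholders.
MSG_OK = ("A member was added to a security-enabled global group\n\n"
          "Subject:\n  Security ID: S-1-5-21-0-0-0-500\n  Account Name: admin\n\n"
          "Member:\n  Security ID: EXAMPLE\\HOST01$\n  Account Name: CN=HOST01\n\n"
          "Group:\n  Security ID: S-1-5-21-0-0-0-512\n  Group Name: Domain Admins\n")
MSG_CRIT = MSG_OK.replace("EXAMPLE\\HOST01$", "EXAMPLE\\jdoe")      # no "$" in Member
MSG_TRAP = MSG_CRIT.replace("S-1-5-21-0-0-0-500", "EXAMPLE\\DC01$")  # "$" only in Subject

# Constructed ID 3317 records: an Error followed by the clearing Information event.
EVENTS = [{"time": 1, "id": 3317, "level": "Error"},
          {"time": 2, "id": 3317, "level": "Information"}]

if __name__ == "__main__":
    for msg in (MSG_OK, MSG_CRIT, MSG_TRAP):
        print("Q1:", last_event_state(EVENTS, 3317), "Q2:", member_state(msg), "regex:", thread_regex_state(msg))
```

MSG_TRAP shows why the section-specific test matters: a plain "is there a $ anywhere in the message" filter would report OK for it, while both the section parser and the regex report CRITICAL.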
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: 2 questions about NSClient++ & Nagios (Eventlogs)

Post by tmcdonald »

1.) That certainly does complicate things a bit. As sreinhardt pointed out, powershell might be a good solution here.

2.) Let us know how this turns out.
Former Nagios employee