Nagios Support Forum

Hello,

I am using Nagios Core and monitoring Windows Servers running NSClient++. Everything seems to be running ok but I am receiving critical alert messages about system uptime, for example: "warning: EventLog: The sytem uptime is 27725115 seconds. (1), eventlog: 1 critical." I have tried clearing out the Windows System Event log which seems to help briefly but the messages come back.

How do I fix these messages?

Thank you in advanced for your assistance.

It means you have not rebooted that system in ~320 days (27725115 seconds). You will need to increase the warning/critical thresholds for that uptime check or else just reboot the server to reset the timer to 0.

Whistleeeeee

Thats a long time for a Windows server without a reboot ... just proves it's a pretty robust OS

Thank you for the replies. I will see about adjusting the threshold as we have some servers that cannot be rebooted regularly. Which plugin would it be for? The alert shows as part of the Event Log check.

Thanks Again.

Which plugin would it be for? The alert shows as part of the Event Log check.

How is the check defined in the nsclient.ini?

Here is what is in the nsclient.ini for those options, which are set as the defaults:

; alias_event_log - Alias for alias_event_log. To configure this item add a section called: /settings/external scripts/alias/alias_event_log
alias_event_log = CheckEventLog file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'" truncate=800 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"

; alias_up - Alias for alias_up. To configure this item add a section called: /settings/external scripts/alias/alias_up
alias_up = checkUpTime MinWarn=1d MinWarn=1h

Based on your command there, its not an uptime issue, but an issue with the critical threshold for number of events that are not "success or informational and are not from SideBySide" in your logs within the time window that its viewing. Since you have 1 or more, you get a critical message. The parts you should consider changing are highlighted.

; alias_event_log - Alias for alias_event_log. To configure this item add a section called: /settings/external scripts/alias/alias_event_log
alias_event_log = CheckEventLog file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'" truncate=800 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"

Thank you for responding. I tested using a value of 3 for your highlighted suggestions and the alert stopped (although it still shows up as a warning). Where can I find out more about this setting? Will I miss any alerts if I set the value too high?

You could try looking at the nsclient man pages, but it all depends on if they are back in a decent state from the reorg of the site. All those values are doing in this instance, is setting a threshold for when you should see a warning or critical response. Specifically how many events that are found you are willing to allow prior to getting a warning or critical. If you have critical at 5 and warning at 3, that seems like a pretty reasonable amount to me, but it 100% depends on your system, your applications, and your expectations of when to be alerted. So I can speculate on what I would do with limited information, but only so far. Yes you could loose alerts depending on what you set the threshold to, but 1 is almost definitely too low, just like 100 is almost definitely too high.

http://nsclient.org/nscp/wiki/CheckEven ... k_eventlog

Towards the middle of that first table. Setting it too high will obviously cause it to rarely if ever trigger, but really it's a threshold like any other and depends on your environment. If you ride along at just 2 log entries for a while you will just miss the mark. I would also recommend setting the warn/crit values to different things, unless you specifically want to force a critical and never see warnings.