How to monitor for an Event ID

Posted: Thu May 07, 2015 6:45 am
by maddev
I am looking to monitor the occurrences of a few system events on Windows servers; say, whenever event ID 1074 is logged, I need someone to be notified, and so on.

I have NSClient++ installed on the Windows machines and use Nagios XI 2014. Any idea on how to achieve this?

Re: How to monitor for an Event ID

Posted: Thu May 07, 2015 10:23 am
by jdalrymple
You have to have "CheckEventLog = 1" in your modules section of nsclient.ini.

Then after that it's just a matter of fiddling with the filters to make them work to suit your needs.

Code:

[jdalrymple@localhost libexec]$ ./check_nrpe -H <windows-IP> -c checkeventlog -a warn=1 crit=2 filter="id=1074"
OK: No entries found|'count'=0;1;2

Re: How to monitor for an Event ID

Posted: Thu May 07, 2015 10:50 am
by ssax
What version of NSClient++ are you using?

Make sure that you have these options set in your nsclient.ini:

Code:

[/settings/NRPE/server]
allow arguments=1
allow nasty meta chars=1

Restart your nsclient service.

You should be able to use CheckEventLog:

From command line:

Code:

./check_nrpe -H YOURHOST -p 5666 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -5m AND id='1074'"

Adding the service in XI CCM:

Code:

Check command: check_nrpe
$ARG1$: CheckEventLog
$ARG2$: -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -5m AND id='1074'"

http://docs.nsclient.org/0.4.3/referenc ... ckEventLog

Re: How to monitor for an Event ID

Posted: Fri May 08, 2015 2:46 am
by maddev
Hi, I am getting the below output when I execute it on the command line:

Code:

./check_nrpe -H 10.161.232.51 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -5m AND id='1074'"
Eventlog check ok|'eventlog'=0;1;1

But testing the check command through the XI CCM console throws the below error:

Code:

COMMAND: /usr/local/nagios/libexec/check_nrpe -H 10.161.232.51 -t 30 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated \> -5m AND id=\'1074\'"
OUTPUT: Parsing failed: generated \> -5m AND id=\'1074\'

Also, can't we do this using check_nt, without changing the nsclient.ini file?

Re: How to monitor for an Event ID

Posted: Fri May 08, 2015 10:38 am
by ssax
Paste in the exact $ARG2$ that I put in:

Code:

-a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -5m AND id='1074'"

Don't worry if the test fails.

Re: How to monitor for an Event ID

Posted: Fri May 08, 2015 12:41 pm
by maddev
Here's the output

Code:

COMMAND: /usr/local/nagios/libexec/check_nrpe -H <hostIP> -t 30 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated \> -5m AND id=\'1074\'"
OUTPUT: Parsing failed: generated \> -5m AND id=\'1074\'

Re: How to monitor for an Event ID

Posted: Fri May 08, 2015 12:44 pm
by scottwilkerson
Commands that have a lot of escaping often will not work properly through the "test Command" button in the GUI, because of the required escaping to prevent XSS via the web UI.

However, this will not affect the actual running of the command if you enter it as ssax suggested.
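
An alternative to the settings used in this thread, added here as an example and not part of the original posts: defining the check as an alias on the Windows host keeps the filter inside nsclient.ini, so NRPE does not need "allow arguments" or "allow nasty meta chars", and no quoted filter has to pass through the XI web UI. The alias name alias_event_1074 is an assumption; the filter text is the one ssax posted.

```ini
; nsclient.ini on the Windows host (NSClient++ 0.4.x layout, as in this thread)

[/modules]
CheckEventLog = 1
; needed for the alias section below
CheckExternalScripts = 1
NRPEServer = 1

[/settings/NRPE/server]
; the filter is defined locally, so remote arguments can stay disabled
allow arguments = 0
allow nasty meta chars = 0

[/settings/external scripts/alias]
; alias name is hypothetical; the filter is copied from the thread
alias_event_1074 = CheckEventLog file=system MaxWarn=1 MaxCrit=1 "filter=generated > -5m AND id='1074'"

; Nagios side: call the alias by name, with no -a arguments
;   ./check_nrpe -H YOURHOST -p 5666 -c alias_event_1074
; XI CCM: check command check_nrpe, $ARG1$ = alias_event_1074, $ARG2$ left empty
```

Restart the nsclient service after editing the file, as with the settings above.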