How to monitor extended windows eventlogs using Nagios

ankurvvvv

How to monitor extended windows eventlogs using Nagios

Post by ankurvvvv »

Hello,

In our production environment we are using Nagios to monitor various Windows alerts.

Now we also want to monitor the Exchange server failover event, i.e. 306, via Nagios.

The command we are currently using is as follows; it works fine for the Application, System and Security event logs:

./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a file=Application debug=true MaxWarn=1 MaxCrit=1 filter-generated=\<1d "filter=id = 1009" truncate=1000 unique descriptions "syntax=%id%: (%count%)"

Now, instead of events in the Application, System and Security logs, I want to configure the event log check for Microsoft-Exchange-HighAvailability/Operational event 306. Can anyone help me with how to configure these events in Nagios?

Thanks

Ankur
jolson

Re: How to monitor extended windows eventlogs using Nagios

Post by jolson »

No problem, you should be able to change the log you're monitoring with the 'file' specification.

A possible example (may need some tinkering):


./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a file=Microsoft-Exchange-HighAvailability/Operational debug=true MaxWarn=1 MaxCrit=1 filter-generated=\<1d "filter=id = 306" truncate=1000 unique descriptions "syntax=%id%: (%count%)"
ankurvvvv

Re: How to monitor extended windows eventlogs using Nagios

Post by ankurvvvv »

jolson wrote:No problem, you should be able to change the log you're monitoring with the 'file' specification.

A possible example (may need some tinkering):


./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a file=Microsoft-Exchange-HighAvailability/Operational debug=true MaxWarn=1 MaxCrit=1 filter-generated=\<1d "filter=id = 306" truncate=1000 unique descriptions "syntax=%id%: (%count%)"
I tried this combination, but it did not work.

Actually, I tried many combinations, but all failed.

Any more ideas are welcome.

Thanks.
jolson

Re: How to monitor extended windows eventlogs using Nagios

Post by jolson »

Are you receiving any errors from the CLI after running the command I mentioned? If so, what errors?

What other combinations have you tried?
ankurvvvv

Re: How to monitor extended windows eventlogs using Nagios

Post by ankurvvvv »

jolson wrote:Are you receiving any errors from the CLI after running the command I mentioned? If so, what errors?

What other combinations have you tried?

The commands/combinations which I tried are as follows:

./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a file=Microsoft-Exchange-HighAvailability/Operational debug=true MaxWarn=1 MaxCrit=1 filter-generated=\<1d "filter=id = 306" truncate=1000 unique descriptions "syntax=%id%: (%count%)"

./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a filter=new file=all MinWarn=0 MinCrit=0 filter-generated=\<30m filter+eventID=="306" filter+eventType==all filter=all

./check_nrpe -t 30 -H IPAddress -p 5666 -c CheckEventLog -a filter=new file=all MinWarn=0 MinCrit=0 filter == ((source== "HighAvailability") AND (eventtype == "error") OR (eventtype == "warning")) filter-generated=\<30m filter+eventID=="306" filter+eventType==all filter=all

./check_nrpe -t 30 -H IPAddress -p 5666 -c eventlog=System,include,source=HighAvailability,eventtype=error,eventtype=warning,exclude,eventid=15,eventid=16" debug=true MaxWarn=1 MaxCrit=1 filter-generated=\<1d "filter=id = 306" truncate=1000 unique descriptions "syntax=%id%: (%count%)"

And many others...

And the output which I get from the above commands is as follows:
Eventlog check ok|'eventlog'=0;1;1;

The output shows status OK, but on the server there are many events with ID 306 due to automatic Exchange database failovers, and the output shows 0,1,1.

Any suggestion?

Thanks,
Ankur
Box293

Re: How to monitor extended windows eventlogs using Nagios

Post by Box293 »

Turn on debug logging in NSClient++ and restart the service.

Then try executing these commands and check the log to see what it logs. (I like using http://tailforwin32.sourceforge.net/ for watching logs on Windows servers.)
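To go with the debugging advice above, here is an added example (not from the thread, not NSClient++ code) to run directly on the Exchange server: it confirms the exact channel name and counts event 306 in the lookback window, emitting Nagios-style output, so you can tell whether the events are absent or the NRPE check is simply not reaching the channel. It assumes the channel name Microsoft-Exchange-HighAvailability/Operational, a one-day lookback, and treats MaxWarn/MaxCrit as "more than N matching events".

```powershell
# Added example, run locally on the Exchange host. Assumed channel name, lookback and
# threshold semantics ("more than N events") are stated in the lead-in.
function Test-ExchangeFailoverEvents {
    param(
        [string]$LogName = 'Microsoft-Exchange-HighAvailability/Operational',
        [int]$EventId = 306,
        [int]$LookbackDays = 1,
        [int]$MaxWarn = 1,
        [int]$MaxCrit = 1
    )

    # Step 1: verify the channel exists under exactly this name; a typo here is the
    # most common reason a custom-channel check silently reports OK.
    $log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
    if (-not $log) {
        return [pscustomobject]@{
            Message  = "EVENTLOG UNKNOWN - channel '$LogName' not found on this host"
            ExitCode = 3   # Nagios UNKNOWN
        }
    }

    # Step 2: count matching events since the start of the lookback window.
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero.
    $filter = @{ LogName = $LogName; Id = $EventId; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $count  = $events.Count

    # Step 3: Nagios plugin output with perfdata and exit status (OK=0, WARNING=1, CRITICAL=2).
    $perf = "'eventlog'=$count;$MaxWarn;$MaxCrit;"
    if ($count -gt $MaxCrit) {
        $state = 'CRITICAL'; $rc = 2
    } elseif ($count -gt $MaxWarn) {
        $state = 'WARNING';  $rc = 1
    } else {
        $state = 'OK';       $rc = 0
    }
    return [pscustomobject]@{
        Message  = "EVENTLOG $state - $count x event $EventId in $LogName over $LookbackDays day(s)|$perf"
        ExitCode = $rc
    }
}

# List every channel whose name mentions Exchange, with record counts, to spot a misspelled name.
Get-WinEvent -ListLog '*Exchange*' -ErrorAction SilentlyContinue | Select-Object LogName, RecordCount

$result = Test-ExchangeFailoverEvents
Write-Output $result.Message
exit $result.ExitCode
```

If this script reports CRITICAL while the NRPE check still returns 0, the events exist and the problem is in how NSClient++ is being told which channel to read, which is what the debug log should then show.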
ankurvvvv

Re: How to monitor extended windows eventlogs using Nagios

Post by ankurvvvv »

Any other option?
jdalrymple

Re: How to monitor extended windows eventlogs using Nagios

Post by jdalrymple »

I've fiddled with this a little bit to try and debug your problem. I'm having trouble identifying what "token" to use to tell NSClient I want to query a log besides App/Sys/Sec. This may be one you should reach out to Michael Medin (the developer of NSCP) about. Have you tried that?

https://forums.nsclient.org/
ankurvvvv

Re: How to monitor extended windows eventlogs using Nagios

Post by ankurvvvv »

Thanks :)

Will update if I get the correct syntax.

Ankur.
jdalrymple

Re: How to monitor extended windows eventlogs using Nagios

Post by jdalrymple »

We appreciate it. We will leave the topic open hoping you get a resolution.