
How to monitor Windows Event Logs

Posted: Tue Oct 13, 2015 5:52 pm
by Nagiosuser01999
Hi All,

I have been asked whether it is possible to monitor if someone stops, pauses or deletes Windows event logs.

I have tried to setup NagEventLog however I haven't had any luck.

In the Monitoring Wizard I can see that there is a Windows Event Log wizard. It looks like someone has installed this already.

I select that, then add the IP or host name I wish to monitor. In this case I'm testing this on my workstation.
I have followed the document on configuring NSCA on the Nagios XI Server
I have installed the NagEventLog on my desktop and can confirm that it is talking to Nagios.

When I perform a test, I see nothing at all.

I'm not too sure what is going on.
Am I supposed to add a command?

Re: How to monitor Windows Event Logs

Posted: Tue Oct 13, 2015 7:07 pm
by jdalrymple
Your problem seems to be all over the map:
Nagiosuser01999 wrote: is it possible to monitor if someone stops, pauses or deletes windows event logs
Typically when people ask about Windows event log monitoring they're looking to be alerted if a specific ID or message pops up in one of the system logs. Your description sounds more to me like you want to know if the service is started/stopped/deleted which would be more of a service check. You could just use the WMI or Windows Server wizard to monitor for the service "EventLog"
Nagiosuser01999 wrote: In the Monitoring Wizard I can see that there is a windows event log. Looks like someone has installed this already.
This would be the more standard method of monitoring the event log, where you're searching for specific event log contents. Is that what you wish to do? If so, it's well documented: https://assets.nagios.com/downloads/nag ... entLog.pdf
Nagiosuser01999 wrote: I have installed the NagEventLog on my desktop and can confirm that it is talking to Nagios.
How can you confirm? Have you looked for results in unconfigured objects?

Re: How to monitor Windows Event Logs

Posted: Tue Oct 13, 2015 8:53 pm
by Nagiosuser01999
Thanks for your reply.

If I run the 'Test NSCA daemon' I get the message NSCA send succeeded.

Also, I can see that port 5667 is listening on Nagios, so there are no firewall issues going on.
OK, so if you are using NSCA you are wanting to monitor for a specific event ID or message.
And if I'm monitoring the Windows Event Log service I would see if the service is stopped or paused.

What I would like to do is monitor the Windows Event Log service, which seems straightforward; however, I would also like to monitor the event IDs of Windows event logs being cleared/deleted.

I have followed the EventLog.pdf. However, when I generate a test event log, no data shows up in Nagios under that host.

Re: How to monitor Windows Event Logs

Posted: Wed Oct 14, 2015 4:32 pm
by jdalrymple
Nagiosuser01999 wrote: If I run the 'Test NSCA daemon' I get the message NSCA send succeeded.
This has me a bit confused, mostly I guess just because I'm unfamiliar with that button. Is that something that is part of the NagEventLog product?
Nagiosuser01999 wrote: Also I can see that port 5667 is listening on Nagios, so there are no firewall issues going on.
Seeing that port 5667 is listening is not indicative that there are no firewall issues:

Code:

[root@nagioshost ~]# ss -an | grep 5667
LISTEN     0      64                       :::5667                    :::*
[root@nagioshost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:f3:24:9e brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.70/24 brd 10.0.2.255 scope global eth0
    inet6 fe80::20c:29ff:fef3:249e/64 scope link
       valid_lft forever preferred_lft forever

Code:

[root@anotherhost ~]# nmap 10.0.2.70

Starting Nmap 5.51 ( http://nmap.org ) at 2015-10-14 16:32 CDT
Nmap scan report for 10.0.2.70
Host is up (0.00011s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 00:0C:29:F3:24:9E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.34 seconds
Nagiosuser01999 wrote: if I'm monitoring the Windows Event Log service I would see if the service is stopped or paused
This isn't done with event log monitoring; this is basic monitoring of a service. Handle this with a wizard as I described above.
Nagiosuser01999 wrote: I would like to also monitor the event IDs of windows event logs being cleared/deleted
I've never heard of this, nor do I even know how I'd go about it. It seems like you'd have to duplicate then diff the event log.
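The two things the original poster asked for, a service-state check for the EventLog service and an alert when a log is cleared, can be covered by one Nagios-style check script. The following PowerShell is an added example for this thread, not code from the thread, from NagEventLog or from Nagios. It relies on two facts about Windows auditing rather than on diffing log copies: clearing the Security log writes event ID 1102 to the Security log, and clearing the System log writes event ID 104 to the System log, both from the Microsoft-Windows-Eventlog provider. The script assumes it is run on the monitored Windows host by an agent that understands Nagios plugin exit codes (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN), under an account allowed to read the Security log; the LookbackMinutes parameter is this example's own and should be at least as long as the check interval.

```powershell
# Added example: Nagios-style check for the Windows EventLog service and for
# "log cleared" audit events. Not part of NagEventLog or Nagios XI.
# Assumptions: runs locally on the monitored host (e.g. via NRPE/NSClient++),
# account can read the Security log, LookbackMinutes >= check interval.
param(
    [int]$LookbackMinutes = 15
)

# Standard Nagios plugin exit codes
$ExitOk = 0; $ExitWarning = 1; $ExitCritical = 2; $ExitUnknown = 3

function Get-EventLogServiceState {
    # Returns the service status as a string, or 'Missing' if the service is gone
    $svc = Get-Service -Name 'EventLog' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'Missing' }
    return $svc.Status.ToString()   # Running, Stopped, Paused, StartPending, ...
}

function Get-LogClearedEvents {
    param([datetime]$Since)
    # 1102 = Security log cleared, 104 = System log cleared (Microsoft-Windows-Eventlog)
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; ProviderName = 'Microsoft-Windows-Eventlog'; StartTime = $Since },
        @{ LogName = 'System';   Id = 104;  ProviderName = 'Microsoft-Windows-Eventlog'; StartTime = $Since }
    )
    $results = @()
    foreach ($f in $filters) {
        # Get-WinEvent writes an error when nothing matches; treat that as "no events"
        $found = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
        if ($found) { $results += $found }
    }
    return $results
}

# 1. Service state: anything other than Running is CRITICAL (covers stopped/paused/deleted)
$state = Get-EventLogServiceState
if ($state -ne 'Running') {
    Write-Output "CRITICAL - EventLog service is $state"
    exit $ExitCritical
}

# 2. Log-clear events within the lookback window
try {
    $cleared = @(Get-LogClearedEvents -Since (Get-Date).AddMinutes(-$LookbackMinutes))
} catch {
    Write-Output "UNKNOWN - could not query event logs: $($_.Exception.Message)"
    exit $ExitUnknown
}

if ($cleared.Count -gt 0) {
    $summary = ($cleared | ForEach-Object { "$($_.LogName) cleared at $($_.TimeCreated)" }) -join '; '
    Write-Output "CRITICAL - $($cleared.Count) log-clear event(s) in last $LookbackMinutes min: $summary"
    exit $ExitCritical
}

Write-Output "OK - EventLog service running, no log-clear events in last $LookbackMinutes min"
exit $ExitOk
```

Because the 1102/104 events are themselves stored in the log that was just cleared, they are the first records written after the clear and survive until the log wraps or is cleared again; that is why the lookback window must not be shorter than the check interval. Forwarding these two IDs to a central collector as well gives a second copy that a local clear cannot remove.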

Re: How to monitor Windows Event Logs

Posted: Wed Oct 14, 2015 5:20 pm
by Nagiosuser01999
That's correct jdalrymple, NagEventLog does have a test button.

I have setup a Check_WM_Service to monitor eventlog. I have tested this and this seems to be working.

I think I'm supposed to use the NagEventLog application to monitor specific event logs; I'm not having much luck getting this to work.
I will go through the documentation again and see how I go.

Re: How to monitor Windows Event Logs

Posted: Thu Oct 15, 2015 10:48 am
by jdalrymple
Note that by default debugging in NSCA is disabled:

Code:

# DEBUGGING OPTION
# This option determines whether or not debugging
# messages are logged to the syslog facility.
# Values: 0 = debugging off, 1 = debugging on

debug=0
Enabling that then watching /var/log/messages will likely prove very beneficial to you.