monitor event logs under "applications and services logs"

Posted: Mon Feb 29, 2016 7:59 am
by luffywallis
Hi all,
I'm trying to track events on applications and services logs/Microsoft/Windows/Diagnosis-PLA/Operational. I know that it's not possible using check_wmi_eventid, and my only solution is to use check_nrpe checkeventlog. I'm confused about how to point to the specific location, since all the examples that I found on the net point to basic locations (application, system, ...). Thank you

Re: monitor event logs under "applications and services logs

Posted: Mon Feb 29, 2016 9:48 am
by eloyd
I'm going to put a big plug in here for Nagios Log Server. You can monitor all your Windows event logs and application logs by sending them to the Nagios Log Server, and then search for strings and patterns there, then alert through Nagios from Log Server. Plus, for a small size installation, it's free!

Re: monitor event logs under "applications and services logs

Posted: Mon Feb 29, 2016 2:11 pm
by ssax
What version of NSClient++ are you running?

Re: monitor event logs under "applications and services logs

Posted: Mon Feb 29, 2016 2:15 pm
by ssax
Here is what worked for me on the latest version of NSClient++:

Code:

/usr/local/nagios/libexec/check_nrpe -H X.X.X.X -c checkeventlog -a file=YOURLOGNAME MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'informational'"

Re: monitor event logs under "applications and services logs

Posted: Mon Feb 29, 2016 2:19 pm
by ssax
I right-clicked on the event log and viewed the properties to get the full name; yours would be:

Code:

/usr/local/nagios/libexec/check_nrpe -H X.X.X.X -c checkeventlog -a file=Microsoft-Windows-Diagnosis-PLA/Operational MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'informational'"

Re: monitor event logs under "applications and services logs

Posted: Tue Mar 01, 2016 11:33 am
by luffywallis
ssax wrote: I right-clicked on the event log and viewed the properties to get the full name; yours would be:

Code:

/usr/local/nagios/libexec/check_nrpe -H X.X.X.X -c checkeventlog -a file=Microsoft-Windows-Diagnosis-PLA/Operational MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'informational'"
Thank you ssax, that worked for me :)
I just want to ask about the messages received by mail in the Nagios notification: I want to add the details of the event log to the received mail. I tried the solution described here:
http://serverfault.com/questions/410020 ... tification
(config changed in /etc/nagios/misccommands.cfg). I rebooted the Nagios server, but that didn't work... any hint?

Re: monitor event logs under "applications and services logs

Posted: Tue Mar 01, 2016 4:05 pm
by rkennedy
Can you post your notify-service-by-email definition for us to look at?

Re: monitor event logs under "applications and services logs

Posted: Wed Mar 02, 2016 5:39 am
by luffywallis
rkennedy wrote: Can you post your notify-service-by-email definition for us to look at?
Okay, sorry, I was wrong. I'm using Centreon, so I had to change it through the Centreon interface. After doing that, LONGSERVICEOUTPUT has been added. This is the definition of notify-by-email:

Code:

/usr/bin/printf "%b" "***** centreon Notification *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $DATE$ Additional Info : $SERVICEOUTPUT$\n Description: $LONGSERVICEOUTPUT$" | /bin/mail -s "** $NOTIFICATIONTYPE$ alert - $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
But even with this, I'm not getting what I want. In fact, when I type the command directly on the server, this is what I get:

Code:

 ./check_nrpe -H hostname -c checkeventlog -a file=Microsoft-Windows-Diagnosis-PLA/Operational MaxWarn=1 MaxCrit=1 "filter=generated > -1m AND severity = 'informational' AND id=2031" unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
information: Microsoft-Windows-Diagnosis-PLA: Performance counter \ServiceModelOperation 4.0.0.0(xxxxxxxxxxxx|xxxx|)\Calls Duration has tripped its alert threshold. The counter value of 4.000038 is over the limit value of 1.000000. 1.000000 is the alert threshold value. (%count%)|'count'=6;1;1
But in the email notification, this is what I got:

Code:

***** centreon Notification *****

Notification Type: PROBLEM

Service: eventlog_service
Host: hostname
Address: hostname
State: CRITICAL

Date/Time: 02-03-2016 Additional Info : information: Microsoft-Windows-Diagnosis-PLA: Performance counter \ServiceModelOperation 4.0.0.0(xxxxxxxxxxxx|xxxx
 Description: 
How can I get this information "The counter value of 4.000038 is over the limit value of 1.000000. 1.000000 is the alert threshold value. (%count%)|'count'=6;1;1" into the mail notification?

Re: monitor event logs under "applications and services logs

Posted: Wed Mar 02, 2016 3:40 pm
by tmcdonald
I'm sorry, but we do not support Centreon or other competing software. You will need to visit their forums for support.