Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

Monitoring and filtering windows event logs

https://support.nagios.com/forum/viewtopic.php?t=40342

Page 1 of 1

Monitoring and filtering windows event logs

Posted: Thu Sep 22, 2016 1:05 am
by Morello
Hi,

I am trying to monitor and filter windows event logs, i specificly need these below;

1. Events in the last hour
2. Security Related

I am trying this command but it does not give me any entry. Should i need more filtering here?

Code: Select all

check_nrpe -H IPAdress -p Portnumber -c CheckEventLog -a file=security MaxCrit=1 "filter=generated > -1h AND "
OK: No entries found|'count'=0;0;1
But when i used this below, i got some results. Is this correct usage?

Code: Select all

[root@ieiotlvm02 ~]# /usr/lib64/nagios/plugins/check_nrpe -H IP -p Port-c CheckEventLog -a file=security MaxCrit=1 "filter=generated > -2d"
Microsoft-Windows-Security-Auditing, Special privileges assigned to new logon.  Subject:  Security ID: S-1-5-18  Account Name: SYSTEM  Account Domain: NT AUTHORITY  Logon ID: 0x3E7  Privileges: SeAssignPrimaryTokenPrivilege   SeTcbPrivilege   SeSecurityPrivilege   SeTakeOwnershipPrivilege   SeLoadDriverPrivilege   SeBackupPrivilege   SeRestorePrivilege   SeDebugPrivilege   SeAuditPrivilege   SeSystemEnvironmentPrivilege   SeImpersonatePrivilege, Microsoft-Windows-Security-Auditing, An account was successfully logged on.  Subject:  Security ID: S-1-5-18  Account Name: X-2$  Account Domain: WORKGROUP  Logon ID: 0x3E7  Logon Type:  5  Impersonation Level: Impersonation  New Logon:  Security ID: S-1-5-18  Account Name: SYSTEM  Account Domain: NT AUTHORITY  Logon ID: 0x3E7  Logon GUID: {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID: 0x1d4  Process Name: C:\Windows\System32\services.exe  Network Information:  Workstation Name:  Source Network Address: -  Source Port: -  Detailed Au

Re: Monitoring and filtering windows event logs

Posted: Thu Sep 22, 2016 12:04 pm
by mcapra
How you configure the command is slightly different between NSClient++ versions. Can you share the output of:

Code: Select all

check_nrpe -H IPAddress

This worked for me against 0.4.4:

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H 192.168.67.99 -t 30 -c check_eventlog -a "file=security" "filter=written lt -2d"

Re: Monitoring and filtering windows event logs

Posted: Fri Sep 23, 2016 1:29 am
by Morello
Hi,

Here is the outputs,

Code: Select all

[root@localhost ~]# /usr/lib64/nagios/plugins/check_nrpe -H IP
I (0.4.4.19 2015-12-08) seem to be doing fine...

[root@localhost ~]# /usr/lib64/nagios/plugins/check_nrpe -H IP -t 30 -c check_eventlog -a "file=security" "filter=written lt -2d"
OK: No entries found|'count'=0;0;5
Thanks,
BR

Re: Monitoring and filtering windows event logs

Posted: Fri Sep 23, 2016 1:23 pm
by mcapra
Is seeing 0 security entries in the event log in the past 2 days an expected result?

Re: Monitoring and filtering windows event logs

Posted: Mon Sep 26, 2016 12:51 am
by Morello
No, it is not expected result because when i tried my old command like this below, i can see security events generated for the last 1 hour...

[root@host ~]# /usr/lib64/nagios/plugins/check_nrpe -H X.X.X.X -p XXXX -c CheckEventLog -a file=security MaxCrit=1 "filter=generated > -1h"
Microsoft-Windows-Security-Auditing, Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege, Microsoft-Windows-Security-Auditing, An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: X-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 5 Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Au

Thanks.

Re: Monitoring and filtering windows event logs

Posted: Mon Sep 26, 2016 2:29 pm
by tgriep
Can you provide more details on that you are looking for?
Are you looking to get an alert on the number of events in the security log in the last hour, day, etc...
There may be some examples on the NSClient.org file but the following link has some details on filtering.
http://docs.nsclient.org/0.4.2/referenc ... log.filter

Re: Monitoring and filtering windows event logs

Posted: Thu Sep 29, 2016 7:29 am
by Morello
Actually i was looking for the security logs themselved for the last 1 hour.

BR,
Utku

Re: Monitoring and filtering windows event logs

Posted: Thu Sep 29, 2016 4:25 pm
by mcapra
I'm a bit confused. The CheckEventLog function of NSClient++ wasn't really designed for just grabbing every single event on a Windows machine over a time period.

If you're interested in examining the last hours worth of event logs, what's stopping you from using something like Nagios Log Server? Could you shed a little more light on your use case?
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited