Windows Event log id monitoring

Posted: Fri Nov 18, 2016 2:15 pm
by Naveed
Hi,

I am monitoring Windows event log IDs from Nagios XI.

Is there any way to monitor more than one event ID in one service? A few of my services depend on 2 different event IDs. Whenever those 2 IDs are observed in the logs, I need to restart my services.

For one event ID I am using the command below and it's working fine.

check_nrpe!CheckEventLog!-a file=application MaxWarn=1 MaxCrit=2 "filter=generated > -10m AND id='10100'"!!!!!!

Please guide.

Thanks

Re: Windows Event log id monitoring

Posted: Fri Nov 18, 2016 2:38 pm
by rkennedy
I don't think this is going to be possible, you'll need to set up individual checks for each event ID you'd like to monitor.

Re: Windows Event log id monitoring

Posted: Mon Nov 28, 2016 6:53 am
by Naveed
Thanks

Re: Windows Event log id monitoring

Posted: Mon Nov 28, 2016 3:57 pm
by rkennedy
No problem - did you have further questions or are we good to mark this thread as resolved?

Re: Windows Event log id monitoring

Posted: Mon Nov 28, 2016 6:16 pm
by ruffsense
Write a PowerShell script. Something like this.

Code:

function check_eventid()
{
    # Look back 10 minutes from now
    $date = (Get-Date).AddMinutes(-10)
    # Keep System log entries newer than $date whose ID is 16 or 35 (an OR match)
    Get-EventLog -LogName system -After $date | Where-Object { $_.EventID -eq 16 -or $_.EventID -eq 35 } | Select-Object EventID, EntryType, Message
}

Change the 16 and 35 to the event IDs you want to find.

Re: Windows Event log id monitoring

Posted: Tue Nov 29, 2016 5:25 pm
by avandemore
@Naveed do you consider this issue resolved?

You can find more information here:
https://docs.nsclient.org/0.4.4/
https://assets.nagios.com/downloads/nag ... ios-XI.pdf

Re: Windows Event log id monitoring

Posted: Fri Dec 02, 2016 1:12 pm
by Naveed
Thank you very much!

function check_eventid()
{
$date=(Get-Date).AddMinutes(-10)
get-eventlog -logname system -after $date | ?{$_.eventid -eq "16" -or $_.eventid -eq "35"} | select EventID,EntryType,Message
}


Will the above function check either 16 or 35, or will it check both IDs at the same time?

Will the AND operator work for this function?

Re: Windows Event log id monitoring

Posted: Fri Dec 02, 2016 1:29 pm
by rkennedy
It will check for either ID at the same time.

The AND operator will not work because an event ID is only going to have one value, since they are unique to the issue.

Re: Windows Event log id monitoring

Posted: Sun Dec 04, 2016 5:12 pm
by ruffsense
Here you go.

Code:

function check_eventid()
{
    # Arguments, in order: window in minutes, log name, first event ID, second event ID
    [int]$time     = $args[0]
    [string]$event = $args[1]
    [int]$eventid1 = $args[2]
    [int]$eventid2 = $args[3]
    $date = (Get-Date).AddMinutes(-$time)
    # Entries newer than $date whose ID is either of the two (an OR match)
    $log = Get-EventLog -LogName $event -After $date | Where-Object { $_.EventID -eq $eventid1 -or $_.EventID -eq $eventid2 }
    if ($log) {
        $log | ForEach-Object { Write-Output "CRITICAL status – EventID = $($_.EventID), $($_.TimeGenerated)" }
        exit 2   # returns CRITICAL status
    }
    else {
        Write-Output "OK status – There are no events with your eventID"
        exit 0   # returns OK status
    }
}

How to run: check_eventid 10 system 1 19

10 = time in minutes
system = which log
1 = event ID
19 = event ID

Good luck

Re: Windows Event log id monitoring

Posted: Mon Dec 05, 2016 4:20 pm
by ssax
Just as an FYI, you can monitor multiple event IDs in one service, but it will do an OR, so it will alert if either is present (but not both):

Code:

check_nrpe!CheckEventLog!-a file=application MaxWarn=1 MaxCrit=2 "filter=generated > -10m AND id IN (8224,17137)"!!!!!!
Do you need to restart it only if both are present OR restart it if either message is present?


Thank you
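The thread leaves the "either vs. both" question open: the NSClient++ `id IN (...)` filter and the check_eventid function above both fire when any listed ID appears, and a per-event filter cannot match two IDs because each event carries exactly one. The "both IDs observed" case can still be checked by collecting the matching events over the window and then testing the set of IDs seen. The script below is an added example, not code from this thread or from NSClient++; the parameter names, the script name and the -Mode Any/All switch are my own choices, the IDs 8224 and 17137 are just the ones used in the filter above, and the exit codes 0/2/3 follow the usual Nagios plugin convention.

```powershell
# check_eventids.ps1 (added example, not from the thread)
# Report CRITICAL when event IDs from a list appear in a Windows event log within a window.
#   -Mode Any : CRITICAL if at least one listed ID is present (same as "id IN (...)")
#   -Mode All : CRITICAL only when every listed ID is present in the window; this is
#               evaluated over the set of matching events, since no single event has two IDs
param(
    [Parameter(Mandatory = $true)][int[]]$EventId,   # e.g. 8224,17137
    [string]$LogName = 'Application',
    [int]$Minutes = 10,
    [ValidateSet('Any', 'All')][string]$Mode = 'Any'
)

function Get-EventIdStatus {
    param([int[]]$EventId, [string]$LogName, [int]$Minutes, [string]$Mode)

    # Fail loudly (UNKNOWN) if the log does not exist, instead of silently reporting OK
    $null = Get-WinEvent -ListLog $LogName -ErrorAction Stop

    $since = (Get-Date).AddMinutes(-$Minutes)
    # One query for all IDs. Get-WinEvent writes a non-terminating error when nothing
    # matches; that is the normal OK case here, so it is silenced.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId; StartTime = $since } `
                             -ErrorAction SilentlyContinue)

    $seen    = @($events | Select-Object -ExpandProperty Id -Unique | Sort-Object)
    $missing = @($EventId | Where-Object { $seen -notcontains $_ })

    $fire = switch ($Mode) {
        'Any' { $seen.Count -gt 0 }
        'All' { $missing.Count -eq 0 }
    }

    if ($fire) {
        $detail = ($events | Sort-Object TimeCreated |
                   ForEach-Object { "$($_.Id)@$($_.TimeCreated.ToString('HH:mm:ss'))" }) -join ', '
        return @{ Code = 2; Text = "CRITICAL - $Mode of ID $($EventId -join ',') matched in $LogName in last $Minutes min: $detail" }
    }
    if ($Mode -eq 'All') {
        return @{ Code = 0; Text = "OK - not all of ID $($EventId -join ',') in $LogName in last $Minutes min (missing: $($missing -join ','))" }
    }
    return @{ Code = 0; Text = "OK - none of ID $($EventId -join ',') in $LogName in last $Minutes min" }
}

try {
    $r = Get-EventIdStatus -EventId $EventId -LogName $LogName -Minutes $Minutes -Mode $Mode
    Write-Output $r.Text
    exit $r.Code
}
catch {
    # Missing log, access denied, etc. map to UNKNOWN rather than a misleading OK
    Write-Output "UNKNOWN - $($_.Exception.Message)"
    exit 3
}
```

Run it as, for example, `powershell.exe -ExecutionPolicy Bypass -File check_eventids.ps1 -EventId 8224,17137 -LogName Application -Minutes 10 -Mode All`, and wire it into Nagios as an external script in NSClient++ (see the NSClient++ documentation linked above). With `-Mode All` the check goes CRITICAL only once both IDs have appeared inside the same 10-minute window, which is the condition the original question describes; `-Mode Any` reproduces the OR behaviour of the `id IN (...)` filter. The output line lists each matching ID with its time so the event that triggered the restart can be found in the log afterwards.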