Hi Support Team,
We have a new monitoring request that has come in for XI. Here is the use case:
Monitor the DFS Replication log on MS Windows for 2 event IDs (2213 and 4012). This log file is found in Event Viewer under Applications and Services Log. We presently use check_wmi_plus from XI into our Windows server, and we have a few event IDs we are monitoring from Windows system logs but not specific application logs.
Is check_wmi_plus capable of monitoring specific application logs (non-system logs)? If so, do you have an example?
Many thanks as always,
brdr
check_wmi_plus monitor event id specific application
Re: check_wmi_plus monitor event id specific application
I don't have an example handy, or a lab setup, but the plugin's "help" section indicates you should be able to do this using the ARG1 value for the checkeventlog submode.
So in theory, you'd just supply Application for the ARG1 value instead of System. So if you're already capturing specific EventIDs, try altering your command to provide Application in ARG1. If you're still a bit unsure what to do or it doesn't seem to be working, please share the full command executed from the CLI of your Nagios XI machine (sanitized of WMI credentials if needed) with the debug flag -d present.
Code:
ARG1 Name of the log eg "System" or "Application" or any other Event log as shown in the Windows "Event Viewer". You may also use a comma delimited list to specify multiple event logs. You can also specify event log names using the wildcard character % eg system,app%,%shell%. Default is system
...
to report all errors (1) that got logged in the past 24 hours in the System event log use:
-a System -3 24
Former Nagios employee
https://www.mcapra.com/
Re: check_wmi_plus monitor event id specific application
I found some examples from the check_wmi_plus plugin's web site you may be interested in.
Check the system event log for the last 1 hour for warnings and errors
Code:
check_wmi_plus.pl -H HOST -u USER -p PASS -m checkeventlog
Output : OK - 0 event(s) of at least Severity Level "Error", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;
Check the Application event log for errors only (hence the -o 2) for the past 4 hours
Code:
check_wmi_plus.pl -H HOST -u USER -p PASS -m checkeventlog -a application -o 2 -3 4
Output : OK - 0 event(s) of at least Severity Level "Warning", were recorded in the last 4 hours from the application Event Log.|'Event Count'=0;
For more examples, take a look here.
http://edcint.co.nz/checkwmiplus/?q=faq ... mmandlines
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: check_wmi_plus monitor event id specific application
thx folks. Will try these out this week and circle back with ya'
Re: check_wmi_plus monitor event id specific application
Sounds good, we'll keep an eye out.
Thank you
Re: check_wmi_plus monitor event id specific application
Getting back to testing for event detection...
I found this plugin 'check_wmi_eventid_1.4' in Nagios Exchange to use for event checking...
https://exchange.nagios.org/directory/P ... MI/details
I had to make a couple of minor tweaks but this plugin is nice!
If I want to check for informational event ID 16028 in the Application log file with a source of MSExchangeTransport over the last day, I issue the command:
./check_wmi_eventid -H dummy_host -u domain/user -p password -e 16028 -w 1 -c 3 -t 3 -m1440 -d -l Application -S MSExchangeTransport
Cheers
Re: check_wmi_plus monitor event id specific application
Thanks for posting that you found something that works for you.
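For the DFS Replication use case in the original post, the following added example (not from the thread or from either plugin) shows the kind of WQL query over the standard WMI class Win32_NTLogEvent that an event-ID check like this comes down to, together with Nagios-style threshold handling. The function names, the thresholds, and the assumption that the log is named "DFS Replication" exactly as shown in Event Viewer are illustrative.

```python
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes


def build_wql(logfile, event_ids, hours, source=None, now=None):
    """Build a WQL query over Win32_NTLogEvent for one log and a set of event IDs."""
    for text in (logfile, source):
        # Reject WQL string metacharacters rather than trying to escape them.
        if text and ("'" in text or "\\" in text):
            raise ValueError(f"unsafe character in {text!r}")
    ids = sorted({int(e) for e in event_ids})  # int() rejects non-numeric IDs
    if not ids:
        raise ValueError("at least one event ID is required")
    since = (now or datetime.now(timezone.utc)) - timedelta(hours=hours)
    # CIM datetime format: yyyymmddHHMMSS.mmmmmm+UUU (UTC offset in minutes)
    cim = since.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.%f") + "+000"
    where = [
        f"Logfile = '{logfile}'",
        "(" + " OR ".join(f"EventCode = {i}" for i in ids) + ")",
        f"TimeGenerated > '{cim}'",
    ]
    if source:
        where.append(f"SourceName = '{source}'")
    return ("SELECT EventCode, SourceName, TimeGenerated "
            "FROM Win32_NTLogEvent WHERE " + " AND ".join(where))


def evaluate(count, warn, crit, logfile, hours):
    """Map a matching-event count to a Nagios exit code and status line."""
    code = CRITICAL if count >= crit else WARNING if count >= warn else OK
    state = ("OK", "WARNING", "CRITICAL")[code]
    line = (f"{state} - {count} matching event(s) in the last {hours} hours "
            f"from the {logfile} Event Log.|'Event Count'={count};{warn};{crit}")
    return code, line


if __name__ == "__main__":
    # Event IDs from the original post; log name assumed to match Event Viewer.
    print(build_wql("DFS Replication", [2213, 4012], hours=24))
    # Constructed result: pretend the query returned 2 rows.
    print(evaluate(2, warn=1, crit=3, logfile="DFS Replication", hours=24)[1])
```

The count passed to `evaluate` is the number of rows the query returns; the status line follows the `'Event Count'` perfdata style of the plugin output quoted earlier in the thread.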