Check Event Log Help Needed.

Posted: Mon Oct 02, 2017 8:41 pm
by kwhogster
Nagios Core 4.1
Nsclient 4.4.23
Windows 2008, Windows 2012 R2 and Windows 2016 Server

Using this command:

Code:

define command{
        command_name check_win_eventlog
        command_line $USER1$/ -H $HOSTADDRESS$ -s $ARG1$ -l $ARG2$ -t $ARG3$
}

Each server's config file entry:

Code:

define service {
        host_name               TGCS020-2016
        service_description     Check System Event Logs
        check_command           check_nrpe!check_eventlog -a file=System scan-range=-59m
        servicegroups           Event Logs
        check_interval          60
        check_period            backup_WIN16
        notification_period     backup_WIN16
        use                     generic-service
        }
define service {
        host_name               TGCS020-2016
        service_description     Check Application Event Logs
        check_command           check_nrpe!check_eventlog -a file=Application scan-range=-59m
        servicegroups           Event Logs
        check_interval          60
        check_period            backup_WIN16
        notification_period     backup_WIN16
        use                     generic-service
        }

I would like to filter out certain event errors. I get a lot of warnings that are not worth worrying about, for example:

Event id 157
WARNING: 4/4 System disk (Disk 2 has been surprise removed.), System disk (Disk 1 has been surprise removed.), System disk (Disk 2 has been surprise removed.), System disk (Disk 1 has been surprise removed.)

I get this on my Veeam Proxy servers and on the Veeam Server itself

I tried this:

Code:

check_command           check_nrpe!check_eventlog -a file=System scan-range=-59m "filter=id>157"

But then I get all the informational events showing as critical.

Any idea on how to filter out certain events? Am I on the right path?

Thank you,

Tom

Re: Check Event Log Help Needed.

Posted: Tue Oct 03, 2017 10:09 am
by scottwilkerson
I think what you want is something like this:

Code:

check_command           check_nrpe!check_eventlog -a file=System scan-range=-59m "filter=level = 'critical' "

https://docs.nsclient.org/reference/win ... non-errors

Re: Check Event Log Help Needed.

Posted: Tue Oct 03, 2017 8:04 pm
by kwhogster
Scott,

Thanks.

Can I filter the event ID also? If so, do you have an example?

Re: Check Event Log Help Needed.

Posted: Tue Oct 03, 2017 8:23 pm
by kwhogster
Scott

check_nrpe -t 50 -H TGCS006-2012R2 -c check_eventlog -a file=System scan-range=-5hr "filter=level = 41"

Does this do what I need?

Filter out all informational and critical?

If so, and I do this, then:

check_nrpe -t 50 -H TGCS006-2012R2 -c check_eventlog -a file=System scan-range=-5hr "filter=level = 41 and ID NOT Equal 157 "

I see the ID = 157, but how do I exclude it?

Re: Check Event Log Help Needed.

Posted: Wed Oct 04, 2017 4:22 pm
by scottwilkerson
You can do:

Code:

check_nrpe -t 50 -H TGCS006-2012R2 -c check_eventlog -a file=System scan-range=-5hr "filter=level = 41 and id IN ('157') "

Re: Check Event Log Help Needed.

Posted: Wed Oct 04, 2017 7:21 pm
by kwhogster

Code:

check_nrpe -t 50 -H TGCS006-2012R2 -c check_eventlog -a file=System scan-range=-5hr "filter=level = 41 and id IN ('157') "

Checked this out and it looks good.

How would I add another event ID, say Event ID 1, Event ID 20, Event ID 10, Event ID 157?

Other question:

Is my Filter=level = 41 correctly set up? I only want to post the errors and warnings, no other types. Does the 41 do that?



Thanks

Tom

Re: Check Event Log Help Needed.

Posted: Thu Oct 05, 2017 5:02 pm
by tgriep
I took a look at the examples on the NSClient++ site, and what the Level values really are is not defined, but there are some examples of what some of them mean.
Take a look here and search for Severity/Level/Error:
https://docs.nsclient.org/reference/win ... kEventLog/

For errors and warnings, you would change the level to 2 or 3 in the command.

If you want to add another ID to the command, I think all you would have to do is to add it to the check.

Code:

check_nrpe -t 50 -H TGCS006-2012R2 -c check_eventlog -a file=System scan-range=-5hr "filter=level = 41 and id IN ('157') and id IN ('1') and id IN ('20') and id IN ('10')"
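
Added example (not part of any post in this thread, and not NSClient++ code): the Python sketch below models the filter shapes discussed above as plain boolean predicates over constructed events, to show which events each shape selects and which ones an exclusion list hides. The event records, the level names and all function names are assumptions made for illustration.

```python
# Constructed sample events; IDs, levels and messages are illustrative only.
EVENTS = [
    {"id": 157, "level": "warning", "msg": "Disk 2 has been surprise removed."},
    {"id": 7036, "level": "informational", "msg": "constructed: service state change"},
    {"id": 10, "level": "error", "msg": "constructed: error A"},
    {"id": 20, "level": "warning", "msg": "constructed: warning B"},
    {"id": 1001, "level": "warning", "msg": "constructed: warning C"},
    {"id": 6008, "level": "error", "msg": "constructed: error D"},
]

ALERT_LEVELS = {"warning", "error"}   # assumed names for the levels to report
NOISY_IDS = {157, 1, 20, 10}          # IDs the thread wants to stop alerting on


def select(predicate, events=EVENTS):
    """Return the IDs of the events a filter predicate matches."""
    return [e["id"] for e in events if predicate(e)]


def id_above_157(e):
    # Shape of "filter=id>157": no level test, so any level can match.
    return e["id"] > 157


def chained_in(e):
    # Shape of "id IN (157) and id IN (1) and ...": one event has one ID,
    # so a conjunction of different single-ID tests can never be true.
    return all(e["id"] in {i} for i in NOISY_IDS)


def single_in(e):
    # Shape of "id IN (157, 1, 20, 10)": selects the noisy IDs, not the rest.
    return e["id"] in NOISY_IDS


def alert_without_noise(e):
    # Level restriction plus an explicit exclusion list.
    return e["level"] in ALERT_LEVELS and e["id"] not in NOISY_IDS


def suppressed(events=EVENTS):
    """Events hidden by the exclusion list, kept so they can be reviewed."""
    return [e["id"] for e in events
            if e["level"] in ALERT_LEVELS and e["id"] in NOISY_IDS]


if __name__ == "__main__":
    for f in (id_above_157, chained_in, single_in, alert_without_noise):
        print(f.__name__, select(f))
    print("suppressed", suppressed())
```

An ID-based exclusion applies to every event carrying that ID, so the `suppressed` list is worth reviewing from time to time to see what the filter hides.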

Re: Check Event Log Help Needed.

Posted: Thu Oct 05, 2017 9:34 pm
by kwhogster
I changed all my commands to:

filter=level = 23

Will post results.

Thanks

Tom

Re: Check Event Log Help Needed.

Posted: Fri Oct 06, 2017 8:26 am
by tgriep
OK, post your results.

Re: Check Event Log Help Needed.

Posted: Mon Oct 09, 2017 7:21 pm
by kwhogster
Seems to be working.

Let's lock this as resolved.

Thanks

Tom