Monitoring Windows Event Logs
Posted: Tue Jan 17, 2012 4:30 am
by aap
Hi,
Does anybody have any experience of using Nagios to monitor Windows event logs? We are currently using the Windows Event Log Config wizard but are unable to get any information from the configured servers.
Currently getting "OK: No data received yet" on all the logs and nothing is reported.
Any ideas and suggestions are welcome.
Re: Monitoring Windows Event Logs
Posted: Tue Jan 17, 2012 6:27 am
by SDohmen
I am not sure if you have done this but we do it as follows:
On the server which needs to be monitored we install NSClient++.
In the nsc.ini from the client we add something like:
event_id_1=CheckEventLog file=system debug=true MaxWarn=1 MaxCrit=1 "filter=generated gt -30d AND id IN (1) AND source IN ('Microsoft-Windows-Kernel-General','Microsoft-Windows-WHEA-Logger','Microsoft-Windows-DiskDiagnostic','Microsoft-Windows-CorruptedFileRecovery-Client') AND type IN ('warning', 'error')" truncate=800 unique descriptions "syntax=%id%: (%count%)"
event_id_2=CheckEventLog file=system debug=true MaxWarn=1 MaxCrit=1 "filter=generated gt -30d AND id IN (2) AND source IN ('Microsoft-Windows-CorruptedFileRecovery-Client','dmboot') AND type IN ('warning', 'error')" truncate=800 unique descriptions "syntax=%id%: (%count%)"
Then we add a service which uses check_nrpe with event_id_# as argument.
I hope this helps.
Re: Monitoring Windows Event Logs
Posted: Tue Jan 17, 2012 10:02 am
by aap
We are using the plugin that requires the NagEventLog addon agent. It requires us to configure NSCA.
Do you know if we also require the NSClient?
Re: Monitoring Windows Event Logs
Posted: Tue Jan 17, 2012 12:37 pm
by lmiltchev
Re: Monitoring Windows Event Logs
Posted: Wed Jan 18, 2012 2:04 am
by SDohmen
aap wrote: We are using the plugin that requires the NagEventLog addon agent. It requires us to configure NSCA.
Do you know if we also require the NSClient?
NSCA is a part of the NSClient++ package as well, but I believe there is a separate NSCA package also. The downside of NSCA, however, is that the checks are passive and not active, which we prefer in our environment. Both should be fine, however, for logging the event logs.
Re: Monitoring Windows Event Logs
Posted: Wed Jan 18, 2012 4:33 am
by aap
@lmiltchev Yes, I am using this one. Installation is fine; however, I get the "No check results for service yet... " message even when an error log is generated. I can successfully send a test log from the monitored server but the Nagios server does not seem to be picking it up.
I have done everything as listed in the install document but to no avail.
Any ideas where I'm going wrong? My implementation is on CentOS 6 and Nagios XI 2011R1.8
Re: Monitoring Windows Event Logs
Posted: Wed Jan 18, 2012 10:51 am
by scottwilkerson
Let's check
Admin -> Monitoring Config -> Unconfigured Objects to make sure they aren't showing up under a different hostname.
If that is empty, let's do the following from the Nagios XI server to see if we can spot any errors from NSCA or xinetd
Re: Monitoring Windows Event Logs
Posted: Wed Jan 18, 2012 11:06 am
by aap
Hi,
Think I spotted something. Here goes...
nsca[4274]: Received invalid packet type/version from client - possibly due to client using wrong password or crypto algorithm?
xinetd[24853]: EXIT: nsca status=0 pid=4274 duration=1(sec)
Any ideas?
Re: Monitoring Windows Event Logs
Posted: Wed Jan 18, 2012 11:13 am
by scottwilkerson
Yep, make sure in Admin -> Check Transfers -> Inbound Transfers -> NSCA Tab
you select the same encryption method and use the same password as on the Windows machine when you click the NSCA Daemons button on the Nagios EventLog Service Control Manager
Re: Monitoring Windows Event Logs
Posted: Fri Jan 20, 2012 9:49 am
by aap
Hi,
All is working fine now. The issue was related to the configuration of the agent. Configured with the FQDN of the server matching the Nagios server and ensured that the encryption algorithm was the same (not sure why this changed) and all is working OK.
Thanks
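The nsca message quoted in the thread identifies the rejecting process only by PID, not by the sender whose password or encryption method is mismatched. The following is an added example, not part of the thread, that correlates those messages with xinetd START lines to name the sender; the sample log is constructed, and the `START: nsca pid=... from=...` line is an assumption that holds only when xinetd's `log_on_success` includes HOST and PID.

```python
import re
from collections import Counter

# Constructed sample syslog. Only the "Received invalid packet" and "EXIT"
# message formats come from the thread; the START lines assume xinetd logs
# HOST and PID on connection start. Addresses are documentation-range values.
SAMPLE_LOG = """\
Jan 18 11:01:02 nagios xinetd[24853]: START: nsca pid=4274 from=::ffff:192.0.2.10
Jan 18 11:01:02 nagios nsca[4274]: Received invalid packet type/version from client - possibly due to client using wrong password or crypto algorithm?
Jan 18 11:01:03 nagios xinetd[24853]: EXIT: nsca status=0 pid=4274 duration=1(sec)
Jan 18 11:02:10 nagios xinetd[24853]: START: nsca pid=4275 from=::ffff:192.0.2.20
Jan 18 11:02:11 nagios xinetd[24853]: EXIT: nsca status=0 pid=4275 duration=1(sec)
Jan 18 11:03:40 nagios xinetd[24853]: START: nsca pid=4280 from=::ffff:192.0.2.10
Jan 18 11:03:40 nagios nsca[4280]: Received invalid packet type/version from client - possibly due to client using wrong password or crypto algorithm?
Jan 18 11:03:41 nagios xinetd[24853]: EXIT: nsca status=0 pid=4280 duration=1(sec)
Jan 18 11:05:00 nagios nsca[4300]: Received invalid packet type/version from client - possibly due to client using wrong password or crypto algorithm?
"""

START_RE = re.compile(r"xinetd\[\d+\]: START: nsca pid=(\d+) from=(\S+)")
BAD_RE = re.compile(r"nsca\[(\d+)\]: Received invalid packet type/version")
EXIT_RE = re.compile(r"xinetd\[\d+\]: EXIT: nsca .*?pid=(\d+)")


def rejected_senders(log_text):
    """Return {source address: count of NSCA packets rejected as invalid}."""
    pid_to_addr = {}
    rejected = Counter()
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            addr = m.group(2)
            if addr.startswith("::ffff:"):  # IPv4-mapped IPv6 form
                addr = addr[len("::ffff:"):]
            pid_to_addr[m.group(1)] = addr
            continue
        m = BAD_RE.search(line)
        if m:
            # No START line seen for this PID: report it rather than guess.
            rejected[pid_to_addr.get(m.group(1), "unknown")] += 1
            continue
        m = EXIT_RE.search(line)
        if m:
            pid_to_addr.pop(m.group(1), None)  # PIDs are reused over time
    return dict(rejected)


if __name__ == "__main__":
    for addr, count in sorted(rejected_senders(SAMPLE_LOG).items()):
        print(f"{addr}: {count} rejected NSCA packet(s)")
```

A sender that appears here needs its NSCA password and encryption method compared against the Nagios server's inbound NSCA settings, as described in the replies above.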