Trying to monitor Application events on a Windows server with NCPA, but the event shows different numbers on both sides, so the alert never goes off.
Windows Event Info:
Log Name: Application
Source: MSExchangeTransport
Event ID: 5016
Level: Error
Computer: XCH2.xxxx.com
NCPA WebPage Logs
NCPA Info:
"category": "4",
"severity": "ERROR",
"event_id": "267160",
"application": "MSExchangeTransport",
"computer_name": "XCH2.xxxx.com",
Any idea?
Events Monitor with ncpa shows different event number
Re: Events Monitor with ncpa shows different event number
What exact options are you selecting for the check? Please send the full check command so that we can guide you further.
What NCPA version is the remote system running?
Re: Events Monitor with ncpa shows different event number
The command
check_ncpa.py -H $HOSTADDRESS$ -t 'token' -P 5693 -M 'logs' -q 'name=Application,logged_after=30m,severity=ERROR,event_id=5016' -c 0
The windows Server
Windows 2012Server
6.2.9200
The ncpa
./check_ncpa.py -V
check_ncpa.py, Version 1.2.4
The client
Version 2.3.1
Re: Events Monitor with ncpa shows different event number
I labbed this up and I'm unable to replicate it.
Please SSH into the XI server, run this command, and send the full output:
- Change X.X.X.X and token
EDITED: Fixed the command
/usr/local/nagios/libexec/check_ncpa.py -H X.X.X.X -t 'token' -P 5693 -M 'logs' -q 'name=Application,logged_after=30m,severity=ERROR,event_id=5016' -c 0 -v
Re: Events Monitor with ncpa shows different event number
/check_ncpa.py -H xxxxxx.supreme.com -t 'xxxxx' -P 5693 -M 'logs' -q 'name=Application,logged_after=30m,severity=ERROR,event_id=5016' -c 0 -v
Connecting to: https://xxxxxx.supreme.com:5693/api/log ... nt_id=5016
File returned contained:
{
"returncode": 0,
"stdout": "OK: Application has 0 logs, Total Count has 0 logs (Time range - last 30 minutes) | 'Application'=0;;0; 'Total Count'=0;;0;\nApplication Logs\nTime: Computer: Severity: Event ID: Source: Message\n-----------------------------------\n"
}
OK: Application has 0 logs, Total Count has 0 logs (Time range - last 30 minutes) | 'Application'=0;;0; 'Total Count'=0;;0;
Application Logs
Time: Computer: Severity: Event ID: Source: Message
Re: Events Monitor with ncpa shows different event number
More info
If I go to the server like https://servername.domain.com:5693/api/ ... pplication I see logs from some minutes ago.
If I run your command with the number I see from the NCPA logs it works; the issue is that the number in the NCPA logs is different from the real Windows event.
"logs": [
{
"Application": [
{
"category": "4",
"severity": "ERROR",
"event_id": "267160",
"application": "MSExchangeTransport",
"computer_name": "servername.domain.com",
"message": "The Active Directory topology service could not discover any route to connector CN=RightFax Exchange Connector servername,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN= International,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=sdomain,DC=com in the routing tables with the timestamp 6/24/2021 6:27:52 PM. This connector will not be used.\r\n",
"time_generated": "06/24/21 14:27:53"
},
./check_ncpa.py -H servername.supreme.com -t 'token' -P 5693 -M 'logs' -q 'name=Application,logged_after=30m,severity=ERROR,event_id=267160' -c 0 -v
Connecting to: https://servername.supreme.com:5693/api ... _id=267160
File returned contained:
{
"returncode": 2,
"stdout": "CRITICAL: Application has 4 logs, Total Count has 4 logs (Time range - last 30 minutes) | 'Application'=4;;0; 'Total Count'=4;;0;\nApplication Logs\nTime: Computer: Severity: Event ID: Source: Message\n-----------------------------------\n06/24/21 14:27:53: servername.supreme.com: ERROR: 267160: MSExchangeTransport: The Active Directory topology service could not discover any route to connector CN=RightFax Exchange Connector
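An observation on the two numbers in this thread, added as an example and not part of any post: 267160 is 0x00041398, and its low 16 bits (0x1398) are 5016. Windows stores a 32-bit event identifier whose low 16 bits are the code Event Viewer displays, so the Python sketch below decodes the identifier and lists which raw event_id values to use in the -q filter. That NCPA is reporting the full identifier here is an inference from those two numbers; the function names and the second sample record are constructed.

```python
import json

# Constructed sample in the shape of the NCPA logs output quoted above
# (message omitted; the second record is invented for contrast).
SAMPLE = json.loads("""
{"logs": [{"Application": [
  {"category": "4", "severity": "ERROR", "event_id": "267160",
   "application": "MSExchangeTransport", "time_generated": "06/24/21 14:27:53"},
  {"category": "0", "severity": "ERROR", "event_id": "1000",
   "application": "Application Error", "time_generated": "06/24/21 14:20:00"}
]}]}
""")


def decode_event_identifier(raw):
    """Split a 32-bit Windows event identifier into its bit fields."""
    raw = int(raw) & 0xFFFFFFFF
    return {
        "severity": raw >> 30,            # bits 31-30
        "customer": (raw >> 29) & 0x1,    # bit 29
        "facility": (raw >> 16) & 0xFFF,  # bits 27-16
        "code": raw & 0xFFFF,             # bits 15-0: the ID Event Viewer shows
    }


def raw_ids_for_code(records, code, source=None):
    """Return the raw event_id strings whose low 16 bits equal `code`."""
    hits = set()
    for rec in records:
        if source and rec.get("application") != source:
            continue
        if decode_event_identifier(rec["event_id"])["code"] == code:
            hits.add(rec["event_id"])
    return sorted(hits, key=int)


if __name__ == "__main__":
    app_log = SAMPLE["logs"][0]["Application"]
    print(decode_event_identifier("267160"))
    for raw in raw_ids_for_code(app_log, 5016, "MSExchangeTransport"):
        print("use event_id=%s in the -q filter" % raw)
```
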
Re: Events Monitor with ncpa shows different event number
When I originally labbed this up I wasn't sure if you were talking about that interface so I checked there as well and it matched what mine was showing. See page 6 of this guide:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
I just labbed it up again and confirmed that the numbers match on my 2012R2 system using NCPA 2.3.1.
Please note that the Tail Event Logs functionality in the web UI will ONLY show events received since you opened the window. NCPA will use whatever your logged_after is set to, which in this case is 30 minutes back. If you log in to the system and count the event log entries in there (not using the NCPA web interface), do the counts match?
Re: Events Monitor with ncpa shows different event number
Hi
We are not using LDAP integration with Nagios. Do we need it to monitor events with NCPA?
I understand the event log is showing the last 30 minutes; my event count is always zero on the Nagios side because the event number does not match the Windows side.
Re: Events Monitor with ncpa shows different event number
Sorry about that, I posted the wrong link by mistake.
Please create a ticket for this and include a link back to this forum thread so we can get a remote session set up so I can analyze it further:
https://support.nagios.com/tickets/