Event ID shows ok

Posted: Fri Nov 12, 2021 11:34 am
by sneha.irali
Hi Team,

I have configured the event ID on Nagios; however, I have the 41 event ID in the Windows event logs but I don't find it to be detected on Nagios.

Attaching the Nagios agent web GUI snap and windows event log snap, please review the same and let me know what changes I will have to make.

Re: Event ID shows ok although the event viewer has captured

Posted: Mon Nov 15, 2021 8:47 am
by sneha.irali
Hi Team,

Can I get an update here please.

Re: Event ID shows ok

Posted: Mon Nov 15, 2021 11:15 am
by gsmith
Hi,

I am looking at it. I see the same thing you do.

Looking for the cause and workarounds. Will let you know
when I find something.

Thanks!

Re: Event ID shows ok

Posted: Mon Nov 15, 2021 12:07 pm
by gsmith
Hi

I found it - the "Event Type" pull-down in the Configuration Wizard defaults to "Error",
it needs to be changed to "Any". I will file a bug report.

This command works if you test from the CLI:

[root@gs-rhel8-23-84 libexec]# /usr/local/nagios/libexec/check_ncpa.py -H 192.168.23.87 -t 'gjstoken' -P 5693  -M 'logs' -q 'name=System,logged_after=30m,event_id=41' -c 0
CRITICAL: System has 1 logs, Total Count has 1 logs (Time range - last 30 minutes) | 'System'=1;;0; 'Total Count'=1;;0;
System Logs
Time: Computer: Severity: Event ID: Source: Message
-----------------------------------
11/15/21 10:39:43: WIN-0V5RL4OT9C4: UNKNOWN: 41: Microsoft-Windows-Kernel-Power: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

But this doesn't (and it shouldn't):

/usr/local/nagios/libexec/check_ncpa.py -H 192.168.23.87 -t 'gjstoken' -P 5693  -M 'logs' -q 'name=System,logged_after=30m,severity=ERROR,event_id=41' -c 0
OK: System has 0 logs, Total Count has 0 logs (Time range - last 30 minutes) | 'System'=0;;0; 'Total Count'=0;;0;
System Logs
Time: Computer: Severity: Event ID: Source: Message
-----------------------------------

Neither does this, but it should:

[root@gs-rhel8-23-84 libexec]# /usr/local/nagios/libexec/check_ncpa.py -H 192.168.23.87 -t 'gjstoken' -P 5693  -M 'logs' -q 'name=System,logged_after=30m,severity=UNKNOWN,event_id=41' -c 0
OK: System has 0 logs, Total Count has 0 logs (Time range - last 30 minutes) | 'System'=0;;0; 'Total Count'=0;;0;
System Logs
Time: Computer: Severity: Event ID: Source: Message
-----------------------------------

Let me know if you are still having issues or if I can close this thread.

Thanks
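The filter behaviour gsmith describes above, modelled in Python as an added example (this is not NCPA's own code): the level-to-severity mapping, the sample System log records and the "current" time are constructed assumptions, and the severity filter is written the way gsmith says it should work, so severity=UNKNOWN does match a Critical (level 1) event 41.

```python
from datetime import datetime, timedelta

# Windows event Level -> severity label as shown in the thread's check output.
# Critical (level 1) has no mapping, which is why event 41 is listed as UNKNOWN.
LEVEL_TO_SEVERITY = {2: "ERROR", 3: "WARNING", 4: "INFORMATION"}
NOW = datetime(2021, 11, 15, 10, 45)  # constructed "current" time

# Constructed sample System log records (not captured data).
SYSTEM_LOG = [
    {"time": NOW - timedelta(minutes=6), "level": 1, "event_id": 41,
     "source": "Microsoft-Windows-Kernel-Power", "message": "The system has rebooted without cleanly shutting down first."},
    {"time": NOW - timedelta(minutes=20), "level": 2, "event_id": 7000,
     "source": "Service Control Manager", "message": "A service failed to start."},
    {"time": NOW - timedelta(hours=2), "level": 1, "event_id": 41,
     "source": "Microsoft-Windows-Kernel-Power", "message": "The system has rebooted without cleanly shutting down first."},
]

def parse_query(q):
    """'name=System,logged_after=30m,event_id=41' -> dict of filter names to values."""
    return dict(part.split("=", 1) for part in q.split(","))

def parse_duration(spec):
    """'30m' -> 30 minutes, '2h' -> 2 hours, '1d' -> 1 day."""
    units = {"m": "minutes", "h": "hours", "d": "days"}
    return timedelta(**{units[spec[-1]]: int(spec[:-1])})

def matching_events(log, query, now=NOW):
    """Return the records that pass every filter named in the query string."""
    q = parse_query(query)
    cutoff = now - parse_duration(q.get("logged_after", "1d"))
    hits = []
    for ev in log:
        severity = LEVEL_TO_SEVERITY.get(ev["level"], "UNKNOWN")
        if ev["time"] < cutoff or ("event_id" in q and ev["event_id"] != int(q["event_id"])):
            continue
        # The wizard's default Event Type "Error" becomes severity=ERROR here,
        # so a level-1 (Critical) event 41 never matches it.
        if "severity" in q and severity != q["severity"].upper():
            continue
        if "application" in q and q["application"] not in ev["source"]:
            continue
        if q.get("message", "*") != "*" and q["message"].lower() not in ev["message"].lower():
            continue
        hits.append(ev)
    return hits

def nagios_status(count, critical=0):
    """Plugin state for -c 0: more matches than the threshold is CRITICAL."""
    return "CRITICAL" if count > critical else "OK"
```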

Re: Event ID shows ok

Posted: Wed Nov 17, 2021 12:22 pm
by sneha.irali
This solution did work, but for event ID 41 the message was not captured as you have shown me in your lab results (can I know the reason for this? I have attached the snap). Also I have a few other queries listed below.

-----------------------First Question:-----------------------
I have a setup where my initially given check command works (has Nagios XI version 5.8.4 and Windows Event Log wizard 2.0.2) and it works well --> unsure how the service was created.

-t 'NagiosXI@SONY' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0


And on the existing one this command does not work (has Nagios XI version 5.8.5 and Windows Event Log wizard 2.0.2) --> created a service copy and punched in the Arg 1

-t 'AMSTKN@123' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0

-----------------------Second Question:-----------------------
I have SQL related Event IDs configured as below; do I need to re-configure them as I did for event ID 41?

-t 'NagiosXI@Strides' -M 'logs' -q 'name=Application,severity=WARNING,event_id=1619,application=MSSQLSERVER,message=*'

-----------------------Third Question-----------------------
What if I have the same event ID created for both critical and warning severity --> will this work if I configure them as I did for event ID 41?

-----------------------Fourth Question-----------------------

From which wizard or Nagios XI version has this bug been identified? I need a little more info on the bug.

Re: Event ID shows ok

Posted: Wed Nov 17, 2021 4:40 pm
by gsmith
Hi

My answers below in blue:

> This solution did work, but for event ID 41 the message was not captured as you have shown me in your lab results (can I know the reason for this? I have attached the snap). Also I have a few other queries listed below.

What Windows OS are you monitoring? What version of Nagios XI are you using?

> -----------------------First Question:-----------------------
> I have a setup where my initially given check command works (has Nagios XI version 5.8.4 and Windows Event Log wizard 2.0.2) and it works well --> unsure how the service was created.
>
> -t 'NagiosXI@SONY' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
>
> And on the existing one this command does not work (has Nagios XI version 5.8.5 and Windows Event Log wizard 2.0.2) --> created a service copy and punched in the Arg 1
>
> -t 'AMSTKN@123' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0

What is the error message you are getting from the server running Nagios XI 5.8.5?

> -----------------------Second Question:-----------------------
> I have SQL related Event IDs configured as below; do I need to re-configure them as I did for event ID 41?
>
> -t 'NagiosXI@Strides' -M 'logs' -q 'name=Application,severity=WARNING,event_id=1619,application=MSSQLSERVER,message=*'

This should be fine, as long as you are not using severity=CRITICAL, since it doesn't exist in Nagios XI. In my experience you really don't need to specify the severity if you have an event_id.

> -----------------------Third Question-----------------------
> What if I have the same event ID created for both critical and warning severity --> will this work if I configure them as I did for event ID 41?

I don't think event ID 41 ever gets a severity=WARNING; I believe it is always CRITICAL.

> -----------------------Fourth Question-----------------------
> From which wizard or Nagios XI version has this bug been identified? I need a little more info on the bug.

It has always been this way. If you use the Windows Event Log Config Wizard you will see that "CRITICAL" is not an option. I have requested it to be added.


Thanks

Re: Event ID shows ok

Posted: Thu Nov 18, 2021 11:30 am
by sneha.irali
here is the update:

> This solution did work, but for event ID 41 the message was not captured as you have shown me in your lab results (can I know the reason for this? I have attached the snap). Also I have a few other queries listed below.
>
> What Windows OS are you monitoring? What version of Nagios XI are you using?

ANS -- (has Nagios XI version 5.8.5 and Windows Event Log wizard 2.0.2), Windows 2012 R2 Standard

> -----------------------First Question:-----------------------
> I have a setup where my initially given check command works (has Nagios XI version 5.8.4 and Windows Event Log wizard 2.0.2) and it works well --> unsure how the service was created.
>
> -t 'NagiosXI@SONY' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
>
> And on the existing one this command does not work (has Nagios XI version 5.8.5 and Windows Event Log wizard 2.0.2) --> created a service copy and punched in the Arg 1
>
> -t 'AMSTKN@123' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41,application=Kernel-Power,message=rebooted' -c 0
>
> What is the error message you are getting from the server running Nagios XI 5.8.5?

ANS -- the snaps I attached initially to this post, where I have not mentioned the severity on the NCPA Agent GUI; however, Nagios XI still says OK and no errors are detected.

Re: Event ID shows ok

Posted: Fri Nov 19, 2021 11:15 am
by gsmith
Hi

I set up Nagios XI and Windows Server 2012 R2 systems, and now I see what you see, so it must be the
version of Windows that is limiting the message verbosity coming from the Event Log.
[root@localhost ~]# /usr/local/nagios/libexec/check_ncpa.py -H 192.168.23.96 -t 'gjstoken' -P 5693 -M 'logs' -q 'name=System,logged_after=30m,event_id=41' -c 0
CRITICAL: System has 1 logs, Total Count has 1 logs (Time range - last 30 minutes) | 'System'=1;;0; 'Total Count'=1;;0;
System Logs
Time: Computer: Severity: Event ID: Source: Message
-----------------------------------
11/19/21 10:00:42: WIN-ITFHFA2T3LE: UNKNOWN: 41: Microsoft-Windows-Kernel-Power:

[root@localhost ~]#

For your second question, please try the settings I am using (above) and see if that detects the event ID 41
entry in the System Log.

Please let me know the result.

Thanks