NCPA Windows Event Log

Posted: Tue Jul 16, 2024 3:51 pm
by logisbk
I'm seeing a similar issue to this: viewtopic.php?t=64444 but there isn't a solution.

I'm testing with the NCPA API Endpoint using the log name Laserfiche-Directory Service-Server/Operational and I'm looking for EventID 22.

./check_ncpa.py -H <hostname> -P 5693 -t '<your token>' -M 'logs' -q 'name=Laserfiche-Directory Service-Server/Operational,logged_after=4w,event_id=22'

It returns: stdout": "OK: Laserfiche-Directory Service-Server/Operational has 0 logs, Total Count has 0 logs (Time range - last 4 weeks)

but I can look at the logs and see EventID 22 within the past 4 weeks.

Re: NCPA Windows Event Log

Posted: Tue Jul 16, 2024 5:00 pm
by ajcoil
Hello @logisbk,

Thank you for reaching out, and I am sorry to hear you are having issues with the check_ncpa plugin.

Have you attempted to use "%4" in place of the "/" character in your name string?

Windows sees the use of the "/" character as illegal when it comes to naming.


Do keep us updated on what you find!

Re: NCPA Windows Event Log

Posted: Wed Jul 17, 2024 2:01 pm
by logisbk
Yes, I tried that with the same results.

./check_ncpa.py -H <hostname> -P 5693 -t '<your token>' -M 'logs' -q 'name=Laserfiche-Directory Service-Server%4Operational,logged_after=4w,event_id=22'

Re: NCPA Windows Event Log

Posted: Wed Jul 17, 2024 4:34 pm
by ssunga
Have you tried the following:
  • Double-check that the exact log name "Laserfiche-Directory Service-Server/Operational" exists on the target system. Sometimes log names can be slightly different than expected.
  • Try running the check without the event_id and logged_after filters to see if it returns any results:

    ./check_ncpa.py -H <hostname> -P 5693 -t '<your token>' -M 'logs' -q 'name=Laserfiche-Directory Service-Server%4Operational'
  • To isolate whether this is an NCPA issue or a more general problem, you could try querying the same log using PowerShell on the target machine:

    Get-WinEvent -LogName "Laserfiche-Directory Service-Server/Operational" -MaxEvents 1

Re: NCPA Windows Event Log

Posted: Thu Jul 18, 2024 7:36 am
by logisbk
Yes, the name is correct. If I run it in PowerShell it works:

Get-WinEvent -LogName "Laserfiche-Directory Service-Server/Operational" -MaxEvents 1
The result is

   ProviderName: Laserfiche-Directory Service-Server

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
7/18/2024 2:18:09 AM            19 Information      Audit records trimming for 'xx' finished
If I only use the log name in NCPA API "Laserfiche-Directory Service-Server/Operational" - it returns events that aren't in that log. For example,

 "Laserfiche-Directory Service-Server/Operational": [
                {
                    "category": "0",
                    "severity": "INFORMATION",
                    "event_id": "9027",
                    "application": "Desktop Window Manager",
                    "computer_name": "<hostname>",
                    "message": "",
                    "time_generated": "07/18/24 07:25:55"
                },
That is under Windows Logs > Application.

I can even put in "Random" for the Log name and it returns the same result as above. Why is it pulling that result if there is no log named that? If it can't find the log name it just returns results from the Windows Application log?

Re: NCPA Windows Event Log

Posted: Thu Jul 18, 2024 7:46 am
by logisbk
I have not got the check to work with ANY log that is within a folder. It seems to only work with log names at the root level. You can put in any name you like and it won't error, it will just give you the events from the first log, which is the Application log under Windows Logs.

This leads me to think that the code is doing something similar to the Get-EventLog PowerShell command, which only gives those root level logs, whereas Get-WinEvent can get everything.

Re: NCPA Windows Event Log

Posted: Fri Jul 19, 2024 11:11 am
by bbahn
Hello @logisbk,

There has been an issue filed here: https://github.com/NagiosEnterprises/ncpa/issues/1185 and this will be resolved at the earliest opportunity. I will also take a look at the accuracy of NCPA's log grabbing. I have made an issue for that here: https://github.com/NagiosEnterprises/ncpa/issues/1186.

What version of Windows and what version of NCPA are you using? I haven't encountered this issue.

Re: NCPA Windows Event Log

Posted: Mon Jul 22, 2024 8:15 am
by UnicornsandKittens
I did some testing and these are my findings:

Logs are stored at:
C:\Windows\System32\winevt\Logs

Examples:
Intel-GFX-Info%4Application.evtx
Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
Microsoft-Windows-WinRM%4Operational.evtx

Copy the Filename from here as Log Name, without .evtx

At https://localhost:5693/api/logs?name=
%4F is interpreted as O > check fails (resembles a hex value, https://bytetool.web.app/en/ascii/code/0x4f/): Security%4Firewall is changed to SecurityOirewall
%4A is interpreted as J > check fails (resembles a hex value, https://bytetool.web.app/en/ascii/code/0x4a/): Info%4Application is changed to InfoJpplication
%4O seems to be parsed correctly > check is successful, although its location is shown as a subfolder by the Event Log
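The three cases above can be reproduced with nothing but the Python standard library's percent-decoding. The script below is an added illustration, not code from NCPA or check_ncpa.py: the evtx file names are constructed samples, channel_from_evtx() turns an on-disk name back into a channel name, naive_decode() shows what a web server receives when the raw file name is pasted into ?name=, and ncpa_logs_query() builds a query value whose slash is sent as %2F so it decodes back to the exact channel name.

```python
from urllib.parse import quote, unquote

# Constructed sample file names, modelled on C:\Windows\System32\winevt\Logs.
# Windows cannot put '/' in a file name, so a channel's '/' is stored on disk
# as the literal three characters '%4'.
SAMPLE_EVTX = [
    "Intel-GFX-Info%4Application.evtx",
    "Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx",
    "Microsoft-Windows-WinRM%4Operational.evtx",
]


def channel_from_evtx(filename: str) -> str:
    """Recover the Event Log channel name from an .evtx file name."""
    base = filename[:-5] if filename.lower().endswith(".evtx") else filename
    return base.replace("%4", "/")


def naive_decode(raw_name: str) -> str:
    """What the server sees if the on-disk name is pasted into ?name= unchanged.

    '%4A' and '%4F' are valid percent-escapes (0x4A = 'J', 0x4F = 'O') and get
    decoded; '%4O' is not valid hex and passes through untouched, which is why
    only that case appears to work.
    """
    return unquote(raw_name)


def is_mangled(raw_name: str) -> bool:
    """True when sending raw_name as-is would change it on the server side."""
    return naive_decode(raw_name) != raw_name


def ncpa_logs_query(channel: str) -> str:
    """Build the /api/logs query with the channel name fully percent-encoded.

    safe="" forces '/' to '%2F' and ' ' to '%20', so the server decodes the
    value back to the exact channel name rather than a mangled one.
    """
    return "name=" + quote(channel, safe="")


if __name__ == "__main__":
    for f in SAMPLE_EVTX:
        raw = f[:-5]
        print(f"{raw!r} decodes as {naive_decode(raw)!r} (mangled={is_mangled(raw)})")
        print("  safe query:", ncpa_logs_query(channel_from_evtx(f)))
```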

Re: NCPA Windows Event Log

Posted: Wed Jul 24, 2024 4:34 pm
by jmichaelson
It's possible the %4 isn't correct. Can you try with %2F (the forward slash) or %3c (a backslash)?

Re: NCPA Windows Event Log

Posted: Fri Jul 26, 2024 8:54 am
by logisbk
@UnicornsandKittens when I used %40 it translates as '@' -- which is consistent with UTF-8

@jmichaelson the %2F does appear to translate correctly, but the correct logs still don't show; it still shows the events from the Windows Application log.


The name of the Log File I am testing with is Laserfiche-Directory Service-Server%4Operational.evtx

:5693/api/logs?name=Laserfiche-Directory Service-Server%2FOperational

{
"logs": [
{
"Laserfiche-Directory Service-Server/Operational": [
{
"category": "0",
"severity": "INFORMATION",
"event_id": "9027",
"application": "Desktop Window Manager",