Log Checks

Log Checks

Log checks allow you to query log files or Windows Event logs.

Checking log files can be a system intensive process, especially if you have a large log file that is being checked every five minutes. A better solution is to send the log file data to a central server and analyze the log data there. Nagios Log Server is the perfect solution for this and is strongly recommended over trying to check log files via a plugin or agent.

The sections below provide examples of how to perform log file checks using different methods.


Nagios Plugins

Nagios Plugins includes the check_log plugin. The plugin scans a log file and reports and matches to the query provided. Successive calls to the plugin will only report new pattern matches in the log file, since an copy of the log file from the previous run is saved to old_log_file.


./check_log -F /var/log/messages -O /var/log/messages_old -q 'Error'


(2) < Nov 27 16:09:45 xitest ndo2db: Error: Connection to MySQL database has been lost!


NPCA includes a logs module that currently only works for Windows Event logs. It does not provide any Linux support OR log files that are not part of the Event log system.

Here is an example query that:

./check_ncpa.py -H -t Str0ngT0k3n -M logs -q name=system,severity=warning,severity=error,severity=critical,logged_after=1h


OK: system has 0 logs, Total Count has 0 logs (Time range - last 1 hour) | 'system'=0;;; 'Total Count'=0;;;


The logs module has a lot of arguments available, this allows you to create more granular queries to meet your needs.

NSClient++ via check_nt

NSClient++ via check_nt does not include a log module.

NSClient++ via check_nrpe

NSClient++ includes two log checking methods.

Windows Event Logs

The check_eventlog module is specifically for the Windows Event Logs.

Here is an example query that:


./check_nrpe -H -c check_eventlog -a log=system scan-range=-1h


OK: No entries found|'problem_count'=0;0;0


The check_eventlog module has a lot of arguments available, this allows you to create more granular queries to meet your needs.

Willem D'Haese has a great guide titled "Real-time Eventlog Monitoring with NSClient", please refer to his article for information on Windows Event Log monitoring.



Log Files

The check_logfile module allows you to check file(s) on the system's disk.

The check_logfile module requires the module to be enabled in the nsclient.ini file, execute the following command in an Administrative command prompt:

cd "\Program Files\NSClient++\"
nscp settings --activate-module CheckLogFile --add-defaults
nscp service --restart


This examples shows how you can search a log file for the word Failed in each line. If more than 0 matches are found then it is in a critical state.


./check_nrpe -H -c check_logfile -a file="C:\\Logs\\server.log" filter="line like 'Failed'" top-syntax='${status}: ${count}/${total} matches' 'crit= count > 0'


CRITICAL: 8/17 matches|'count'=8;0;0


Check WMI Plus includes a checkeventlog module. Here is an example check that:


./check_wmi_plus.pl -H -u wmiagent -p Str0ngP@ssw0rd -m checkeventlog -a System -o 1,2 -3 1 -c 1


OK - 0 event(s) of Severity Level: "Error,Warning", were recorded in the last 1 hours from the System Event Log.|'Event Count'=0;1;


You will need to download a third party plugin that provides this functionality, please check out the Nagios Exchange.



Final Thoughts

For any support related questions please visit the Nagios Support Forums at:


Article ID: 787
Created On: Tue, Nov 28, 2017 at 4:44 PM
Last Updated On: Tue, Nov 28, 2017 at 4:44 PM
Authored by: tlea

Online URL: https://support.nagios.com/kb/article/log-checks-787.html