NSClient++ Help (#1) - Problem with CheckEventLog (#309) - Message List

Problem with CheckEventLog

Hi,

I'm trying to get CheckEventLog working to pick out events of a certain ID that have occurred in the past 24 hours. So my command looks like:

CheckEventLog file=application MaxWarn=1 MaxCrit=1 filter+eventID==34114 filter+generated=<1d

This returns no events, even though I know there has been one in the last 24 hours. If I take the 'filter+generated=<1d' off the end, I get plenty of matches, so I know it's finding the right events.

What have I got wrong?

Thanks.

  • Message #930

    Whoops, my bad. I had the wrong EventID :(

    Related question though - how do I check for one of two eventIDs? ie. I want the filter to pick up events where the ID is either 34113 or 34114.

    • Message #931

      Depending on whether you use filter=in or filter=out.

      So first off that:

      Filter in/out

      There are two basic ways to filter:

      • in When you filter in it means all records matching your filter will be returned (the "simplest way")
      • out When you filter out it means all records matching your filter will be discarded.

      So:

      filter=in filter+eventType==warning
      ...
      filter=out filter-eventType==warning
      

      Will both have the same effect, as the first one filters "in" and matches all warnings and the second one filters out and discards all warnings. There is one very fundamental difference though: the first one will only return the warnings, whereas the second one will return all entries and all warnings.

      Then you just have several "filter-rules"... In this case I would do:

      filter=in filter-generated=>1d  filter+eventID==1 filter+eventID==2 filter+eventID==3
      

      This would throw away all "old" items, keep ONLY eventid=1, 2 or 3, and throw away everything else.

      MickeM

      • Message #939

        Thanks for that - think I've now got it working right.

        However if I run a command direct from the shell, I get a response such as:

        check_nrpe -H 192.168.190.20 -c CheckEventLog -a filter=new file=application MaxWarn=1 MaxCrit=1 filter=in filter-generated=\>1d filter+eventID==34113

        Backup Exec, eventlog: 1 > critical|'eventlog'=1;1;1;

        If I set this up as a command in Nagios, it shows as a state of WARNING and the Status Information is always (null).

        I've been also playing with the CheckServiceState command, and it returns a response like:

        OK: All services are running

        Which then appears in Nagios correctly.

        Is there something wrong in my CheckEventLog command that's making it return results Nagios doesn't understand?

        • Message #940

          Were I you I would also add the following:

          truncate=1023
          unique
          descriptions
          "syntax=%severity%: %source%: %message% (%count%)"
          

          Thus you end up with:

          filter=in filter-generated=>1d  filter+eventID==1 filter+eventID==2 filter+eventID==3 truncate=1023 unique descriptions  "syntax=%severity%: %source%: %message% (%count%)"
          

          Here truncate is important! (If you get a longer "response" the message will not pass through, as NRPE has a limitation.) The other ones will give you a nice "output". Beware that descriptions will make things "a bit slow", but unless you have a lot of hits not overly so.

          MickeM

          • Message #1055

            Doesn't seem to work so well for me :

            # ./check_nrpe -H 192.168.1.1 -c CheckEventLog -a filter=in file=application
            MaxWarn=1 MaxCrit=1 filter=in filter-generated=\>1d filter+eventID==250
            truncate=1023 unique descriptions  "syntax=%severity%: %source%: %message% (%count%)"
            

            RESULT:

            success: MR_MONITOR: Controller ID: 0 VD is now PARTIALLY DEGRADED VD 0. (1), eventlog: 1 > critical|'eventlog'=1;1;1;

            That seems to work GREAT!

            But if I do :

            ./check_nrpe -H 192.168.1.1 -c CheckEventLog -a filter=in file=application
            MaxWarn=1 MaxCrit=1 filter=in filter-generated=\>1d
            filter+eventID==250 filter+eventID==87
            truncate=1023 unique descriptions  "syntax=%severity%: %source%: %message% (%count%)"
            

            RESULT :

            Eventlog check ok|'eventlog'=0;1;1;

            It seems I can't monitor multiple eventIDs (in this case 87 and 250), can someone help?

            • Message #1056

              that is strange...

              MickeM

            • Message #1057

              Wait this is actually expected behavior when I think about it...

              (or apparently not expected behavior, as neither you nor I expected it, but the way it is designed :)

              Anyways there are 3 "kinds" of rules: -, + and .

              • - means if we hit, discard (rule is false)
              • - means if we miss, disregard and match all other rules.

              • + means if we miss, discard (rule is false)
              • + means if we hit, disregard and match all other rules. And this is the part I am not sure is so good.

              • . means if we hit, add the "line" as matched and continue checking all other rules.
              • . means if we miss, continue matching all other rules.

              So:

              • - (in this context: filter=in) means: discard when matched.
              • + (in this context: filter=in) means: discard when not matched.
              • . (in this context: filter=in) means: add if we hit.

              I don't know if this is the expected behavior; it always confuses me a bit and maybe I should just make the docs *a lot* more clear on this.

              Just to summarize: replace the +'s with .'s and it will work as expected...

              Michael Medin

              • Message #1059

                That seems to fix the problem for me! :)

                ./check_nrpe -H 192.168.1.1 -c CheckEventLog -a filter=in file=application MaxWarn=1 MaxCrit=1 filter=in filter-generated='<24h' filter.eventID==1085 filter.eventID==250 truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"

                Result : success: MR_MONITOR: Controller ID: 0 VD is now PARTIALLY DEGRADED VD 0. (1), error: Userenv: The Group Policy client-side extension Folder Redirection failed to execute. Please look for any errors reported earlier by that extension. (35), eventlog: 36 > critical|'eventlog'=36;1;1;

                This time I took 250 and 1085 (I know these events happened <24hrs ago).

                When I think about it after your suggestion, it's indeed very logical.

                Problem solved :)

        • Message #1076

          If I set this up as a command in Nagios, it shows as a state of WARNING and the Status Information is always (null).

          Hi,

          I have the same problem after upgrading my Opsview 2.14 server (Nagios 2.0) to 3.0.

          All other services are working fine but checkeventlog is working only in a terminal.

          Did you solve this issue ?

          Thanks.

          Regards.

          • Message #1205

            If I set this up as a command in Nagios, it shows as a state of WARNING and the Status Information is always (null).

            Hi,

            I have the same problem after upgrading my Opsview 2.14 server (Nagios 2.0) to 3.0.

            All other services are working fine but checkeventlog is working only in a terminal.

            Did you solve this issue ?

            Thanks.

            Regards.

            Hi,

            I have the same problem. CheckEventLog works fine with command line but doesn't work with nagios (Warning).

            Thanks

            • Message #1206

              Not sure I follow the conversation here; the above problems were not related to working in console vs service.

              Could you maybe explain your problem more?

              MickeM

              • Message #1210

                Problem solved.

                My definition of the command "check_nrpe" in Nagios was wrong.

                Thank you.

                AL

            • Message #1237

              I had a null warning when putting CheckEventLog in the commands definition, too. It's all fine after I put quotes around the time expression:

              e.g. (in Nagios definition) filter-generated='>3d'

              Tony
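              The quoting in the message above (and the \> escaping in message #939) matters because Nagios hands the command line to a shell, which reads an unquoted > as an output redirection. The following is an added example, not from the thread or from NSClient++, that makes this visible with a stand-in named fake_check_nrpe (my own helper that only echoes the arguments it receives; args_seen_unquoted and args_seen_quoted are likewise mine).

```sh
#!/bin/sh
# Added example: why an unquoted '>' in filter-generated=>1d breaks a check_nrpe
# command line once a shell parses it. fake_check_nrpe is a stand-in that only
# prints its arguments; it does not talk to NSClient++.

fake_check_nrpe() {
    echo "$*"
}

# Unquoted: the shell treats '>1d' as "redirect stdout to a file named 1d".
# The plugin receives a truncated 'filter-generated=' argument and its output
# lands in that file instead of reaching the caller, which is how the
# "(null)" status information in Nagios comes about.
args_seen_unquoted() {
    tmp=$(mktemp -d)
    ( cd "$tmp" && eval 'fake_check_nrpe -a filter=in filter-generated=>1d filter.eventID==250' )
    cat "$tmp/1d"        # what the plugin actually printed, captured in the stray file
    rm -rf "$tmp"
}

# Quoted, as in the Nagios definition above: the argument arrives intact and
# the plugin's output goes to stdout as intended.
args_seen_quoted() {
    eval "fake_check_nrpe -a filter=in filter-generated='>1d' filter.eventID==250"
}

echo "unquoted, plugin saw: $(args_seen_unquoted)"
echo "quoted,   plugin saw: $(args_seen_quoted)"
```

              Running it shows the unquoted form losing the >1d part of the argument entirely, while the quoted form passes filter-generated=>1d through unchanged.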
