NSClient++ Help (#1) - CheckEventLog (#503) - Message List
Maybe I am not understanding this properly; some clarification would be greatly appreciated.
When I run this command from my Nagios server: check_nrpe -H <IP> -p 5666 -c CheckEventLog -a filter=new file=System MaxWarn=1 MaxCrit=2 filter-generated=\<5h filter-eventID==57 filter-eventType==warning filter=in filter=all
I get: Eventlog check ok|'eventlog'=0;1;2;
But in my event log I see two System logs showing warning with event ID 57 that occurred 2 hrs ago.
The nsc.ini file on the windows box has the following:
alias_event_log=CheckEventLog file=application file=system filter=new filter=out MaxWarn=1 MaxCrit=1 filter-generated=>2d filter-severity==success filter-severity==informational filter-severity==warning truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
I'm confused in regards to making the filter match. I want to be able to catch new IDs as they get logged. Any help would be greatly appreciated.
Message #1562
Now I usually need to think here but... If I am not totally lost, filter=in means you want to filter everything to be included. Thus filter=in without rules means you won't get anything, right?
Your rules:
- filter-generated=>2d says remove anything older than 2 days (nothing minus something is still nothing)
- filter-severity==success says remove all successes (nothing minus something is still nothing)
...
Thus you start with nothing and after removing a lot of things you end up with nothing. I think you want filter=out (i.e. remove the ones I don't want).
Michael Medin
mickem, 02/12/10 08:22:24 (3 years ago)
Message #1568
I believe the explanation confuses me a bit here. I looked at your examples and they look straight forward but I cannot get them to work in my setup. Perhaps another example would help?
Say we have an event which I know will show up in the windows System log that I want Nagios to alert us on.
|Type|Date|Time|Source|Category|Event|
|Error|2/16/2010|2:12:23|TermServDevices|None|1111|
What command would I need to add specifically to the nsc.ini and what check_nrpe command can I use to ensure that it is working?
marti2, 02/17/10 21:09:52 (3 years ago)
Message #1572
Something like this would do the trick just fine...
$USER1$/check_nrpe -t 60 -H $HOSTADDRESS$ -c CheckEventLog -a file=application file=system MaxWarn=$ARG1$ MaxCrit=$ARG2$ filter-generated=">1d" filter+eventType==error
What Mick is trying to say is that you filter out everything (filter=out) and then try to exclude all events older than 2 days (filter-generated=>2d).
Changing 'filter-generated=>2d' to 'filter+generated<=2d' should work...
mike2k, 02/18/10 08:09:45 (3 years ago)
Message #1584
Thank you. That cleared things up a bit. I did the following and this seems to be working, but I want to make sure I am understanding this properly.
In the NSC.ini file on the windows box I have the following:
check_eventlog=inject CheckEventLog System warn.require.eventType=error warn.require.eventType=warning critical.require.eventType=error critical.exclude.eventType=info truncate=1024 descriptions
alias_event_log=CheckEventLog file=system filter=new filter=in MaxWarn=1 MaxCrit=1 filter+generated=<2d filter-severity==success filter+severity==informational filter+severity==warning truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
The System log showed 2 error events on the following dates:
|Type|Date|Time|Source|Category|Event|
|Error|2/16/2010|1:30:49|TermServDevices|None|1111|
|Error|2/16/2010|2:12:23|TermServDevices|None|1111|
From the Nagios server I ran the following command looking for event ID 1111 in the System log that is filtering in logs generated in the last 2 days of event type error:
[marti@host]./check_nrpe -H IP -p 5666 -c CheckEventLog -a file=system filter+eventID==1111 MaxWarn=1 MaxCrit=1 filter+generated=\<2d filter+eventType==error
TermServDevices, TermServDevices, eventlog: 2 > critical|'eventlog'=2;1;1;
The result was what I was looking for. I then tried another event ID. The System log showed 1 error event on the following date:
|Type|Date|Time|Source|Category|Event|
|Error|2/17/2010|1:18:53|Service Control Manager|None|7022|
From the Nagios server I ran the following command looking for event ID 7022 in the System log that is filtering in logs generated in the last 2 days of event type error:
[marti@host]./check_nrpe -H IP -p 5666 -c CheckEventLog -a file=system filter+eventID==7022 MaxWarn=1 MaxCrit=1 filter+generated=\<2d filter+eventType==error
Service Control Manager, eventlog: 1 > critical|'eventlog'=1;1;1;
And another changing the critical value from 1 to 2
[marti@host]./check_nrpe -H IP -p 5666 -c CheckEventLog -a file=system filter+eventID==7022 MaxWarn=1 MaxCrit=2 filter+generated=\<2d filter+eventType==error
Service Control Manager, eventlog: 1 > warning|'eventlog'=1;1;2;
To further understand my question now is in the interpretation of the command listed in NSC.ini:
alias_event_log=CheckEventLog file=system filter=new filter=in MaxWarn=1 MaxCrit=1 filter+generated=<2d filter-severity==success filter+severity==informational filter+severity==warning truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
My understanding is that this command will dictate the area of matches in the logs on the windows client for any external query to nscpp. Breaking it down I've told it to match only System logs for newly included logs that are less than 2 days old that are informational and warning but discard any success. Note that I do not filter for error logs even though the events I am looking for are of type error.
I tried adding filter-severity==error but it had no effect in the above three tests which tells me that the other command listed below is in effect for the event type expressions.
check_eventlog=inject CheckEventLog System warn.require.eventType=error warn.require.eventType=warning critical.require.eventType=error critical.exclude.eventType=info truncate=1024 descriptions
What then is the alias doing? I apologize for the rambling but I want to show the thought process in order to further my understanding.
marti2, 02/18/10 19:49:22 (3 years ago)
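To make the in/out and filter+/filter- behaviour discussed in Mick's and mike2k's replies concrete, here is an added example that is not part of the thread and not NSClient++ code: a small Python model of the CheckEventLog filter chain and MaxWarn/MaxCrit thresholds, run against constructed events modelled on the ones marti2 listed. The semantics it encodes are assumptions reconstructed from the posts (filter=in starts with nothing selected and filter=out with everything; filter+ drops an event unless it matches, filter- drops it if it matches; a state fires once the count reaches the threshold, which is what "eventlog: 1 > critical" with MaxCrit=1 shows), not something taken from the NSClient++ source. The clock, the event list, the Disk and Application Error sources, and the treatment of severity as eventType are all invented for the example.

```python
"""Model of the NSClient++ 0.3.x CheckEventLog filter chain as this thread
explains it. Added example, not NSClient++ code: the semantics below are
assumptions reconstructed from the posts and checked against the outputs
marti2 quoted, not taken from the NSClient++ source."""
from datetime import datetime, timedelta

# Constructed clock: shortly after the last event so the 2d window still holds.
NOW = datetime(2010, 2, 18, 0, 30, 0)

# Constructed sample events modelled on the ones quoted in the thread.
EVENTS = [
    {"file": "system", "eventType": "error", "eventID": 1111,
     "source": "TermServDevices", "generated": datetime(2010, 2, 16, 1, 30, 49)},
    {"file": "system", "eventType": "error", "eventID": 1111,
     "source": "TermServDevices", "generated": datetime(2010, 2, 16, 2, 12, 23)},
    {"file": "system", "eventType": "error", "eventID": 7022,
     "source": "Service Control Manager", "generated": datetime(2010, 2, 17, 1, 18, 53)},
    {"file": "system", "eventType": "warning", "eventID": 57,       # the first post's event
     "source": "Disk", "generated": NOW - timedelta(hours=2)},
    {"file": "application", "eventType": "error", "eventID": 1000,  # old, should be dropped
     "source": "Application Error", "generated": NOW - timedelta(days=5)},
]

# The alias from the first post's nsc.ini, with its original filter=out.
ALIAS_EVENT_LOG = [
    "file=application", "file=system", "filter=new", "filter=out", "MaxWarn=1", "MaxCrit=1",
    "filter-generated=>2d", "filter-severity==success", "filter-severity==informational",
    "filter-severity==warning", "truncate=1023", "unique", "descriptions",
    "syntax=%severity%: %source%: %message% (%count%)",
]

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(text):
    """'2d', '5h' -> timedelta."""
    return timedelta(seconds=int(text[:-1]) * UNITS[text[-1]])


def parse_args(args):
    """Split the check_nrpe -a arguments into options and the ordered filter chain.
    filter=new/all, truncate, unique, descriptions and syntax are accepted but ignored."""
    opts = {"files": [], "filter": "out", "MaxWarn": None, "MaxCrit": None}
    chain = []
    for arg in args:
        if arg.startswith("filter") and arg[6:7] in ("+", "-"):
            key, expr = arg[7:].split("=", 1)              # 'eventID==1111' -> 'eventID', '=1111'
            chain.append((arg[6], key, expr[0], expr[1:]))  # (mode, key, op, value)
        elif arg.startswith("filter="):
            if arg[7:] in ("in", "out"):
                opts["filter"] = arg[7:]
        elif arg.startswith("file="):
            opts["files"].append(arg[5:].lower())
        elif arg.startswith(("MaxWarn=", "MaxCrit=")):
            name, value = arg.split("=", 1)
            opts[name] = int(value)
    return opts, chain


def rule_matches(event, key, op, value):
    """One rule against one event: generated=<2d is 'younger than 2 days',
    generated=>2d 'older than 2 days'; other keys compare case-insensitively."""
    if key == "severity":          # assumption: severity treated like eventType here
        key = "eventType"
    if key == "generated":
        age = NOW - event["generated"]
        return age < parse_duration(value) if op == "<" else age > parse_duration(value)
    return str(event[key]).lower() == value.lower()


def event_selected(event, filter_mode, chain):
    """Walk the chain in order. filter=in starts with nothing selected, filter=out
    with everything; filter+ drops the event unless it matches, filter- drops it
    if it matches. With filter=in and only filter- rules nothing is ever selected."""
    selected = filter_mode == "out"
    for mode, key, op, value in chain:
        hit = rule_matches(event, key, op, value)
        if mode == "-" and hit:
            return False
        if mode == "+":
            if not hit:
                return False
            selected = True
    return selected


def check_eventlog(args, events=EVENTS):
    """Evaluate one CheckEventLog call; returns (state, output) in the shape the
    thread's outputs show. A state fires once the count reaches its threshold."""
    opts, chain = parse_args(args)
    hits = [e for e in events
            if (not opts["files"] or e["file"] in opts["files"])
            and event_selected(e, opts["filter"], chain)]
    count, warn, crit = len(hits), opts["MaxWarn"], opts["MaxCrit"]
    perf = "'eventlog'=%d;%s;%s;" % (count, "" if warn is None else warn,
                                     "" if crit is None else crit)
    if crit is not None and count >= crit:
        state = "critical"
    elif warn is not None and count >= warn:
        state = "warning"
    else:
        return "ok", "Eventlog check ok|" + perf
    return state, "%s, eventlog: %d > %s|%s" % (
        ", ".join(e["source"] for e in hits), count, state, perf)


if __name__ == "__main__":
    # The first post: filter=in with only filter- rules matches nothing.
    print(check_eventlog(["file=System", "MaxWarn=1", "MaxCrit=2", "filter-generated=<5h",
                          "filter-eventID==57", "filter-eventType==warning", "filter=in"]))
    # Same intent with required rules: the warning from 2 hours ago is now counted.
    print(check_eventlog(["file=System", "MaxWarn=1", "MaxCrit=2", "filter=in",
                          "filter+eventID==57", "filter+generated=<5h"]))
    # marti2's working check for event 1111, then the nsc.ini alias as written.
    print(check_eventlog(["file=system", "filter+eventID==1111", "MaxWarn=1", "MaxCrit=1",
                          "filter+generated=<2d", "filter+eventType==error"]))
    print(check_eventlog(ALIAS_EVENT_LOG))
```

Running it reproduces the four results the thread reports: the first post's command returns 0 because filter=in with nothing but filter- rules can never select anything, the same event is counted as soon as the rules become filter+, marti2's 1111 check gives "2 > critical" with MaxCrit=1, and the alias with filter=out keeps the recent errors while dropping the warning and the 5-day-old application event.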
Message #1597
Marti - same problem I had. In the install there is a Nagios PDF file that goes over the setup that is really good.
on Nagios Server - no command file entries in Services: check_nrpe!alias_event_log
If you edit the nsc.ini - make sure you stop and restart the nsclientpp service
david.bruce, 02/22/10 21:22:31 (3 years ago)