NSClient++ Help (#1) - CheckEventLog and non-standard event log names (#408) - Message List
Greetings,
I'm having an issue getting access to certain logs with odd names on SBS 2008. I'm seeing the exact 'idiotic' behavior described in the documentation when it cannot find the log file (defaulting to Application).
Here is the name of the event log I am trying to access (this is where POP3 Connector failures are logged, which I'm attempting to monitor):
Microsoft-Windows-Small Business Server/Operational?
I've tried using the following values for file:
file="Microsoft-Windows-Small Business Server/Operational?"
file="Microsoft-Windows-Small Business Server%40Operational"
I tried the %40 because that is in the actual name of the .evt on the filesystem.
Regardless, neither way worked. Also, debug logs didn't provide any extra info.
Any ideas?
Thanks.
-
Message #1243
I'm having a similar problem, trying to check logs like "Directory Service". I have eventlog checking working for Application and System, but checking logs with spaces in their names is something I haven't been able to get working yet. I've tried quotes to no avail.
janetsullivan 06/24/09 19:36:51 (4 years ago) -
Message #1249
Which version is this?
In "newer" versions the name should be looked up properly, so it should work. / and \ should not have an impact.
Looking up eventlog names is done in two ways:
- Look up the string given DisplayNameFile and DisplayNameID from:
  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\*
- Open the eventlog given its name (if this is not successful, Application will be opened instead). The name of the eventlog is given by the key under:
  HKLM\SYSTEM\CurrentControlSet\Services\EventLog
So if this fails, try looking in the registry under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, identify the log you want, and check what the key name is and what the DisplayNameFile and DisplayNameId are (and let me know).
Michael Medin
mickem 07/05/09 14:20:46 (4 years ago) -
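The two lookup steps described in the reply above can be reproduced on the monitored host to see which logs a registry-based lookup will find and which it will miss. The following PowerShell is an added example, not NSClient++ code: it enumerates the classic EventLog keys with their DisplayNameFile/DisplayNameID values, then lists the logs the Event Log service exposes that have no such key. Logs in the second list (newer channels such as the SBS ones, which Windows registers under WINEVT\Channels instead) are the ones that cannot be found through HKLM\SYSTEM\CurrentControlSet\Services\EventLog. Resolving DisplayNameFile/DisplayNameID to the localized display string is left out; the raw values are shown instead.

```powershell
# Added example (not NSClient++ code). Run in Windows PowerShell on the host
# whose event logs you want to monitor.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# Step 1: enumerate the classic log keys and their DisplayNameFile / DisplayNameID
# values. The key name is what OpenEventLog expects; DisplayName* only matter
# when a check is given the localized display name instead of the key name.
$classic = foreach ($key in Get-ChildItem -Path $base) {
    $props = Get-ItemProperty -Path $key.PSPath
    [pscustomobject]@{
        KeyName         = $key.PSChildName
        DisplayNameFile = $props.DisplayNameFile   # $null when the log has no localized name
        DisplayNameID   = $props.DisplayNameID
        File            = $props.File
    }
}
"Logs registered under $base :"
$classic | Format-Table -AutoSize

# Step 2: logs the Event Log service knows about but which have no classic key.
# A lookup that walks only the registry above will never find these and, as the
# thread describes, falls back to Application.
$all = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue
$unregistered = $all | Where-Object { $classic.KeyName -notcontains $_.LogName }
'Logs with no key under the classic EventLog registry path:'
$unregistered | Select-Object LogName, LogFilePath, RecordCount | Format-Table -AutoSize
```

Compare the LogName column of the second table with the file parameter you are passing to CheckEventLog; a name that only appears there will not resolve through the registry path the check uses.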
Message #1258
Ahh, well that explains why NSClient++ isn't finding the logs I want. There are a bunch of 'special' event logs in SBS 2008 that are simply not referenced in the registry at all.
In the end I will probably just roll my own Python WMI-client based script to check these mysterious event logs found only in SBS. I checked a vanilla Windows 2008 Server box, and there are no event logs not found in the registry.
Software versions: Windows Small Business Server 2008, NSClient++ 0.3.6 (x64)
borkins 07/07/09 16:45:39 (4 years ago) -
Message #1261
Hmm, you can try to specify the absolute path of the .evt file if you want. Another option is to add the log files (this can be done from the Computer Management console), after which they will be found.
MickeM
mickem 07/08/09 08:54:51 (4 years ago) -
Message #1765
Hi (I don't know if you prefer continuing in old threads or starting a new one referring to the old thread?),
I have sort of the same problem here. I use the new 3.8.70 version. I want to check the backup eventlog on an SBS 2008 server. That eventlog isn't listed in the registry under HKLM/System/CCS/Eventlog etc., but the file is there in between the default ones (C:\Windows\System32\winevt\logs\Microsoft-Windows-Backup.evtx).
When I try the following command:
checkeventlog file="C:\windows\system32\winevt\logs\Microsoft-Windows-Backup.evtx" filter+generated=>1d MaxWarn=1 MaxCrit=5 "filter=source = 'Backup'" truncate=800 unique descriptions "syntax=%strings%: (%count%)"
I get the following messages:
debug:modules\CheckEventLog\CheckEventLog.cpp:671: Filter: + {timeGenerated max 1d }
debug:modules\CheckEventLog\CheckEventLog.cpp:693: Using: where source = 'Backup'
debug:modules\CheckEventLog\CheckEventLog.cpp:344: Parsing: source = 'Backup'
debug:modules\CheckEventLog\CheckEventLog.cpp:352: Parsing succeeded: {tbd}op:=({tbd}:source, {tbd}'Backup')
debug:modules\CheckEventLog\CheckEventLog.cpp:359: Type resolution succeeded: {bool}op:=({string}:source, {string}'Backup')
debug:modules\CheckEventLog\CheckEventLog.cpp:366: Binding succeeded: {bool}op:=({string}:source, {string}'Backup')
debug:modules\CheckEventLog\CheckEventLog.cpp:373: Static evaluation succeeded: {bool}op:=({string}:source, {string}'Backup')
debug:modules\CheckEventLog\CheckEventLog.cpp:700: Boot time: 160
debug:modules\CheckEventLog\CheckEventLog.cpp:484: Attempting to match: Toepassing with "C:\windows\system32\winevt\logs\Microsoft-Windows-Backup.evtx
debug:modules\CheckEventLog\CheckEventLog.cpp:484: Attempting to match: DFS Replication with "C:\windows\system32\winevt\logs\Microsoft-Windows-Backup.evtx
debug:modules\CheckEventLog\CheckEventLog.cpp:484: Attempting to match: Directoryservice with "C:\windows\system32\winevt\logs\Microsoft-Windows-Backup.evtx
debug:modules\CheckEventLog\CheckEventLog.cpp:484: Attempting to match: DNS-server with "C:\windows\system32\winevt\logs\Microsoft-Windows-Backup.evtx
debug:modules\CheckEventLog\CheckEventLog.cpp:484: Attempting to match: File Replication-service with "C:\windows\system32\winevt\logs\Microsoft-Windows-Backup.evtx
debug:modules\CheckEventLog\CheckEventLog.cpp:484: Attempting to match: Hardwaregebeurtenissen with "C:\windows\system32\winevt\logs\Microsoft-Windows-Backup.evtx
debug:modules\CheckEventLog\CheckEventLog.cpp:484: Attempting to match: Beveiliging with "C:\windows\system32\winevt\logs\Microsoft-Windows-Backup.evtx
debug:modules\CheckEventLog\CheckEventLog.cpp:484: Attempting to match: Systeem with "C:\windows\system32\winevt\logs\Microsoft-Windows-Backup.evtx
debug:modules\CheckEventLog\CheckEventLog.cpp:793: Evaluation time: 4830
debug:NSClient++.cpp:1142: Injected Result: OK 'Eventlog check ok'
debug:NSClient++.cpp:1143: Injected Performance Result: ''eventlog'=0;1;5; '
What I understand is that it SHOULD be possible to define a specific eventlog by its registry value OR by its filename... or can't I?
Mark
MarkV74 05/21/10 12:32:27 (3 years ago) -
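The debug output above shows the check matching the supplied path only against the classic logs it found in the registry (Application, DFS Replication, Directory Service, and so on) and never opening the Backup channel, which is why it reports OK with a count of 0. The following PowerShell is an added example, not NSClient++ code, that retrieves what the checkeventlog command was asking for: events from the Microsoft-Windows-Backup channel over the last day, filtered by source, summarised one line per distinct message, and scored against the same MaxWarn=1 / MaxCrit=5 thresholds with NRPE-style exit codes. The channel name, file path, source filter and thresholds are taken from the post; treating "Max" as "more than the threshold" is an assumption, as is the provider name 'Backup', which the script lists so it can be corrected if the channel uses a different one.

```powershell
# Added example (not NSClient++ code). Requires Windows PowerShell on the SBS host.
$since   = (Get-Date).AddDays(-1)      # filter+generated=>1d
$maxWarn = 1                           # MaxWarn=1 (assumed: warn when count exceeds this)
$maxCrit = 5                           # MaxCrit=5 (assumed: critical when count exceeds this)
$source  = 'Backup'                    # "filter=source = 'Backup'" (assumed provider name)
$logName = 'Microsoft-Windows-Backup'
$logPath = 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-Backup.evtx'

# Prefer the live channel by name; fall back to the .evtx file from the post,
# which is the "absolute path" route mentioned earlier in the thread.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    $events = @(Get-WinEvent -FilterHashtable @{ Path = $logPath; StartTime = $since } -ErrorAction SilentlyContinue)
}

# Show which provider names actually occur in the window, so the 'source' filter
# can be matched to the channel's real provider rather than guessed.
'Providers seen in the last day:'
$events | Group-Object ProviderName | Select-Object Name, Count | Format-Table -AutoSize

# Apply the source filter from the command.
$matched = @($events | Where-Object { $_.ProviderName -eq $source })

# "unique descriptions" + "syntax=%strings%: (%count%)" + truncate=800:
# one line per distinct message, truncated, with how often it occurred.
$summary = $matched | Group-Object Message | ForEach-Object {
    $text = if ($_.Name) { $_.Name.Substring(0, [Math]::Min(800, $_.Name.Length)) } else { '<no message>' }
    '{0}: ({1})' -f $text, $_.Count
}

# Nagios/NRPE exit codes: 0 OK, 1 WARNING, 2 CRITICAL.
$count = $matched.Count
if     ($count -gt $maxCrit) { $state = 2; $label = 'CRITICAL' }
elseif ($count -gt $maxWarn) { $state = 1; $label = 'WARNING' }
else                         { $state = 0; $label = 'OK' }

"$label - $count '$source' events in $logName in the last day|'eventlog'=$count;$maxWarn;$maxCrit;"
$summary
exit $state
```

If the provider table shows the channel's events under a name other than 'Backup' (new-style channels often use the full provider name), set $source to that value; the rest of the logic is unchanged. The exit code and the trailing performance data follow the same 'eventlog'=count;warn;crit; layout that appears in the debug output above, so the script can be dropped in as an external check while the native CheckEventLog path is sorted out.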