NSClient++ Help (#1) - CheckEventLog filtering out by message string (#691) - Message List
I'm enjoying using the new syntax for CheckEventLog thanks. Unfortunately I'm stuck trying to monitor some MYSQL events.
I'm trying the following:
alias_CheckEventLog_MSSQL=CheckEventLog file=application debug=true MaxWarn=1 MaxCrit=1 "filter=source like 'MSSQL' AND generated gt -30m AND severity NOT IN ('success', 'informational') AND message NOT LIKE 'Overdue FTP Manager Jobs'" truncate=800 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
Granted, the documentation doesn't say it's possible to do "NOT LIKE", but is there some way I can do this?
If I run the check_nrpe command from the command line on the Nagios server like so:
$ /usr/local/nagios/etc/objects$ /usr/local/nagios/libexec/check_nrpe \
-H 10.37.1.5 -c alias_CheckEventLog_MSSQL
I get:
(6), eventlog: 6 > critical|'eventlog'=6;1;1; State: 1 DB_NAME: Acme-AppStatusReport?
Which is nearly right, but it's still picking up the messages I want to filter out.
The content of the message in the error log is:
Error: 1000000 Severity: 16 State: 1 DB_NAME: Acme-AppStatusReport? Check 1 - Overdue FTP Manager Jobs
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---
I've worked around this by using the old syntax, but if it's possible to use the new syntax that would be nice as it's more intuitive.
Using the old syntax:
Event_MSSQL=inject CheckEventLog filter=new file=application MaxWarn=1 MaxCrit=2 filter+generated=<30m filter+eventSource=substr:MSSQL filter-message=substr:Overdue filter+eventType==error truncate=64 descriptions "syntax=%severity%: %source%: %message% (%count%)"
thanks in advance,
Jim
-
Message #1985
p.s. Sorry I forgot to mention, I'm using NSClient++ 0.3.8.76 2010-05-27 64-bit.
averyjim 10/28/10 12:22:49 (3 years ago) -
Message #1997
Hey,
I've got the same problems here... I am using the 0.3.8.76 too (32 & 64bit versions)
I found out that you just can filter messages with the complete text from your eventlog.
Example: This works: 'Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted'
This doesn't work: 'Windows cannot determine the user or computer name.'
If you want to filter out a message with dynamic fields (like hostnames or something) or messages with line breaks, you have no chance with the new syntax.
Does anybody know a solution for this?
PS: I've already tried using wildcards like * or %, still doesn't work...
ReVoL 11/22/10 09:35:08 (2 years ago) -
Message #2013
Just a heads-up that I am looking into it.
The grammar says so you can "NOT" anything, but there is indeed no "not like" operator.
So the quick fix ought to be the slightly arcane:
source like 'MSSQL' AND generated gt -30m AND severity NOT IN ('success', 'informational') AND NOT message LIKE 'Overdue FTP Manager Jobs'
Which of course is NOT really the same thing but maybe close enough for you to work with?
I shall see if I can't add a proper operator for not like though. Also regexp and such are in the pipe but it is a bit of a bother to play with the grammar so might take me a while.
Michael Medin
mickem 12/14/10 07:12:11 (2 years ago) -
Message #2016
Next nightly build (out in a day or so) will fix this issue. Two things are (BTW) wrong here:
- like is small letter (like) not capital ones (LIKE).
This I fixed by adding a check for "rest" when parsing so now your expression will yield:
CheckEventLog file=Application "filter=generated gt -600m AND message LIKE 'Click2Run'" ...
WARNING:Parsing failed: AND message LIKE 'Click2Run'
- A new operator "not like" has been added, being the reverse of like and used like so:
CheckEventLog file=Application "filter=generated gt -600m AND message not like 'Click2Run'" ...
All in all you can do the following:

CheckEventLog file=Application "filter=generated gt -600m" "syntax=%message%" MaxWarn=1 descriptions
CurrentSoftGridPrereq: Click2Run ... machine; skipping installation..., eventlog: 3 > warning|'eventlog'=3;1;0

CheckEventLog file=Application "filter=generated gt -600m AND message like 'Click2Run'" "syntax=%message%" MaxWarn=1 descriptions
CurrentSoftGridPrereq: Click2Run... machine; skipping installation..., eventlog: 2 > warning|'eventlog'=2;1;0

CheckEventLog file=Application "filter=generated gt -600m AND message not like 'Click2Run'" "syntax=%message%" MaxWarn=1 descriptions
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted., eventlog: 1 > warning|'eventlog'=1;1;0

CheckEventLog file=Application "filter=generated gt -600m AND message LIKE 'Click2Run'" "syntax=%message%" MaxWarn=1 descriptions
WARNING:Parsing failed: AND message LIKE 'Click2Run'
Michael Medin
mickem 12/14/10 21:29:47 (2 years ago)
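Added example, not part of the thread and not NSClient++ code: a toy filter parser in Python that shows why the missing check for unparsed "rest" let the excluded messages through in the first post, and what the check changes. The grammar, the substring meaning of like, the names parse_filter and count_alerts, and the sample events are all assumptions made for illustration.

```python
import re

# Toy grammar (assumption): clauses joined by AND, each either
#   <field> like '<text>'   or   <field> not like '<text>'
# Keywords are case-sensitive, as described in the thread; "like" is
# treated as a substring match for this illustration.
CLAUSE = r"(\w+)\s+(not like|like)\s+'([^']*)'"
FIRST = re.compile(r"\s*" + CLAUSE)
NEXT = re.compile(r"\s+AND\s+" + CLAUSE)

# Constructed sample events (not real log data).
EVENTS = [
    {"source": "MSSQLSERVER", "message": "Check 1 - Overdue FTP Manager Jobs"},
    {"source": "MSSQLSERVER", "message": "Constructed: backup job failed"},
    {"source": "Outlook", "message": "Constructed: unrelated event"},
]

def parse_filter(expr, check_rest=True):
    """Parse expr into (field, operator, text) clauses.

    check_rest=False models a parser that stops at the first token it
    cannot parse and silently keeps the clauses read so far.
    """
    clauses, pos = [], 0
    m = FIRST.match(expr, pos)
    while m:
        clauses.append(m.groups())
        pos = m.end()
        m = NEXT.match(expr, pos)
    rest = expr[pos:].strip()
    if rest and check_rest:
        raise ValueError("Parsing failed: " + rest)
    return clauses

def count_alerts(expr, events, check_rest=True):
    """Count events that satisfy every parsed clause."""
    clauses = parse_filter(expr, check_rest)
    def keep(event):
        return all((text in event.get(field, "")) == (op == "like")
                   for field, op, text in clauses)
    return sum(keep(e) for e in events)

BAD = "source like 'MSSQL' AND message NOT LIKE 'Overdue FTP Manager Jobs'"
GOOD = "source like 'MSSQL' AND message not like 'Overdue FTP Manager Jobs'"

if __name__ == "__main__":
    print(count_alerts(BAD, EVENTS, check_rest=False))  # remainder ignored
    print(count_alerts(GOOD, EVENTS))                   # exclusion applied
    try:
        count_alerts(BAD, EVENTS)
    except ValueError as err:
        print("WARNING:" + str(err))
```

Without the rest check the exclusion clause is dropped and the check still returns a result, so a monitoring filter can look valid while alerting on the wrong set of events.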








