NSClient++ Help (#1) - checkeventlog general inquiry (#759) - Message List
nsclient 0.3.8.75 - Windows 2008
My check:
alias_event_Bwar=CheckEventLog file='C:\Windows\System32\winevt\Logs\JScheduler.evtx' debug=true MaxWarn=1 MaxCrit=1 "filter=severity = 'warning' AND generated gt -15m" truncate=800 unique descriptions "syntax=%message% (%count%)"
Note: I get the same result if I enclose my path to the .evtx file in quotes, as well as if I leave it by name Jscheduler.
The result (also note, there is nothing but warning messages in the JScheduler event log, reporting every 3-5 minutes):
d NSClient++.cpp(1106) Injecting: alias_event_Bwar:
d NSClient++.cpp(1106) Injecting: CheckEventLog: file='C:\Windows\System32\winevt\Logs\JScheduler.evtx', debug=true, MaxWarn=1, MaxCrit=1, filter=severity = 'warning' AND generated gt -15m, truncate=800, unique, descriptions, syntax=%message% (%count%)
d \CheckEventLog.cpp(671) Filter:
d \CheckEventLog.cpp(693) Using: where severity = 'warning' AND generated gt -15m
d \CheckEventLog.cpp(344) Parsing: severity = 'warning' AND generated gt -15m
d \CheckEventLog.cpp(352) Parsing succeeded: {tbd}op:and({tbd}op:=({tbd}:severity, {tbd}'warning'), {tbd}op:>({tbd}:generated, {tbd}fun:neg({tbd}fun:convert({tbd} { {tbd}#15, {tbd}'m', } ))))
d \CheckEventLog.cpp(359) Type resolution succeeded: {bool}op:and({bool}op:=({ui:1}:severity, {ui:1}fun:auto_convert({string}'warning')), {bool}op:>({date}:generated, {date}fun:neg({date}fun:convert({tbd} { {tbd}#15, {tbd}'m', } ))))
d \CheckEventLog.cpp(366) Binding succeeded: {bool}op:and({bool}op:=({ui:1}:severity, {ui:1}fun:bound:auto_convert({string}'warning')), {bool}op:>({date}:generated, {date}fun:bound:neg({date}fun:bound:convert({tbd} { {tbd}#15, {tbd}'m', } ))))
d \CheckEventLog.cpp(373) Static evaluation succeeded: {bool}op:and({bool}op:=({ui:1}:severity, {ui:1}#2), {bool}op:>({date}:generated, {date}#1300996606))
d \CheckEventLog.cpp(700) Boot time: 4080
d \CheckEventLog.cpp(484) Attempting to match: Application with 'C:\Windows\System32\winevt\Logs\JScheduler.evtx'
d \CheckEventLog.cpp(484) Attempting to match: Hardware Events with 'C:\Windows\System32\winevt\Logs\JScheduler.evtx'
d \CheckEventLog.cpp(484) Attempting to match: Security with 'C:\Windows\System32\winevt\Logs\JScheduler.evtx'
d \CheckEventLog.cpp(484) Attempting to match: System with 'C:\Windows\System32\winevt\Logs\JScheduler.evtx'
d \CheckEventLog.cpp(793) Evaluation time: 4910210
d NSClient++.cpp(1142) Injected Result: OK 'Eventlog check ok'
d NSClient++.cpp(1143) Injected Performance Result: ''eventlog'=0;1;1; '
d NSClient++.cpp(1142) Injected Result: OK 'Eventlog check ok'
d NSClient++.cpp(1143) Injected Performance Result: ''eventlog'=0;1;1; '
It's as if the check can only read Application, Security, Hardware Events or System logs. Is that the case? If so, is there any way to make it read non-standard Windows event logs?
Thanks in advance!
Message #2113
It cannot read arbitrary files. But it can read all registered eventlogs.
In other words all these logs:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
Michael Medin
mickem 03/24/11 21:40:45 (2 years ago)
Message #2114
Yes, I understood that to be the case from the documentation, however - it does not appear to be doing that. I would paste a screenshot of my registry if it were possible. My list at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog includes:
- Application
- HardwareEvents
- Internet Explorer
- Jscheduler
- Key Management Service
- Security
- System
- Windows PowerShell
Do you know why it is not reading/parsing all the registered eventlogs?
bbackstrom 03/24/11 21:50:07 (2 years ago)
Message #2115
Your command should in that case be:
CheckEventLog "file=JScheduler" debug=true MaxWarn=1 MaxCrit=1 "filter=severity = 'warning' AND generated gt -15m" truncate=800 unique descriptions "syntax=%message% (%count%)"
There is an option to use "description" as well...
Michael Medin
mickem 03/25/11 09:04:22 (2 years ago)
Message #2117
Changed my command - saved - stopped and restarted nsclient service.
alias_event_Bwar=CheckEventLog "file=JScheduler" debug=true MaxWarn=1 MaxCrit=1 "filter=severity = 'warning' AND generated gt -15m" truncate=800 unique descriptions "syntax=%message% (%count%)"
Still only seems to parse the 4 standard Windows logs?:
d NSClient++.cpp(1106) Injecting: alias_event_Bwar:
d NSClient++.cpp(1106) Injecting: CheckEventLog: file=JScheduler, debug=true, MaxWarn=1, MaxCrit=1, filter=severity = 'warning' AND generated gt-15m, truncate=800, unique, descriptions, syntax=%message% (%count%)
d \CheckEventLog.cpp(671) Filter:
d \CheckEventLog.cpp(693) Using: where severity = 'warning' AND generated gt -15m
d \CheckEventLog.cpp(344) Parsing: severity = 'warning' AND generated gt -15m
d \CheckEventLog.cpp(352) Parsing succeeded: {tbd}op:and({tbd}op:=({tbd}:severity, {tbd}'warning'), {tbd}op:>({tbd}:generated, {tbd}fun:neg({tbd}fun:convert({tbd} { {tbd}#15, {tbd}'m', } ))))
d \CheckEventLog.cpp(359) Type resolution succeeded: {bool}op:and({bool}op:=({ui:1}:severity, {ui:1}fun:auto_convert({string}'warning')), {bool}op:>({date}:generated, {date}fun:neg({date}fun:convert({tbd} { {tbd}#15, {tbd}'m', } ))))
d \CheckEventLog.cpp(366) Binding succeeded: {bool}op:and({bool}op:=({ui:1}:severity, {ui:1}fun:bound:auto_convert({string}'warning')), {bool}op:>({date}:generated, {date}fun:bound:neg({date}fun:bound:convert({tbd} { {tbd}#15, {tbd}'m', } ))))
d \CheckEventLog.cpp(373) Static evaluation succeeded: {bool}op:and({bool}op:=({ui:1}:severity, {ui:1}#2), {bool}op:>({date}:generated, {date}#1301060197))
d \CheckEventLog.cpp(700) Boot time: 4290
d \CheckEventLog.cpp(484) Attempting to match: Application with JScheduler
d \CheckEventLog.cpp(484) Attempting to match: Hardware Events with JScheduler
d \CheckEventLog.cpp(484) Attempting to match: Security with JScheduler
d \CheckEventLog.cpp(484) Attempting to match: System with JScheduler
d \CheckEventLog.cpp(793) Evaluation time: 1930 200
d NSClient++.cpp(1142) Injected Result: OK 'Eventlog check ok'
d NSClient++.cpp(1143) Injected Performance Result: eventlog'=0;1;1; '
d NSClient++.cpp(1142) Injected Result: OK 'Eventlog check ok'
d NSClient++.cpp(1143) Injected Performance Result: eventlog'=0;1;1; '
bbackstrom 03/25/11 14:59:44 (2 years ago)
Message #2118
Interesting.
The "Attempting to match" is trying to find the "long name" of the log file. So that is not really applicable here since you have the short name already.
Could you show me which keys exist below HKLM\SYSTEM\CurrentControlSet\Services\EventLog\JScheduler?
Michael Medin
mickem 03/26/11 06:38:18 (2 years ago)
Message #2119
There are 4 keys below JScheduler:
Cusip-Processing
Cusip-Watcher
Job1001
JScheduler
Each of those keys contains 2 parameters:
(Default) REG_SZ (value not set)
EventMessageFile REG_EXPAND_SZ C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
(If this helps...) -Bonnie
Looking at the code now, I see this:
std::wstring file = sub_key.get_string(_T("DisplayNameFile"));
int id = sub_key.get_int(_T("DisplayNameID"));
but the only keys that have these values are the 4 standard Windows event logs - could that be why it doesn't know what to do with non-Windows logs?
bbackstrom 03/28/11 15:21:43 (2 years ago)
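The diagnostic that Bonnie's last post implies, as an added example (not code from the thread or from NSClient++): it walks the registry path named in the thread and reports which registered logs carry the DisplayNameFile/DisplayNameID values that the quoted CheckEventLog.cpp lines read, so you can see on a host whether a custom log such as JScheduler can only ever be matched by its short name. It also asks the event log API directly whether the log is readable at all; the log name 'JScheduler' is taken from the thread and the other names are the script's own.

```powershell
# Added diagnostic script, not part of NSClient++. Run in an elevated PowerShell
# prompt on the monitored host. Registry path and value names come from the thread.
$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$logName = 'JScheduler'   # the custom log discussed in the thread

function Get-RegisteredEventLogReport {
    # One row per registered log: whether the "long name" lookup values exist,
    # the on-disk file, and the event sources registered beneath the log key
    # (e.g. Cusip-Watcher, Job1001 under JScheduler).
    Get-ChildItem -Path $base | ForEach-Object {
        $logKey  = $_
        $props   = Get-ItemProperty -Path $logKey.PSPath
        $names   = $props.PSObject.Properties.Name
        $sources = (Get-ChildItem -Path $logKey.PSPath |
                    Select-Object -ExpandProperty PSChildName) -join ', '
        [PSCustomObject]@{
            Log             = $logKey.PSChildName
            HasLongName     = ($names -contains 'DisplayNameFile') -and ($names -contains 'DisplayNameID')
            DisplayNameFile = $props.DisplayNameFile
            DisplayNameID   = $props.DisplayNameID
            LogFile         = $props.File
            Sources         = $sources
        }
    }
}

$report = Get-RegisteredEventLogReport
$report | Format-Table -AutoSize

# Logs without DisplayNameFile/DisplayNameID cannot be resolved to a display name,
# so the only identifier that can match them is the short registry key name.
$report | Where-Object { -not $_.HasLongName } | ForEach-Object {
    Write-Output ("'{0}' has no DisplayNameFile/DisplayNameID; only file={0} can match it." -f $_.Log)
}

# Independent check: does the event log API itself see the log and its records?
# If this fails, the problem is the log registration, not the NSClient++ filter.
Get-WinEvent -ListLog $logName | Select-Object LogName, RecordCount, LogFilePath, IsEnabled
```

Compare the Sources column for the custom log against the standard ones: a log whose key holds only source sub-keys and no File value is typically one that was created by an application through the .NET EventLog API, which matches the EventMessageFile path shown in the thread.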