[NSClient++] Topic #905 - Eventlog severity
http://nsclient.org/nscp/discussion/topic/905
<p>
Eventlog severity
</p>
Trac 1.0beta1 - DiscussionPlugin
sdohmen, Tue, 06 Dec 2011 19:23:08 GMT - Topic #905 - Eventlog severity
http://nsclient.org/nscp/discussion/topic/905#topic
<p>
For our Nagios environment we have NSClient++ 0.3.9 installed on our Windows machines.
</p>
<p>
We have a couple of services that search the event log for possible matches. The problem I seem to have is that the severity filter doesn't seem to filter on warnings and/or errors alone.
</p>
<p>
The filter I use is as follows:
</p>
<pre class="wiki">event_id_1074=CheckEventLog file=system debug=true MaxWarn=1 MaxCrit=1 "filter=generated gt -30d AND id IN (1074) AND source IN ('USER32') AND severity IN ('error', 'warning')" truncate=800 unique descriptions "syntax= %severity% %id%: (%count%)"
</pre>
<p>
I tried some other things as well, but none of them seem to work. Does anyone have an idea how I can solve this?
</p>
sdohmen, Wed, 28 Dec 2011 11:30:11 GMT - Reply #2406 to topic #905 - Eventlog severity
http://nsclient.org/nscp/discussion/message/2406#message2406
<p>
So if I understand correctly I have to do this:
</p>
<pre class="wiki">event_id_1074=CheckEventLog file=system debug=true MaxWarn=1 MaxCrit=1 "filter=generated gt -30d AND id IN (1074) AND source IN ('USER32') AND type IN ('1', '2', '3')" truncate=800 unique descriptions "syntax= %type% %id%: (%count%)"
</pre>
<p>
Does this work for 2003 and 2008? Since the above pieces are from 2008.
</p>
<p>
I just checked a 2003 machine and it says type as well, but it has the error/warning type messages and not the numbers like in 2008. I assume I have to mix both of them together then?
</p>
<p>
[EDIT]
</p>
<p>
I just tried the above on a Windows 2003 server, but the severity/type is not working. When I use type it just grabs everything, and when I use severity it does filter the informational or success events out.
</p>
<p>
I tried the original alias_event_log_new, as that one was standard, but there is the same problem. I will try it on a 2008 machine later on and report back about this.
</p>
mickem, Wed, 28 Dec 2011 10:15:39 GMT - Reply #2405 to topic #905 - Eventlog severity
http://nsclient.org/nscp/discussion/message/2405#message2405
<p>
In that case it is type you want.
</p>
<ul><li>Level is mapped to type.
</li><li>Severity is mapped to the high bits of the event ID, which would have been seen as a Qualifiers="???" attribute on EventID in the XML.
</li></ul><p>
<em> Michael Medin
</em></p>
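<p>
Added example (not from this thread and not NSClient++ code): the mapping described in the reply above, worked through on sample Event Viewer XML. It takes the two fields a filter could use, the &lt;Level&gt; element (what the reply says is exposed as "type") and the severity code hidden in the top two bits of the legacy 32-bit event ID (what Event Viewer shows as the Qualifiers attribute on &lt;EventID&gt;), and then evaluates a "field IN (...)" clause the way the filters in this thread are written. Assumptions: the sample events are constructed and trimmed, the Qualifiers value 32768 on the USER32 1074 event is chosen for illustration, and the filter evaluator is a stand-in for NSClient++'s own parser, whose exact value set for "type" in 0.3.9 is not documented on this page.
</p>

```python
import xml.etree.ElementTree as ET

# Namespace of the Event Viewer "XML view" documents.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# <Level> values of the Windows event schema. This is the field the reply
# above says NSClient++ exposes as "type"; the names are the Event Viewer ones.
LEVEL_NAMES = {1: "critical", 2: "error", 3: "warning", 4: "information", 5: "verbose"}

# Legacy 32-bit event IDs carry a severity code in bits 31-30 (Win32 message
# ID layout). Event Viewer shows only the low 16 bits as <EventID> and puts
# the high 16 bits in the Qualifiers attribute, so "severity" has to be
# recovered from Qualifiers, not from the displayed ID. Events written through
# the modern API have no Qualifiers at all, so their severity decodes as 0.
SEVERITY_NAMES = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def parse_event(xml_text):
    """Extract the fields a filter would see from one Event Viewer XML chunk."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = system.find("e:EventID", NS)
    low_word = int(event_id.text)
    qualifiers = int(event_id.get("Qualifiers", "0"))  # absent on modern-API events
    full_id = (qualifiers << 16) | low_word
    level = int(system.find("e:Level", NS).text)
    return {
        "id": low_word,
        "full_id": full_id,
        "level": level,
        "type": LEVEL_NAMES.get(level, str(level)),
        "severity": SEVERITY_NAMES[(full_id >> 30) & 0x3],
        "source": system.find("e:Provider", NS).get("Name"),
    }


def filter_events(events, field, allowed):
    """Evaluate a clause of the form  <field> IN ('a', 'b')  over parsed events.
    Values are compared as lower-cased strings so 'error' and 2 both work the
    way they are written in the filter string. Stand-in, not NSClient++'s parser."""
    wanted = {str(value).lower() for value in allowed}
    return [ev for ev in events if str(ev[field]).lower() in wanted]


def ids(events):
    return [ev["id"] for ev in events]


# Constructed sample events, trimmed to the fields the filter uses.
SAMPLE_XML = [
    # Modern-API error: Level 2, no Qualifiers attribute.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" />
    <EventID>8306</EventID>
    <Level>2</Level>
    <Channel>Application</Channel>
  </System>
</Event>""",
    # Modern-API warning: Level 3, no Qualifiers attribute.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" />
    <EventID>2138</EventID>
    <Level>3</Level>
    <Channel>Application</Channel>
  </System>
</Event>""",
    # Legacy-API informational event (the USER32 1074 from the original filter).
    # The Qualifiers value 32768 is assumed for illustration: it sets bit 31 of
    # the full ID, which decodes to severity 2 (warning) although Level is 4.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="USER32" />
    <EventID Qualifiers="32768">1074</EventID>
    <Level>4</Level>
    <Channel>System</Channel>
  </System>
</Event>""",
]

EVENTS = [parse_event(chunk) for chunk in SAMPLE_XML]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"id={ev['id']:>5}  full_id=0x{ev['full_id']:08X}  "
              f"type={ev['type']:<11} severity={ev['severity']}")
    # The severity clause from the original filter: only the legacy event matches.
    print("severity IN ('error','warning'):", ids(filter_events(EVENTS, "severity", ["error", "warning"])))
    # The type clause suggested in the reply: the real error and warning match.
    print("type IN ('error','warning')    :", ids(filter_events(EVENTS, "type", ["error", "warning"])))
    print("level IN (1, 2, 3)             :", ids(filter_events(EVENTS, "level", [1, 2, 3])))
```

<p>
Running it shows the behaviour reported at the top of the thread: the two modern-API events have no Qualifiers, so a severity clause never sees them as error or warning, while a clause on type (Level) picks exactly the error and the warning. The legacy USER32 event goes the other way round, which is why mixing the two fields gives different results per source.
</p>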
sdohmen, Wed, 28 Dec 2011 09:07:13 GMT - Reply #2404 to topic #905 - Eventlog severity
http://nsclient.org/nscp/discussion/message/2404#message2404
<p>
Here I have 3 XML chunks, from an error, a warning and a critical event:
</p>
<p>
Error
</p>
<pre class="wiki">Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 28-12-2011 10:00:02
Event ID: 8306
Task Category: Claims Authentication
Level: Error
Keywords:
User: lan\spfarm
Computer: DC001.lan
Description:
An exception occurred when trying to issue security token: Could not connect to http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:32843. .
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8306</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>47</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2011-12-28T09:00:02.759325100Z" />
<EventRecordID>894361</EventRecordID>
<Correlation ActivityID="{F7E91E4C-7008-4640-A0F7-2AD4309360F8}" />
<Execution ProcessID="16976" ThreadID="12320" />
<Channel>Application</Channel>
<Computer>DC001.lan</Computer>
<Security UserID="S-1-5-21-145403777-2590486518-2986895942-1157" />
</System>
<EventData>
<Data Name="string0">Could not connect to http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:32843. </Data>
</EventData>
</Event>
</pre><p>
Warning
</p>
<pre class="wiki">- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>2138</EventID>
<Version>14</Version>
<Level>3</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2011-12-28T09:00:02.759325100Z" />
<EventRecordID>894362</EventRecordID>
<Correlation ActivityID="{F7E91E4C-7008-4640-A0F7-2AD4309360F8}" />
<Execution ProcessID="16976" ThreadID="12320" />
<Channel>Application</Channel>
<Computer>DC001.lan</Computer>
<Security UserID="S-1-5-21-145403777-2590486518-2986895942-1157" />
</System>
<EventData>
<Data Name="string0">The Security Token Service is not available. The Security Token Service is not issuing tokens. The service could be malfunctioning or in a bad state. Administrator should try to restart the Security Token Service on the boxes where it is not issuing tokens. If problem persists, further troubleshooting may be available in the KB article. For more information about this rule, see "http://go.microsoft.com/fwlink/?LinkID=160531".</Data>
</EventData>
</Event>
</pre><p>
Critical
</p>
<pre class="wiki">- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>6398</EventID>
<Version>14</Version>
<Level>1</Level>
<Task>12</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2011-12-28T09:00:01.636117900Z" />
<EventRecordID>894360</EventRecordID>
<Correlation ActivityID="{4844112F-DB1B-4262-88D7-B256C70D336E}" />
<Execution ProcessID="16976" ThreadID="13344" />
<Channel>Application</Channel>
<Computer>DC001.lan</Computer>
<Security UserID="S-1-5-21-145403777-2590486518-2986895942-1157" />
</System>
<EventData>
<Data Name="string0">Microsoft.SharePoint.Search.Administration.SPSearchJobDefinition</Data>
<Data Name="string1">c700d433-533f-4c17-9e09-ad8be8d312cd</Data>
<Data Name="string2">The device is not ready.</Data>
</EventData>
</Event>
</pre>
mickem, Wed, 21 Dec 2011 08:24:36 GMT - Reply #2403 to topic #905 - Eventlog severity
http://nsclient.org/nscp/discussion/message/2403#message2403
<p>
The XML chunk comes from Event Viewer (so just go to "Manage my computer" -> Event log, find the event and click the XML view tab thingy...).
</p>
<p>
So yes, that does not depend on the version.
</p>
<p>
The "inject code" and "real-time filter" is new for 0.4.0 but the filter syntax is the same so you can get the same in 0.3.9 (ish).
</p>
<p>
<em> Michael Medin
</em></p>
sdohmen, Wed, 21 Dec 2011 08:10:14 GMT - Reply #2402 to topic #905 - Eventlog severity
http://nsclient.org/nscp/discussion/message/2402#message2402
<p>
How can I create an XML chunk with the 0.3.9 version? Or is this only possible with the 0.4 build?
</p>
<p>
I checked the slide, and the new layout looks very interesting and loads simpler even.
</p>
mickem, Mon, 12 Dec 2011 10:39:08 GMT - Reply #2383 to topic #905 - Eventlog severity
http://nsclient.org/nscp/discussion/message/2383#message2383
<p>
Severity is not severity :)
This is (all in all) a bit odd: the API has the same "keys" as I specify, but the UI has different ones.
If you open my presentation from OSMC 2011 (look under Conferences on the wiki) there is a slide where I try to map the keywords to the XML view in Event Viewer.
</p>
<p>
In general I think it is type or some such which is severity.
If you give me the XML chunk I could let you know which keywords would filter what...
</p>
<p>
<em> Michael Medin
</em></p>