[NSClient++] Topic #991 - Eventlog Filter 0.4.2
http://nsclient.org/nscp/discussion/topic/991

j.nissen, Mon, 11 Jun 2012 14:01:33 GMT
Topic #991 - Eventlog Filter 0.4.2
http://nsclient.org/nscp/discussion/topic/991#topic
<p> Hello, </p>
<p> I have a little problem with the new Filter. </p>
<p> I want to transmit all Eventlog entries with Type (Level) Error to Icinga in State Critical. </p>
<p> Can anyone send me the Filter? </p>
<p> <a href="/nscp/settings/eventlog/real-time/filters/eventlog">settings/eventlog/real-time/filters/eventlog</a> filter=??????? severity = CRITICAL </p>
<p> Thanks </p>
<p> Jörg </p>

j.nissen, Tue, 19 Jun 2012 06:13:12 GMT
Reply #2648 to topic #991 - Eventlog Filter 0.4.2
http://nsclient.org/nscp/discussion/message/2648#message2648
<p> Hello, </p>
<p> thanks -- it works fine... </p>
<p> greetings from Germany </p>
<p> Jörg </p>

mickem, Mon, 18 Jun 2012 20:57:57 GMT
Reply #2644 to topic #991 - Eventlog Filter 0.4.2
http://nsclient.org/nscp/discussion/message/2644#message2644
<p> Sorry... felt almost stupid... </p>
<p> it should be ...type = 'error'... </p>
<p> The error is a string not a variable :) </p>
<p> <em> Michael Medin </em></p>

mickem, Mon, 18 Jun 2012 06:47:51 GMT
Reply #2643 to topic #991 - Eventlog Filter 0.4.2
http://nsclient.org/nscp/discussion/message/2643#message2643
<p> Sorry forgot, will try to check this (and the auto-lc) tonight... hopefully some news tomorrow...
</p>

j.nissen, Mon, 18 Jun 2012 06:38:17 GMT
Reply #2642 to topic #991 - Eventlog Filter 0.4.2
http://nsclient.org/nscp/discussion/message/2642#message2642
<p> Hello, </p>
<p> have you looked at this? </p>
<p> thanks, </p>
<p> Jörg </p>

mickem, Wed, 13 Jun 2012 09:57:35 GMT
Reply #2636 to topic #991 - Eventlog Filter 0.4.2
http://nsclient.org/nscp/discussion/message/2636#message2636
<p> Well, the error is with the filter: </p>
<pre class="wiki">e og\CheckEventLog.cpp:152 Error validating filter: Invalid types: Variable not found: error
</pre>
<p> Means the filter (I should probably add so it displays with cone) was not parsed. Not sure why, I can look into this when I get back home... </p>

j.nissen, Wed, 13 Jun 2012 09:18:17 GMT
Reply #2635 to topic #991 - Eventlog Filter 0.4.2
http://nsclient.org/nscp/discussion/message/2635#message2635
<p> Hello, </p>
<p> yes, thread 529 is known. </p>
<p> My problem stays alive :-( No filter match...
</p>
<p> nsclient.ini </p>
<pre class="wiki">
[/modules]
CheckDisk = 1
CheckEventLog = 1
CheckExternalScripts = 1
CheckHelpers = 1
CheckSystem = 1
CheckWMI = 1
NRPEServer = 1
NSCAClient = 1
NSClientServer = 1
[/settings/default]
allowed hosts = XXX.XXX.XXX.XXX
cache allowed hosts = true
password =
certificate = ${certificate-path}/nrpe_dh_512.pem
timeout = 30
use ssl = true
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true
port = 5666
[/settings/NSCA/client]
channel = NSCA
hostname = nissen3
[/settings/NSCA/client/targets/default]
address = nsca://XXX.XXX.XXX.XXX:5667
encryption = des
timeout = 30
[/settings/NSClient/server]
performance data = true
port = 12489
[/settings/check/system/windows]
default = true
default buffer length = 1h
[/settings/check/system/windows/service mapping]
[/settings/crash]
archive = true
archive folder = ${shared-path}/crash-dumps
restart = true
restart target = NSClientpp
submit = false
submit url = http://crash.nsclient.org/submit
[/settings/eventlog]
buffer size = 131072
debug = true
lookup names = true
syntax =
[/settings/eventlog/real-time]
destination=NSCA
debug = true
enable active = true
enabled = true
log = application
maximum age = 5m
startup age = 30m
[/settings/eventlog/real-time/filters/errors]
filter=type = error
severity = CRITICAL
syntax=The end is neigh: %message%
ok message = Seems we are doing ok
command=my_eventlog_check
[/settings/external scripts]
allow arguments = true
allow nasty characters = true
script path =
timeout = 60
[/settings/external scripts/alias]
[/settings/external scripts/scripts]
[/settings/external scripts/wrapped scripts]
[/settings/external scripts/wrappings]
bat = scripts\\%SCRIPT% %ARGS%
ps1 = cmd /c echo scripts\\%SCRIPT% %ARGS%; exit($lastexitcode) | powershell.exe -command -
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%
[/settings/log]
date format = %Y-%m-%d %H:%M:%S
file name = ${exe-path}/nsclient.log
level = debug
[/settings/log/file]
max size = 0
[/settings/shared session]
enabled = false
[/settings/targets]
</pre>
<p> test command </p>
<pre class="wiki">nscp eventlog --exec insert-eventlog --source "Application Error" --id 1000 --level error --category 0
</pre>
<p> Debug information </p>
<pre class="wiki">System.dll as )
d rvice\NSClient++.cpp:830 addPlugin(C:/Program Files/NSClient++//modules/CheckWMI.dll as )
d rvice\NSClient++.cpp:830 addPlugin(C:/Program Files/NSClient++//modules/NRPEServer.dll as )
d rvice\NSClient++.cpp:830 addPlugin(C:/Program Files/NSClient++//modules/NSCAClient.dll as )
d rvice\NSClient++.cpp:830 addPlugin(C:/Program Files/NSClient++//modules/NSClientServer.dll as )
d rvice\NSClient++.cpp:807 Loading plugin: CheckDisk
d rvice\NSClient++.cpp:807 Loading plugin: Event log Checker.
d rvice\NSClient++.cpp:807 Loading plugin: Check External Scripts
e og\CheckEventLog.cpp:152 Error validating filter: Invalid types: Variable not found: error
d rvice\NSClient++.cpp:807 Loading plugin: Helper function
d eventlog_wrapper.cpp:80 Attempting to match: Anwendung with application
d rvice\NSClient++.cpp:807 Loading plugin: CheckSystem
d eventlog_wrapper.cpp:80 Attempting to match: Hardware-Ereignisse with application
d rvice\NSClient++.cpp:807 Loading plugin: CheckWMI
d tem\PDHCollector.cpp:91 Loading counters...
d eventlog_wrapper.cpp:80 Attempting to match: Microsoft Office Alerts with application
d rvice\NSClient++.cpp:807 Loading plugin: NRPE server
d tem\PDHCollector.cpp:94 Loading counter: memory commit limit = \4\30
d eventlog_wrapper.cpp:80 Attempting to match: Sicherheit with application
e erver\NRPEServer.cpp:125 Certificate key not found: C:/Program Files/NSClient++//security/certificate_key.pem
d eventlog_wrapper.cpp:80 Attempting to match: System with application
d erver\NRPEServer.cpp:130 Allowed hosts definition: XXX.XXX.XXX.XXX(255.255.255.255)
d tem\PDHCollector.cpp:103 Counter status: -1073738823: Der angegebene Leistungsindikator wurde nicht gefunden.
d tem\PDHCollector.cpp:94 Loading counter: cpu = \238(_total)\6
d tem\PDHCollector.cpp:94 Loading counter: memory commit bytes = \4\26
d tem\PDHCollector.cpp:103 Counter status: -1073738823: Der angegebene Leistungsindikator wurde nicht gefunden.
d tem\PDHCollector.cpp:94 Loading counter: uptime = \2\674
d tem\PDHCollector.cpp:103 Counter status: -1073738823: Der angegebene Leistungsindikator wurde nicht gefunden.
d de\socket/server.hpp:81 Using SSL: ssl: none, cert: C:/Program Files/NSClient++//security/nrpe_dh_512.pem (PEM), C:/Program Files/NSClient++//security/certificate_key.pem, dh: C:/Program Files/NSClient++//security/nrpe_dh_512.pem, ciphers: ADH, ca: C:/Program Files/NSClient++//security/ca.pem
d de\socket/server.hpp:97 Attempting to bind to: :5666
d de\socket/server.hpp:107 Bound to: :5666
d rvice\NSClient++.cpp:807 Loading plugin: NSCAClient
d rvice\NSClient++.cpp:807 Loading plugin: NSClient server
d r\NSClientServer.cpp:136 Allowed hosts definition: XXX.XXX.XXX.XXX(255.255.255.255)
d de\socket/server.hpp:97 Attempting to bind to: :12489
d de\socket/server.hpp:107 Bound to: :12489
d rvice\NSClient++.cpp:604 NSClient++ - 0,4,1,3 2012-06-08 Started!
l ce\simple_client.hpp:32 Enter command to inject or exit to terminate...
d og\CheckEventLog.cpp:125 No filter matched: error Application Error: Name der Berichtskennung: %13n Moduls: %12%11: 0x%10%5, Zeitstempel: 0x%6
</pre>

mickem, Mon, 11 Jun 2012 14:12:50 GMT
Reply #2627 to topic #991 - Eventlog Filter 0.4.2
http://nsclient.org/nscp/discussion/message/2627#message2627
<p> If you check <a class="closed ticket" href="/nscp/ticket/529" title="enhancement: add alert severity to real-time event log monitoring (closed: fixed)">#529</a> it has good information on how to do something a bit more advanced but should hopefully be a good starting point. </p>
<p> As it seems the syntax I have now is "ok" I shall start writing some documentation about it hopefully this or next week... </p>
<p> But some short pseudo configuration for you: </p>
<pre class="wiki">[/settings/eventlog/real-time]
enabled=true
[/settings/eventlog/real-time/filters/errors]
filter=type = error
severity = CRITICAL
destination=NSCA
syntax=The end is neigh: %message%
ok message = Seems we are doing ok
command=my_eventlog_check
</pre>
<p> In addition to this you also need to configure NSCAClient (again pseudo configuration as I don't recall the syntax off the top of my head): </p>
<pre class="wiki">[/settings/NSCA/client/targets/default]
address=192.168.0.1:5667
encryption=aes
password=very-very-secret
</pre>
<p> <em> Michael Medin </em></p>
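<p> Added example, not part of the original thread and not NSClient++ code: a small Python triage of the console output pasted above. It flags a real-time filter that was rejected at load time ("Error validating filter") while events keep falling through as "No filter matched", which is the silent monitoring gap this thread ran into. The line layout (level letter, truncated source file, line number, message) and the function names are assumptions inferred from the pasted log. </p>

```python
import re

# Assumed layout, inferred from the output pasted in the thread:
# <level letter> <truncated source file>:<line number> <message>
LINE_RE = re.compile(r"^(?P<level>[a-z])\s+(?P<src>\S+?):(?P<line>\d+)\s+(?P<msg>.*)$")

# Constructed sample: lines taken from the thread's debug output (last one shortened).
SAMPLE_LOG = r"""
d rvice\NSClient++.cpp:807 Loading plugin: Event log Checker.
e og\CheckEventLog.cpp:152 Error validating filter: Invalid types: Variable not found: error
d eventlog_wrapper.cpp:80 Attempting to match: System with application
d og\CheckEventLog.cpp:125 No filter matched: error Application Error: Name der Berichtskennung
"""


def triage(log_text):
    """Collect filters rejected at load time and count events that matched no filter."""
    report = {"invalid_filters": [], "unmatched_events": 0, "unparsed": 0}
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            report["unparsed"] += 1  # wrapped or truncated console line
            continue
        msg = m.group("msg")
        if m.group("level") == "e" and msg.startswith("Error validating filter:"):
            reason = msg.split(":", 1)[1].strip()
            report["invalid_filters"].append((m.group("src"), int(m.group("line")), reason))
        elif msg.startswith("No filter matched:"):
            report["unmatched_events"] += 1
    return report


def monitoring_is_blind(report):
    """True when a filter failed validation and events are falling through unmatched."""
    return bool(report["invalid_filters"]) and report["unmatched_events"] > 0


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print("real-time filter silently inactive:", monitoring_is_blind(result))
```

<p> Run it against the console output after every filter change: a validation error at startup means the filter is not active, even though the service starts and binds its ports normally. </p>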