NSClient++ Help (#1) - NSClient++ 0.3.9 + CheckEventLog + Windows 2008 + Filter --> problems (#975) - Message List
Hi,
I'm trying to create an NSClient++ filter for catching error and warning messages from the Windows Event Log. I've created such a filter but suddenly noticed that some unwanted messages are passing through.
I'm using NSClient++ 0.3.9.x and Windows 2008.
Here is my alias string from NSC.ini (I tried to make it very simple to show the exact problem):
alias_tg=CheckEventLog file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -1d AND severity IN ('warning') AND id=6013" truncate=800 unique descriptions "syntax=%severity%: %source%: %id%: %message% (%count%)"
This is a copy of the event from the Event Log:
Log Name: System
Source: EventLog
Date: 5/14/2012 12:00:00 PM
Event ID: 6013
Task Category: None
Level: Information
Keywords: Classic
User: N/A
The system uptime is 4144453 seconds.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="EventLog" />
<EventID Qualifiers="32768">6013</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-05-14T19:00:00.000Z" />
<Channel>System</Channel>
<Security />
</System>
<EventData>
<Data>4144453</Data>
<Data>60</Data>
</EventData>
</Event>
This is supposed to be an 'Informational' event. I'm using the filter with an explicit 'warning' severity; however, when I run the command I'm getting a positive result:
check_nrpe -H MY_HOST -p 5666 -t 60 -c alias_tg
warning: EventLog: 6013: The system uptime is 4144453 seconds. (1), eventlog: 1 > critical|'eventlog'=1;1;1
Am I doing something wrong?
-
Message #2618
Additional info from the log file:
2012-06-01 10:44:43: debug:NSClient++.cpp:1144: Injecting: CheckEventLog: file=system, MaxWarn=1, MaxCrit=1, filter=generated gt -1d AND severity IN ('warning') AND id=6013, truncate=800, unique, descriptions, syntax=%severity%: %source%: %id%: %message% (%count%)
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:724: Filter:
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:746: Using: where generated gt -1d AND severity IN ('warning') AND id=6013
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:463: Parsing: generated gt -1d AND severity IN ('warning') AND id=6013
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:471: Parsing succeeded: {tbd}op:and({tbd}op:and({tbd}op:>({tbd}:generated, {tbd}fun:neg({tbd}fun:convert({tbd} { {tbd}#1, {tbd}'d', } ))), {tbd}op:in({tbd}:severity, {tbd} { {tbd}'warning', } )), {tbd}op:=({tbd}:id, {tbd}#6013))
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:478: Type resolution succeeded: {bool}op:and({bool}op:and({bool}op:>({date}:generated, {date}fun:neg({date}fun:convert({tbd} { {tbd}#1, {tbd}'d', } ))), {bool}op:in({ui:1}:severity, {ui:1} { {ui:1}fun:auto_convert({string}'warning'), } )), {bool}op:=({int}:id, {int}#6013))
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:485: Binding succeeded: {bool}op:and({bool}op:and({bool}op:>({date}:generated, {date}fun:bound:neg({date}fun:bound:convert({tbd} { {tbd}#1, {tbd}'d', } ))), {bool}op:in({ui:1}:severity, {ui:1} { {ui:1}fun:bound:auto_convert({string}'warning'), } )), {bool}op:=({int}:id, {int}#6013))
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:492: Static evaluation succeeded: {bool}op:and({bool}op:and({bool}op:>({date}:generated, {date}#1338486283), {bool}op:in({ui:1}:severity, {ui:1} { {ui:1}fun:bound:auto_convert({string}'warning'), } )), {bool}op:=({int}:id, {int}#6013))
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:753: Boot time: 70
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:537: Attempting to match: Application with system
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:537: Attempting to match: DFS Replication with system
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:537: Attempting to match: Hardware Events with system
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:537: Attempting to match: Security with system
2012-06-01 10:44:43: debug:modules\CheckEventLog\CheckEventLog.cpp:537: Attempting to match: System with system
2012-06-01 10:44:46: debug:modules\CheckEventLog\CheckEventLog.cpp:846: Evaluation time: 27510
2012-06-01 10:44:46: debug:NSClient++.cpp:1180: Injected Result: CRITICAL 'warning: EventLog: 6013: The system uptime is 5613252 seconds. (1), eventlog: 1 > critical'
2012-06-01 10:44:46: debug:NSClient++.cpp:1181: Injected Performance Result: ''eventlog'=1;1;1'
2012-06-01 10:44:46: debug:NSClient++.cpp:1180: Injected Result: CRITICAL 'warning: EventLog: 6013: The system uptime is 5613252 seconds. (1), eventlog: 1 > critical'
2012-06-01 10:44:46: debug:NSClient++.cpp:1181: Injected Performance Result: ''eventlog'=1;1;1'
graved 06/01/12 19:51:43 (12 months ago)
-
Message #2625
My guess is you are expecting:
Level: Information
To not be matched by filter:
severity IN ('warning')
And this is, if you ask me, the worst thing about the event log. There are TWO (2) severities. Before they were called "type" and "severity"; now they are called "level" and "Qualifiers".
In short:
- Level = type
- Qualifier = severity
So try adding "type not in" instead when matching for a "sensible" severity.
I posted about this a bit on my blog a while back http://blog.medin.name/2012/03/20/real-time-event-log-monitoring-with-nsclient/
Michael Medin
mickem 06/08/12 07:42:40 (12 months ago)
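Both the original question and the reply above turn on the same point: a classic event record carries two independent severities. The following Python is an added example (not code from NSClient++ or from either poster). It parses the Event XML quoted in the first message and decodes both fields; it assumes that NSClient++ 0.3.x takes "severity" from the top two bits of the classic 32-bit event ID (the Qualifiers word as the high word, per the NT event-ID layout) and "type" from the Level element, and the matches_filter helper is a hypothetical stand-in for the two filter forms discussed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Level values used by the Windows event log ("type" in NSClient++ 0.3 terms).
LEVELS = {1: "critical", 2: "error", 3: "warning", 4: "information", 5: "verbose"}
# Top two bits of the classic 32-bit event ID ("severity" in NSClient++ 0.3 terms).
# Assumption: this is where NSClient++ 0.3.x reads %severity% from.
QUALIFIER_SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# Copy of the event record quoted in the first message of the thread.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="EventLog" /><EventID Qualifiers="32768">6013</EventID>
<Level>4</Level><Task>0</Task><Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-05-14T19:00:00.000Z" /><Channel>System</Channel>
<Security /></System><EventData><Data>4144453</Data><Data>60</Data></EventData></Event>"""


def decode_event(xml_text):
    """Return both severities plus the raw fields they are derived from."""
    root = ET.fromstring(xml_text)
    event_id = root.find("e:System/e:EventID", NS)
    level = int(root.find("e:System/e:Level", NS).text)
    qualifiers = int(event_id.get("Qualifiers", "0"))
    code = int(event_id.text)
    full_id = (qualifiers << 16) | code  # classic DWORD: high word = qualifiers
    return {
        "id": code,
        "level": level,
        "type": LEVELS.get(level, "unknown"),           # what <Level> says
        "qualifiers": qualifiers,
        "severity": QUALIFIER_SEVERITY[full_id >> 30],  # what Qualifiers say
    }


def matches_filter(event, want_severity, exclude_types=()):
    """Hypothetical: severity IN (want) alone, or combined with type NOT IN (exclude_types)."""
    return event["severity"] == want_severity and event["type"] not in exclude_types


if __name__ == "__main__":
    ev = decode_event(EVENT_XML)
    print(ev)
    print("severity IN ('warning'):", matches_filter(ev, "warning"))
    print("... AND type NOT IN ('information'):",
          matches_filter(ev, "warning", ("information",)))
```

Run against the quoted record, the Level decodes to "information" while the qualifier bits decode to "warning", which is why the severity-only filter fires and the added type exclusion suppresses it.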