NSClient++ Help (#1) - NSClient++ 0.4.0.183 problem with filter=source and filter=id (#1029) - Message List

NSClient++ 0.4.0.183 problem with filter=source and filter=id

Hi all,

I've got strange behavior with the new NSClient++ 0.4.0.183-x64. My check command with id:

check_nrpe -H IP -c CheckEventLog -a file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -10d AND id=37" truncate=800 unique descriptions "syntax=%generated%: %severity%: %source%: %id%: %message% (%count%)"

Result:

Friday, August 10, 2012 11:00:40: success: Microsoft-Windows-Time-Service: 37: The time provider NtpClient is currently receiving valid time data from time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.22:123). (1), eventlog: 1 > critical|'eventlog'=1;1;1

But same with source Time-Service:

check_nrpe -H IP -c CheckEventLog -a file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -10d AND source='Time-Service'" truncate=800 unique descriptions "syntax=%generated%: %severity%: %source%: %id%: %message% (%count%)"
Eventlog check ok|'eventlog'=0;1;1

Same problem with NLB source (id 29):

check_nrpe -H IP -c CheckEventLog -a file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -10d AND id=29" truncate=800 unique descriptions "syntax=%generated%: %severity%: %source%: %id%: %message% (%count%)"
Saturday, August 04, 2012 05:16:00: success: Microsoft-Windows-NLB: 29: NLB cluster [192.168.17.155]: Host 2 converged with host(s): 2. It is now an active member of the NLB cluster and will start load balancing traffic as the default host. The default host is the host with the lowest host priority. It handles all traffic that isn't covered by any of the defined port rules. (2), eventlog: 2 > critical|'eventlog'=2;1;1

Same with source NLB:

check_nrpe -H IP -c CheckEventLog -a file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -10d AND source='NLB'" truncate=800 unique descriptions "syntax=%generated%: %severity%: %source%: %id%: %message% (%count%)"
Eventlog check ok|'eventlog'=0;1;1

However it works fine with source='EventLog' and id=6013 or source='MsiInstaller' and id=1034 or source='Service Control Manager' and id=7036

Thanks

  • Message #2723

    Not really sure if I follow you correctly...

    First example:

    • Syntax is: %generated%: %severity%: %source%: %id%: %message% (%count%)
    • Your message is: Friday, August 10, 2012 11:00:40: success: Microsoft-Windows-Time-Service: 37:...

    So:

    • Generated = Friday, August 10, 2012 11:00:40
    • Severity = success
    • Source = Microsoft-Windows-Time-Service

    But in your query then you try to use:

    • source = Time-Service

    So getting no result seems valid, right?

    Same for the other example: source is Microsoft-Windows-NLB and you try to match NLB.

    If you want to do substring matching you can use "like" or "regexp" (provided you turn the query into a regexp), but for source I would probably use the correct string instead.

    • Message #2725

      Got it, thanks for the clarification. It happens because Nagios returns Source as Microsoft-Windows-Time-Service, but the OS shows it as Time-Service. So it's better to use source like

      Cheers

      • Message #2791

        Hi Mickem,

        Could you clarify why Windows Eventlog and NRPE replies are not equal? For example:

        # /usr/local/nagios/libexec/check_nrpe -H IP -c CheckEventlog -a file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -1d AND id=6013" truncate=800 unique descriptions "syntax=%source%: %severity%: %generated%: %id%: %message% (%count%)"
        EventLog: warning: Wednesday, September 19, 2012 12:00:04: 6013: The system uptime is 3405509 seconds. (1), eventlog: 1 > critical|'eventlog'=1;1;1

        But in Windows EventLog it's information, NOT WARNING:

        http://imageshack.us/a/img571/3461/eventlogid6013.JPG

        And vice-versa:

        # /usr/local/nagios/libexec/check_nrpe -H IP -c CheckEventlog -a file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -1d AND id=1530 AND source NOT like 'EventLog'" truncate=800 unique descriptions "syntax=%source%: %severity%: %generated%: %id%: %message% (%count%)"
        Microsoft-Windows-User Profiles Service: success: Wednesday, September 19, 2012 14:47:21: 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. ...|'eventlog'=1;1;1

        But in Windows EventLog it's warning:

        http://imageshack.us/a/img210/5295/eventlogid1530.jpg

        Thanks
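Both problems in this thread (the source string that does not match, and the %severity% that differs from what Event Viewer shows) come down to the same question: what does Windows actually store for these events? The following PowerShell snippet is an added example, not code from the thread or from NSClient++. It is meant to be run on the monitored host itself, assumes the event IDs discussed above (37, 29, 6013, 1530) exist in the Application or System log within the last 10 days, and prints the exact provider name and level for each of them, so the NSClient++ filter can be written against the real values.

```powershell
# Added example (not from the thread): show the exact provider name and the
# level Windows stores for the event IDs discussed above.
# Assumptions: run locally on the monitored Windows host; events with these
# IDs exist in the Application or System log within the last 10 days.

$since = (Get-Date).AddDays(-10)      # same window as "generated gt -10d"
$ids   = 37, 29, 6013, 1530           # event IDs from the thread

foreach ($log in 'Application', 'System') {
    # Get-WinEvent throws if nothing matches; SilentlyContinue just yields nothing
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Id        = $ids
        StartTime = $since
    } -ErrorAction SilentlyContinue

    $events |
        Sort-Object ProviderName, Id -Unique |
        Select-Object @{ n = 'Log';   e = { $log } },
                      Id,
                      ProviderName,        # the string a 'source=' filter must match exactly
                      LevelDisplayName,    # what Event Viewer shows as Level
                      @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Substring(0, 60) } } |
        Format-Table -AutoSize -Wrap
}
```

The ProviderName column is what NSClient++ exposes as %source% and what `source='...'` is compared against, whereas the Source column in Event Viewer shows the provider's display name (Time-Service, NLB). So either use the full value, for example `"filter=generated gt -10d AND source='Microsoft-Windows-Time-Service'"`, or keep the short name and switch to `source like 'Time-Service'` as suggested in Message #2723. The LevelDisplayName column is the level Event Viewer displays; comparing it with the %severity% field in the check_nrpe output makes the mismatch reported in Message #2791 visible per event ID, and it is the level to use when deciding which events should raise a critical result.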
