NSClient++ Help (#1) - CheckEventLog for Events that 'have not happened' (#262) - Message List

CheckEventLog for Events that 'have not happened'

Hi,

Not sure if I can do this but.... I am trying to check the event log for events that have not happened!

Specifically, this is the Antivirus not updating its virus defs (the event log has entries when it does update), and when the Antivirus has not run (the event log gets an entry when it has run). I can do the positives (e.g. when a virus is found in the last 7 days) as below:

filter=new file=Application truncate=1023 MaxWarn=1 MaxCrit=2 filter=in filter+eventType==warning filter+eventID==16 filter+generated=<7d

But how would I do the negatives?

Thanks, Ben

  • Message #813

    The idea behind "max" is that there is also a "min" so you ought to be able to do a MinWarn=1 MinCrit=1 and thus when it is below 1 you get a warning... (but not sure I have done that recently though so... :)

    MickeM

    • Message #815

      Not sure it's working... If I do

      filter=new file=Application truncate=1023 MaxWarn=1 MaxCrit=1 filter=in filter+eventType==info filter+eventID==2 filter+generated=<7d filter+eventSource=substr:Symantec filter+eventSource=substr:AntiVirus filter+message=substr:Complete
      

      I get

      Symantec AntiVirus, : 1 > critical
      

      This is right, but if I do (using Min)

      filter=new file=Application truncate=1023 MinWarn=1 MinCrit=1 filter=in filter+eventType==info filter+eventID==2 filter+generated=<7d filter+eventSource=substr:Symantec filter+eventSource=substr:AntiVirus filter+message=substr:Complete
      

      I get

      Symantec AntiVirus, : 1 < critical
      

      It does this whatever I set the min values to, which I don't think is correct... Is it a bug or am I doing something wrong? Thanks

      • Message #816

        I am moving today so I'll look into it in a few days...

        MickeM

        • Message #817

          ;0 Thanks ;) Have a good move.

      • Message #846

        I think this is what you are looking for:

        CheckEventLog filter=new file=Application truncate=1023 MinWarn=0 MinCrit=0 filter=in filter+eventType==info filter+generated=<1d filter+eventSource=substr:SecurityCenter
        OK:SecurityCenter|'eventlog'=1;0;0;
        CheckEventLog filter=new file=Application truncate=1023 MinWarn=0 MinCrit=0 filter=in filter+eventType==info filter+generated=<1d filter+eventSource=substr:SecurityCenterr
        CRITICAL:eventlog: 0 < critical|'eventlog'=0;0;0;
        

        Let me know if it works out...

        MickeM
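
The absence check discussed in this thread, modelled as an added Python example (not NSClient++ code and not from any poster): count matching events inside a time window, then compare the count against Min/Max bounds. The inclusive comparison is an assumption inferred from the outputs posted above (`1 < critical` with MinCrit=1, `0 < critical` with MinCrit=0); the events, `NOW`, and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread): (generated, type, source, message)
NOW = datetime(2024, 1, 10, 12, 0)
EVENTS = [
    (NOW - timedelta(days=2), "info", "Symantec AntiVirus", "Scan Complete"),
    (NOW - timedelta(days=9), "info", "Symantec AntiVirus", "Scan Complete"),
    (NOW - timedelta(hours=3), "info", "SecurityCenter", "Service started"),
    (NOW - timedelta(days=1), "warning", "Symantec AntiVirus", "Threat found"),
]

def count_matches(events, now, max_age, event_type, source_substr, msg_substr=""):
    """Count events newer than max_age whose type, source and message all match."""
    return sum(
        1 for generated, etype, source, message in events
        if now - generated < max_age
        and etype == event_type
        and source_substr in source
        and msg_substr in message
    )

def evaluate(count, min_warn=None, min_crit=None, max_warn=None, max_crit=None):
    """Map a count to a state. Bounds are inclusive (assumption inferred
    from the thread's output, not taken from NSClient++ documentation)."""
    if min_crit is not None and count <= min_crit:
        return "CRITICAL"
    if max_crit is not None and count >= max_crit:
        return "CRITICAL"
    if min_warn is not None and count <= min_warn:
        return "WARNING"
    if max_warn is not None and count >= max_warn:
        return "WARNING"
    return "OK"

def heartbeat_state(events, now, max_age, source_substr, msg_substr="",
                    min_warn=0, min_crit=0):
    """Alert when an expected 'it ran' event is missing from the window."""
    n = count_matches(events, now, max_age, "info", source_substr, msg_substr)
    return n, evaluate(n, min_warn=min_warn, min_crit=min_crit)

if __name__ == "__main__":
    week = timedelta(days=7)
    # Min=1 fires even though the scan ran once; Min=0 fires only on silence.
    print(heartbeat_state(EVENTS, NOW, week, "Symantec", "Complete", 1, 1))
    print(heartbeat_state(EVENTS, NOW, week, "Symantec", "Complete"))
    print(heartbeat_state(EVENTS, NOW, timedelta(days=1), "SecurityCenterr"))
```

Under this model a heartbeat that must appear at least once per window needs Min=0, since Min=1 also alerts on the healthy single-event case.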
