NSClient++ Help (#1) - Check eventlog, more than one eventId (#102) - Message List

Check eventlog, more than one eventId

Hi there, I have a problem using the Check_Eventlog.

What I need is:

Give me all Warnings of the last 3 days from the Object "System", which have the eventID 1 or 14 or 1003 or 1007

I tried it this way, but it doesn't work (Of course, there are no events with more than one Id...)

command[check_example]=inject checkEventLog file=System MaxCrit=1 MaxWarn=1 filter-eventType==info filter+eventType==warning filter+generated=<3d filter+eventID==1 filter+eventID==14 filter+eventID==1003 filter+eventID==1007 filter=new filter=all filter=in truncate=200 syntax=%id%+%generated%+%source%+%strings%

But how can I do this? Any help?

  • Message #260

    Now this is a bit "off the top of my head" but how I "thought" when I designed the filters, so could be I am wrong here:

    (lines wrapped to make it simpler to read)
    command[check_example]=inject checkEventLog file=System filter=new filter=all MaxCrit=1 MaxWarn=1
    filter-generated=>3d filter-eventType==error filter-eventType==info
    filter.eventID==1 filter.eventID==14 filter.eventID==1003 filter.eventID==1007
    truncate=200 syntax=%id%+%generated%+%source%+%strings%
    

    First line: some "meta stuff". Second one: drop everything you don't want, i.e. old records, errors and then warnings. Then "allow" (but don't require) anything we do need (eventIDs) (notice the use of . and not +; the . means "if nothing else says remove then keep this one", whereas the + says "keep this, stop checking other things"). In this case (as they are the last ones) it won't matter, but if you reorder them (i.e. have the - ones last) it will matter, but it is generally faster to drop "first" and keep afterwards (since you usually get more rejects than hits).

    I probably should add a "filter-eventType=!warning" (unless there already is one so you can more easily exclude all event types of a specific kind, now I think this will work as is, but I need to verify this)

    Hope this helps to clarify it a bit, and I also hope this is how it works, maybe I am wrong here :)

    MickeM

  • Message #261

    Thank you for your rapid help MickeM, but it doesn't work.

    It shows me every ID of the last 3 days. The problem is, like you said, the "." says "keep this and go on".

    What I need is something like .ID==1 .ID==14 .ID==1003 .ID==1007 "AND NOW STOP SEARCHING" ;-)

    Hope you have an idea.

  • Message #262

    That is what it "should" do... so unless it found a "hit" earlier... in your "example" you had a lot of +:es that will break things for you, so "my" version should work (I hope). You had:

    ...filter+eventType==warning filter+generated=<3d filter+eventID==1...
    

    which essentially means: give me all warnings, and/or all "new" entries, and/or all eventid... etc... so use the . and - operator.

    The "+" is for when you want *all* matching a rule (for instance:)

    filter+eventType==error filter.generated=<3d filter.eventID==1
    

    will give you anything "new" matching event id 1 *and* all errors (regardless of age/eventid)

    but:

    filter.eventType==error filter-generated=>3d filter.eventID==1
    

    Will give you all errors (unless "old") and all records regarding event id 1 (unless "old").

    and:

    filter-eventType==error filter-generated=>3d filter.eventID==1
    

    Will give you all eventid 1 unless old and/or errors.

    Unfortunately there is no proper "expression parser" so you can't do "advanced" stuff really (in a simple way). Also you might wanna look into WMI if you have a "new" OS (there you can do more "select syntax" stuff, i.e. and/or/grouping and such). (Also if it does not do what I say, let me know your cmd and I shall look into it, might be a bug or two in there :)

    MickeM

  • Message #264

    My Command is:

    (lines wrapped to make it simpler to read)
    command[check_example]=inject checkEventLog file=System
    filter=new filter=all
    MaxCrit=1 MaxWarn=1
    filter-generated=>3d
    filter-eventType==error filter-eventType==info
    filter.eventID==1 filter.eventID==14 filter.eventID==1003
    filter.eventID==1007 truncate=1022 syntax=%id%
    

    and it shows me every ID of the last 3 days.

  • Message #265

    oki... sounds like something is broken then, I shall look into it when I get home tonight...

    MickeM

  • Message #267

    Sorry for not getting back sooner but I've been a tad busy the last few days. Anyways, this was a bug and has been fixed in the last nightly. I also checked the ! thingy and there was a != you could use, but I have (in the latest nightly) added a shorthand ! for it so you can now do:

    checkEventlog file=System filter=new filter=all truncate=1022 syntax=%id% MaxCrit=1 MaxWarn=1 filter-eventType=!warning filter.eventID==51
    

    and get all warnings for event-id 51 (add more id:s if you so wish :):

    51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, 51...
    
  • Message #268

    Thanks for your help, but there is still a problem with your check. I installed the latest nightly. I used your check command from the post above. This is what the log says:

    05-03-2008 16:15:44: debug:.\NSClient++.cpp:513: Injecting: check_example:
    05-03-2008 16:15:44: debug:.\NSClient++.cpp:513: Injecting: checkEventlog: file=System, filter=new, filter=all, truncate=1022, syntax=%id%, MaxCrit=1, MaxWarn=1, filter-eventType=, warning, filter.eventID==51
    05-03-2008 16:15:44: debug:.\NSClient++.cpp:533: Injected Result: WARNING 'Unknown filter key:  (numeric filters have to have an operator as well ie. foo=>5 or bar==5)'
    05-03-2008 16:15:44: debug:.\NSClient++.cpp:534: Injected Performance Result: ''
    05-03-2008 16:15:44: debug:.\NSClient++.cpp:533: Injected Result: WARNING 'Unknown filter key:  (numeric filters have to have an operator as well ie. foo=>5 or bar==5)'
    

    Do you have an idea where the problem is? Thanks, RoM

  • Message #269

    LOL, bangs are "separators" between arguments for NRPE (I only tried with a local command). Humm... that sort of sucks... anyways you can see the "problem" here:

    ,filter-eventType=, warning,
    

    I shall add a new <> you can use to "get around it" :) Check next nightly (in a few minutes)...

    MickeM

  • Message #270

    MickeM, you are the best ;)

    It works fantastic.

    Thank you for spending so much time in my Problem!!

  • Message #271

    Hi MickeM, bad news... it still doesn't work :(

    My Command is:

    command[check_example]=inject checkEventlog file=System filter=new filter=all truncate=240 syntax=%id% MaxCrit=1 MaxWarn=1 filter-eventType=<>warning filter.eventID==1 filter.eventID==14 filter.eventID==1003 filter-generated=>36h
    

    and it still also returns Error and Info.

    And the second problem i have is:

    command[check_er_source]=inject checkEventLog file=System filter=new MaxCrit=1 MaxWarn=1 filter-eventType=<>error filter.eventSource=Netlogon filter=all filter=in truncate=200 syntax=%id%
    

    It should return all Errors from the source "Netlogon", but it returns "OK" (the Event Viewer shows me a minimum of 5). I also tried the combinations:

    filter+eventSource=Netlogon
    filter.eventSource==Netlogon
    filter.eventSource=substr:Netlogon
    

    Any help?

    P.S. When the check commands are working, I would (if you want :) ) refresh the documentation part of the Check_eventlog.

    Thanks, RoM

  • Message #272

    Sorry for this... since I "first" checked < and then <> it of course thought that "< int('>warning')" was a better idea than "<> 'warning'" :) Fixed in the next nightly.

    As for the other issue a good thing might be to figure out "which rule" is "broken" that you can easily (well... maybe not but...) do by adding the following to nsc.ini:

    [EventLog]
    debug=1
    

    It will give you *a lot* of output so be warned (and it is probably a good idea to use the "proper syntax" so you can identify the items). It is not a good idea to use when you are not debugging things.

    d \checkeventlog.cpp(540) Matched: . (contiunue): event-id:  for: warning
    d \checkeventlog.cpp(529) Matched: - event-type:  for: info
    d \checkeventlog.cpp(540) Matched: . (contiunue): event-id:  for: warning
    d \checkeventlog.cpp(540) Matched: . (contiunue): event-id:  for: warning
    d \checkeventlog.cpp(529) Matched: - event-type:  for: info
    d \checkeventlog.cpp(540) Matched: . (contiunue): event-id:  for: warning
    d \checkeventlog.cpp(540) Matched: . (contiunue): event-id:  for: warning
    d \checkeventlog.cpp(529) Matched: - event-type:  for: error
    d \checkeventlog.cpp(529) Matched: - event-type:  for: info
    d \checkeventlog.cpp(529) Matched: - event-type:  for: error
    d \checkeventlog.cpp(540) Matched: . (contiunue): event-id:  for: warning
    d \checkeventlog.cpp(540) Matched: . (contiunue): event-id:  for: warning
    d \checkeventlog.cpp(540) Matched: . (contiunue): event-id:  for: warning
    

    How to read it you say? Well... sort of like this: "Matched: - event-type" == a rule along the lines of filter-eventType, and the "for:" is the rendered (same as output) eventlog entry that matched. For the .:ed ones you get a hit for "." and possibly (afterwards) a - or + that will terminate the chain.

    But try issue 2 with the next nightly, might be fixed automagically with the working <> fix.

    (nightly out in a bit) Michael Medin
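To make the filter-chain semantics from #262 and the operator-ordering slip from #272 concrete, here is an added Python model of the rule walk; it is not NSClient++ code, and the sample entries, the operator list and the rule that an entry no filter keeps is dropped are assumptions of this example.

```python
import re
# Constructed sample entries (not from the thread): (event id, type, age in hours)
EVENTS = [(1, "warning", 5), (14, "warning", 20), (99, "warning", 3),
          (1, "error", 1), (1003, "info", 2), (1007, "warning", 100)]
KEYS = {"eventID": 0, "eventType": 1, "generated": 2}
# Longest operator first: "<>" must be tried before "<", otherwise
# "<>warning" is read as "<" plus ">warning" (the ordering bug in #272).
OPS = ["<>", "!", "=", ">", "<"]

def parse_rule(arg, ops=OPS):
    """'filter-eventType=<>warning' -> ('-', 'eventType', '<>', 'warning')."""
    mode, key, rest = re.fullmatch(r"filter([-+.])(\w+)=(.*)", arg).groups()
    for op in ops:
        if rest.startswith(op):
            return mode, key, op, rest[len(op):]
    return mode, key, "=", rest          # bare value: plain equality

def hours(v):                            # "3d" -> 72, "36h" -> 36
    return int(v[:-1]) * (24 if v.endswith("d") else 1)

def matches(ev, key, op, value):
    actual = ev[KEYS[key]]
    want = {"generated": hours, "eventID": int}.get(key, str)(value)
    if op in ("<>", "!"):
        return actual != want
    return {"=": actual == want, ">": actual > want, "<": actual < want}[op]

def run_chain(args, events=EVENTS):
    """Walk the rules in order: '-' drops and stops, '+' keeps and stops, '.'
    keeps and continues (assumption: an entry no rule keeps is dropped)."""
    rules = [parse_rule(a) for a in args if re.match(r"filter[-+.]", a)]
    kept = []
    for ev in events:
        keep = False
        for mode, key, op, value in rules:
            if matches(ev, key, op, value):
                keep = mode != "-"
                if mode != ".":
                    break
        if keep:
            kept.append(ev[0])
    return kept

# The original post's "+" chain: each hit keeps and stops, so the result is
# the union (all warnings OR anything under 3 days OR the listed ids).
PLUS_CHAIN = ["filter-eventType==info", "filter+eventType==warning",
              "filter+generated=<3d", "filter+eventID==1", "filter+eventID==14"]
# MickeM's chain from #260: drop old/error/info first, then keep wanted ids.
DOT_CHAIN = ["filter-generated=>3d", "filter-eventType==error",
             "filter-eventType==info", "filter.eventID==1", "filter.eventID==14"]
```

Running `run_chain(PLUS_CHAIN)` returns the error and the 100-hour-old warning alongside the wanted ids, while `run_chain(DOT_CHAIN)` returns only ids 1 and 14; a "." hit is still undone by a later "-" rule, which is why the drops go first.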
