NSClient++ Help (#1) - Check Event Log filter+message (#145) - Message List
I am trying to run a check for a specific message in the event log.
I want to find Event IDs that equal 2005, in the Application log, in the last 7 days, and have the word "butch" in the message section of the event.
I can get the check to work and find the 2005 id and errors but not filtering down to the message.
Command is listed below:
./check_nrpe -H 192.168.4.25 -c CheckEventLog -a filter=new file=application MaxWarn=1 MaxCrit=2 filter+generated==\7d filter+eventType==error filter+eventID==2005 filter+message==substr:"butch" filter=in filter=all
Any help is appreciated.
Message #386
humm, let me check on this and get back to you...
MickeM
mickem 05/08/08 12:06:52 (5 years ago)
Message #1121
Hmmmm,
Made some "progress". I am not sure why, but I have found that I can get a filter to work if I look for one of the "values" from the event message, say User32, but if I try to filter on the "description", Logon Process:, I get no matches.
In my case I want to look for a logon type of 10, so looking for the string 10 is not going to be sure to only get the messages I want, so I can't just filter using the "value"; I need to look for the "description" followed by the "value"...
Not sure what to do next...
mark 03/09/09 18:51:30 (4 years ago)
Message #1097
I have this problem also, using the latest stable release and the latest RC.
I can filter 528 events in the Security log (logon) and want to look for those via Terminal Services, so I need to look for Logon Type: 10 in the message. I can use this type of filtering for some messages with other event IDs and this works fine; however, if I filter for 528 events I get all matches, but if I ask for only those with the message substr I get no matches. I also tried just Logon, to discount quoting-string funnies; no help.
mark 03/02/09 14:13:04 (4 years ago)
Message #1099
Not sure why this does not work (it should). The substring should not be preceded by 2 equal signs but that is all.
so:
filter+message=substr:butch
should work...
MickeM
mickem 03/02/09 18:30:00 (4 years ago)
Message #1117
Thanks for the info, but that doesn't seem to help with my problem. Maybe the output from running in test mode will help explain things better than I have above (using the latest RC of the program):
l NSClient++.cpp(386) Enter command to inject or exit to terminate...
CheckEventLog descriptions "syntax=%written%:%type%:%severity%:%source%:%id%:%me
ssage%" truncate=8000 file=security filter=new filter+generated=<1h filter+event
ID==528 MaxWarn=1 MaxCrit=2
d NSClient++.cpp(1017) Injecting: CheckEventLog: descriptions, syntax=%written%:
%type%:%severity%:%source%:%id%:%message%, truncate=8000, file=security, filter=
new, filter+generated=<1h, filter+eventID==528, MaxWarn=1, MaxCrit=2
result: eventlog: 4 > critical--
d NSClient++.cpp(1053) Injected Result: CRITICAL 'Thursday, March 05, 2009 15:32, Thursday, March 05, 2009 16:00:23:auditSuccess:success:Security:528:Successfu[[BR]] , Thursday, March 05, 2009 16:02:51:auditSuccess:success:Security:528:Successfu[[BR]] , Thursday, March 05, 2009 16:03:24:auditSuccess:success:Security:528:Successfu[[BR]] , eventlog: 4 > critical'127.0.0.1
d NSClient++.cpp(1054) Injected Performance Result: eventlog'=4;1;2; '
CRITICAL:Thursday, March 05, 2009 15:32:03:auditSuccess:success:Security:528:Suc, Thursday, March 05, 2009 16:00:23:auditSuccess:success:Security:528:Successfu[[BR]] , Thursday, March 05, 2009 16:02:51:auditSuccess:success:Security:528:Successfu[[BR]] , Thursday, March 05, 2009 16:03:24:auditSuccess:success:Security:528:Successfu[[BR]] , eventlog: 4 > critical|'eventlog'=4;1;2;
CheckEventLog descriptions "syntax=%written%:%type%:%severity%:%source%:%id%:%me
ssage%" truncate=8000 file=security filter=new filter+generated=<1h filter+event
ID==528 filter+message=substr:Logon MaxWarn=1 MaxCrit=2
d NSClient++.cpp(1017) Injecting: CheckEventLog: descriptions, syntax=%written%:
%type%:%severity%:%source%:%id%:%message%, truncate=8000, file=security, filter=
new, filter+generated=<1h, filter+eventID==528, filter+message=substr:Logon, Max
Warn=1, MaxCrit=2
result: --
d NSClient++.cpp(1053) Injected Result: OK 'Eventlog check ok'
d NSClient++.cpp(1054) Injected Performance Result: eventlog'=0;1;2; '
OK:Eventlog check ok|'eventlog'=0;1;2;
The two commands should generate the same result, I think. The contents of event 528 from Event Viewer is:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 05/03/2009
Time: 16:03:24
User: <removed>\<removed>
Computer: <removed>
Description:
Successful Logon:
User Name: <removed>
Domain: <removed>
Logon ID: (0x0,0x70ABBA)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: <removed>
Logon GUID: -
Caller User Name: <removed>$
Caller Domain: <removed>
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 356
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I have checked the syntax against the documentation but I guess I must be missing something?
mark 03/05/09 17:39:19 (4 years ago)
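An added cross-check, not from this thread and not NSClient++ code: a Windows PowerShell script that applies the same three filters the test-mode commands above use (time window, event ID, message substring) with Get-EventLog against the native Security log and reports in the same CRITICAL/WARNING/OK plus perfdata shape, so the count of 528 events that really carry "Logon Type: 10" can be compared with what CheckEventLog returns. The regex, the 80-character truncation and the defaults are assumptions; reading the Security log requires an elevated session.

```powershell
# Added example, not part of NSClient++: emulate
#   CheckEventLog file=security filter+generated=<7d filter+eventID==528 filter+message=substr:...
# with Get-EventLog (Windows PowerShell; run elevated to read the Security log).
param(
    [string]$LogName = 'Security',
    [int]   $EventId = 528,
    [int]   $Days    = 7,
    # Assumed pattern: the description label followed by its value, as asked for in the thread,
    # anchored at end of line so "Logon Type: 100" or a Logon ID containing 10 does not match.
    [string]$Pattern = 'Logon Type:\s+10(\r|\n|$)',
    [int]   $MaxWarn = 1,
    [int]   $MaxCrit = 2
)

$since = (Get-Date).AddDays(-$Days)
# -InstanceId matches the classic Event ID column; -After is the filter+generated window.
$hits = @(Get-EventLog -LogName $LogName -After $since -InstanceId $EventId |
          Where-Object { $_.Message -match $Pattern })
$count = $hits.Count

# Same column order as the descriptions syntax used in the thread:
# %written%:%type%:%source%:%id%:%message% (message truncated to 80 chars here, an assumption).
$descriptions = $hits | ForEach-Object {
    $msg = ($_.Message -replace '\s+', ' ')
    $msg = $msg.Substring(0, [Math]::Min(80, $msg.Length))
    '{0}:{1}:{2}:{3}:{4}' -f $_.TimeGenerated, $_.EntryType, $_.Source, $_.InstanceId, $msg
}

# Threshold logic as in the page's output: count above MaxCrit is CRITICAL, above MaxWarn is WARNING.
if     ($count -gt $MaxCrit) { $state = 'CRITICAL'; $exitCode = 2 }
elseif ($count -gt $MaxWarn) { $state = 'WARNING';  $exitCode = 1 }
else                         { $state = 'OK';       $exitCode = 0 }

$perf = "'eventlog'=$count;$MaxWarn;$MaxCrit;"
if ($count -eq 0) {
    Write-Output "${state}:Eventlog check ok|$perf"
} else {
    Write-Output ('{0}:{1}, eventlog: {2} > {3}|{4}' -f $state, ($descriptions -join ', '),
                  $count, $state.ToLower(), $perf)
}
exit $exitCode
```

If this script reports hits while the CheckEventLog command with filter+message returns 0, the events exist and the discrepancy lies in how the filter string is parsed, not in the log.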