Context Navigation

NSClient++ Help (#1) - problem with checking event log - w2k8r2 [SOLVED] (#643) - Message List

problem with checking event log - w2k8r2 [SOLVED]

Hello,

i have problem with enumerating filtered events form Windows Server 2008 r2 (nagios is on centos 5.4).

There is a problem with filtering. i try to filter as below

/usr/local/nagios/libexec/check_nrpe -H 192.168.1.101 -p 5666 -c CheckEventLog -a file=system "filter=generated > -1d AND severity NOT IN ('success', 'informational'" MaxWarn=5 MaxCrit=6 "syntax=%id%:%type%:%severity%:%count%" unique

and i see that this found severity success and informational but there is NOT IN

3:info:informational:3, 4:info:informational:1, 6:info:success:10, 12:warning:success:2, 12:info:success:2, 13:info:success:1, 26:info:success:2, 29:warning:warning:1, 109:info:success:1, 139:info:success:2, 143:info:success:2, 219:warning:success:4, 1014:warning:success:2, 1054:error:success:14, 1058:error:success:51, 1074:info:warning:2, 1501:info:success:1, 4200:info:success:2, 5719:error:success:1, 5775:error:success:9, 5781:warning:success:3, 5784:info:success:3, 5792:info:success:12, 6005:info:warning:2, 6006:info:warning:1, 6009:info:warning:2, 6013:info:warning:3, 7000:error:error:2, 7001:info:success:2, 7002:info:success:1, 7036:info:informational:221, 10148:info:success:2, 10154:warning:success:2, 14531:info:informational:2, 14533:info:informational:2, 15007:info:informational:2, 15008:info:informational:2, 20010:info:success:3, 40961:warning:success:2, 50036:info:success:2, 50037:info:success:1, 51046:info:success:2, 51047:info:success:1, eventlog: 388 > critical|'eventlog'=388;5;6;

so i changed NOT IN to IN and it gaves me:

3:info:informational:3, 4:info:informational:1, 6:info:success:10, 12:warning:success:2, 12:info:success:2, 13:info:success:1, 26:info:success:2, 29:warning:warning:1, 109:info:success:1, 139:info:success:2, 143:info:success:2, 219:warning:success:4, 1014:warning:success:2, 1054:error:success:14, 1058:error:success:52, 1074:info:warning:2, 1501:info:success:1, 4200:info:success:2, 5719:error:success:1, 5775:error:success:9, 5781:warning:success:3, 5784:info:success:3, 5792:info:success:12, 6005:info:warning:2, 6006:info:warning:1, 6009:info:warning:2, 6013:info:warning:3, 7000:error:error:2, 7001:info:success:2, 7002:info:success:1, 7036:info:informational:221, 10148:info:success:2, 10154:warning:success:2, 14531:info:informational:2, 14533:info:informational:2, 15007:info:informational:2, 15008:info:informational:2, 20010:info:success:3, 40961:warning:success:2, 50036:info:success:2, 50037:info:success:1, 51046:info:success:2, 51047:info:success:1, eventlog: 389 > critical|'eventlog'=389;5;6;

the same output. something wrong with filter the same situation is with %type%

in w2k8 there is not as severity or type but level - it could be added. i would like to find only error event and monitor their number per day but can not :(

thx for every tip for it in advance

Voytas

Tree View Flat View (newer first) Flat View (older first)

Message #1915
according to filtering with %type% i found out if i change strings for digits there is OK i.e.
```
"filter=type = 1 AND generated > -1d"
```
is OK type 1 = error type 2 = warning ...
voytas

08/01/10 20:32:40 (3 years ago)

Message #1916

The problem is that you have not terminated the expression correctly:

..."filter=generated > -1d AND severity NOT IN ('success', 'informational'"...

Notice the missing ) in the NOT IN (... expression...

If you enable "debug" like so:

CheckEventLog file=system debug=true "filter=generated > -1d AND severity NOT IN ('success', 'informational'" MaxWarn=5 MaxCrit=6 "syntax=%id%:%type%:%severity%:%count%" unique

You can "sort of" see this in the resulting expression...

d \CheckEventLog.cpp(693) Using: where generated > -1d AND severity NOT IN ('success', 'informational'
d \CheckEventLog.cpp(344) Parsing: generated > -1d AND severity NOT IN ('success', 'informational'
d \CheckEventLog.cpp(352) Parsing succeeded: {tbd}op:>({tbd}:generated, {tbd}fun:neg({tbd}fun:convert({tbd} { {tbd}#1, {tbd}'d',  } )))
d \CheckEventLog.cpp(359) Type resolution succeeded: {bool}op:>({date}:generated, {date}fun:neg({date}fun:convert({tbd} { {tbd}#1, {tbd}'d',  } )))
d \CheckEventLog.cpp(366) Binding succeeded: {bool}op:>({date}:generated, {date}fun:bound:neg({date}fun:bound:convert({tbd} { {tbd}#1, {tbd}'d',  } )))
d \CheckEventLog.cpp(373) Static evaluation succeeded: {bool}op:>({date}:generated, {date}#1280603923)

The hint here is: {bool}op:>({date}:generated, {date}#1280603923) This is the final expression you will be using (when strippping out meta chars): > ( generated, 1280603923) As you can see the erroneous part has been "removed" along the parsing and evaluation of the expression.

I probably should improve the error reporting here though to make it tell you it is incorrect.

Context Navigation

NSClient++ Help (#1) - problem with checking event log - w2k8r2 [SOLVED] (#643) - Message List

Subscriptions

Download in other formats: