NSClient++ Help (#1) - Eventlog Filter 0.4.2 (#991) - Message List

Eventlog Filter 0.4.2

Hello,

I have a little problem with the new filter.

I want to transmit all Eventlog entries with Type (Level) Error to Icinga in state Critical.

Can anyone send me the filter?

settings/eventlog/real-time/filters/eventlog filter=??????? severity = CRITICAL

Thanks

Jörg

  • Message #2648

    Hello,

    Thanks -- it works fine...

    Greetings from Germany

    Jörg

  • Message #2644

    Sorry... I feel almost stupid...

    it should be ...type = 'error'...

    The error is a string not a variable :)

    Michael Medin

  • Message #2643

    Sorry, I forgot; I will try to check this (and the auto-lc) tonight... hopefully something new tomorrow...

  • Message #2642

    Hello,

    have you looked at this?

    thanks,

    Jörg

  • Message #2636

    Well, the error is with the filter:

    e og\CheckEventLog.cpp:152  Error validating filter: Invalid types: Variable not
     found: error
    

    This means the filter (I should probably add so it displays which one) was not parsed. Not sure why; I can look into this when I get back home...

  • Message #2635

    Hello,

    Yes, thread 529 is known.

    My problem is still there :-( No filter matches...

    nsclient.ini

    [/modules]
    CheckDisk = 1
    CheckEventLog = 1
    CheckExternalScripts = 1
    CheckHelpers = 1
    CheckSystem = 1
    CheckWMI = 1
    NRPEServer = 1
    NSCAClient = 1
    NSClientServer = 1
    [/settings/default]
    allowed hosts = XXX.XXX.XXX.XXX
    cache allowed hosts = true
    password =
    certificate = ${certificate-path}/nrpe_dh_512.pem
    timeout = 30
    use ssl = true
    [/settings/NRPE/server]
    allow arguments = true
    allow nasty characters = true
    port = 5666
    [/settings/NSCA/client]
    channel = NSCA
    hostname = nissen3
    [/settings/NSCA/client/targets/default]
    address = nsca://XXX.XXX.XXX.XXX:5667
    encryption = des
    timeout = 30
    [/settings/NSClient/server]
    performance data = true
    port = 12489
    [/settings/check/system/windows]
    default = true
    default buffer length = 1h
    [/settings/check/system/windows/service mapping]
    [/settings/crash]
    archive = true
    archive folder = ${shared-path}/crash-dumps
    restart = true
    restart target = NSClientpp
    submit = false
    submit url = http://crash.nsclient.org/submit
    [/settings/eventlog]
    buffer size = 131072
    debug = true
    lookup names = true
    syntax =
    [/settings/eventlog/real-time]
    destination=NSCA
    debug = true
    enable active = true
    enabled = true
    log = application
    maximum age = 5m
    startup age = 30m
    [/settings/eventlog/real-time/filters/errors]
    filter=type = error
    severity = CRITICAL
    syntax=The end is neigh: %message%
    ok message = Seems we are doing ok
    command=my_eventlog_check
    [/settings/external scripts]
    allow arguments = true
    allow nasty characters = true
    script path =
    timeout = 60
    [/settings/external scripts/alias]
    [/settings/external scripts/scripts]
    [/settings/external scripts/wrapped scripts]
    [/settings/external scripts/wrappings]
    bat = scripts\\%SCRIPT% %ARGS%
    ps1 = cmd /c echo scripts\\%SCRIPT% %ARGS%; exit($lastexitcode) | powershell.exe -command -
    vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%
    [/settings/log]
    date format = %Y-%m-%d %H:%M:%S
    file name = ${exe-path}/nsclient.log
    level = debug
    [/settings/log/file]
    max size = 0
    [/settings/shared session]
    enabled = false
    [/settings/targets]
    

    test command

    nscp eventlog --exec insert-eventlog --source "Application Error" --id 1000 --level error --category 0
    

    Debug information

    System.dll as )
    d rvice\NSClient++.cpp:830  addPlugin(C:/Program Files/NSClient++//modules/Check
    WMI.dll as )
    d rvice\NSClient++.cpp:830  addPlugin(C:/Program Files/NSClient++//modules/NRPES
    erver.dll as )
    d rvice\NSClient++.cpp:830  addPlugin(C:/Program Files/NSClient++//modules/NSCAC
    lient.dll as )
    d rvice\NSClient++.cpp:830  addPlugin(C:/Program Files/NSClient++//modules/NSCli
    entServer.dll as )
    d rvice\NSClient++.cpp:807  Loading plugin: CheckDisk
    d rvice\NSClient++.cpp:807  Loading plugin: Event log Checker.
    d rvice\NSClient++.cpp:807  Loading plugin: Check External Scripts
    e og\CheckEventLog.cpp:152  Error validating filter: Invalid types: Variable not
     found: error
    d rvice\NSClient++.cpp:807  Loading plugin: Helper function
    d eventlog_wrapper.cpp:80   Attempting to match: Anwendung with application
    d rvice\NSClient++.cpp:807  Loading plugin: CheckSystem
    d eventlog_wrapper.cpp:80   Attempting to match: Hardware-Ereignisse with applic
    ation
    d rvice\NSClient++.cpp:807  Loading plugin: CheckWMI
    d tem\PDHCollector.cpp:91   Loading counters...
    d eventlog_wrapper.cpp:80   Attempting to match: Microsoft Office Alerts with ap
    plication
    d rvice\NSClient++.cpp:807  Loading plugin: NRPE server
    d tem\PDHCollector.cpp:94   Loading counter: memory commit limit = \4\30
    d eventlog_wrapper.cpp:80   Attempting to match: Sicherheit with application
    e erver\NRPEServer.cpp:125  Certificate key not found: C:/Program Files/NSClient
    ++//security/certificate_key.pem
    d eventlog_wrapper.cpp:80   Attempting to match: System with application
    d erver\NRPEServer.cpp:130  Allowed hosts definition: XXX.XXX.XXX.XXX(255.255.255.
    255)
    d tem\PDHCollector.cpp:103  Counter status: -1073738823: Der angegebene Leistung
    sindikator wurde nicht gefunden.
    d tem\PDHCollector.cpp:94   Loading counter: cpu = \238(_total)\6
    d tem\PDHCollector.cpp:94   Loading counter: memory commit bytes = \4\26
    d tem\PDHCollector.cpp:103  Counter status: -1073738823: Der angegebene Leistung
    sindikator wurde nicht gefunden.
    d tem\PDHCollector.cpp:94   Loading counter: uptime = \2\674
    d tem\PDHCollector.cpp:103  Counter status: -1073738823: Der angegebene Leistung
    sindikator wurde nicht gefunden.
    d de\socket/server.hpp:81   Using SSL: ssl: none, cert: C:/Program Files/NSClien
    t++//security/nrpe_dh_512.pem (PEM), C:/Program Files/NSClient++//security/certi
    ficate_key.pem, dh: C:/Program Files/NSClient++//security/nrpe_dh_512.pem, ciphe
    rs: ADH, ca: C:/Program Files/NSClient++//security/ca.pem
    d de\socket/server.hpp:97   Attempting to bind to: :5666
    d de\socket/server.hpp:107  Bound to: :5666
    d rvice\NSClient++.cpp:807  Loading plugin: NSCAClient
    d rvice\NSClient++.cpp:807  Loading plugin: NSClient server
    d r\NSClientServer.cpp:136  Allowed hosts definition: XXX.XXX.XXX.XXX(255.255.255.
    255)
    d de\socket/server.hpp:97   Attempting to bind to: :12489
    d de\socket/server.hpp:107  Bound to: :12489
    d rvice\NSClient++.cpp:604  NSClient++ - 0,4,1,3 2012-06-08 Started!
    l ce\simple_client.hpp:32   Enter command to inject or exit to terminate...
    d og\CheckEventLog.cpp:125  No filter matched: error Application Error: Name der
     Berichtskennung: %13n Moduls: %12%11: 0x%10%5, Zeitstempel: 0x%6
    
  • Message #2627

    If you check #529 it has good information on how to do something a bit more advanced but should hopefully be a good starting point.

    As it seems the syntax I have now is "ok", I shall start writing some documentation about it, hopefully this or next week...

    But some short pseudo configuration for you:

    [/settings/eventlog/real-time]
    enabled=true
    [/settings/eventlog/real-time/filters/errors]
    filter=type = error
    severity = CRITICAL
    destination=NSCA
    syntax=The end is neigh: %message%
    ok message = Seems we are doing ok
    command=my_eventlog_check
    

    In addition to this you also need to configure NSCAClient (again pseudo configuration as I don't recall the syntax off the top of my head):

    [/settings/NSCA/client/targets/default]
    address=192.168.0.1:5667
    encryption=aes
    password=very-very-secret
    

    Michael Medin
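
An added example, not part of the original thread and not NSClient++ code: a small Python check over an nsclient.ini that flags the unquoted filter literal behind the "Variable not found: error" message, plus two settings from the posted config (`allow nasty characters` together with `allow arguments`, and `encryption = des`). The sample INI is a constructed excerpt, the function names are hypothetical, and the bare-word regex is a heuristic, not the real filter grammar.

```python
import re

# Constructed excerpt of the nsclient.ini posted in the thread.
SAMPLE_INI = """\
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true
[/settings/NSCA/client/targets/default]
encryption = des
[/settings/eventlog/real-time/filters/errors]
filter=type = error
severity = CRITICAL
"""

# Heuristic only (assumption, not the NSClient++ grammar): a bare word on the
# right of '=' is read as a variable name, which is what the thread's error shows.
BARE_RHS = re.compile(r"=\s*([A-Za-z_]\w*)")

def parse_ini(text):
    """Return {section: {key: value}}, splitting each line on its first '='."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return (section, key, finding) tuples for the settings discussed in the thread."""
    findings = []
    for section, opts in parse_ini(text).items():
        enabled = lambda k: opts.get(k, "").lower() in ("true", "1")
        if "/filters/" in section and "filter" in opts:
            for word in BARE_RHS.findall(opts["filter"]):
                findings.append((section, "filter",
                    f"bare word {word} is parsed as a variable; quote it as '{word}'"))
        if enabled("allow arguments") and enabled("allow nasty characters"):
            findings.append((section, "allow nasty characters",
                "remote arguments may carry shell metacharacters"))
        if opts.get("encryption", "").lower() == "des":
            findings.append((section, "encryption",
                "DES is a weak cipher; the thread's own example uses aes"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```
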
