Opened 3 years ago

Closed 16 months ago

#416 closed defect (fixed)

CheckEventLog - Will not filter correctly on auditFailure

Reported by: djlewis78 Owned by: mickem
Priority: 1 Milestone: 0.4.0
Component: CheckEventlog Version: 0.3.8
Severity: Bugs Keywords: CheckEventLog auditFailure
Cc: djlewis78@…

Description

Module version: 0.3.8.76 (x64)

I have tried to get all failed logon events from the security log with no success. Below are some tests I have run:

##########
# Test 1
##########

-intro-
In this command I want to view auditFailures in the security log using type as the filter since severity only reports success.

-command-

/usr/local/libexec/nagios/check_nrpe2 -H 192.168.1.29 -c CheckEventLog -a debug=true file=Security MaxCrit=1 "filter=generated gt -1d AND type = 'auditFailure'" truncate=800 unique "syntax=%source%: (%count%) %id% %type% %severity%"

-returns-

Eventlog check ok|'eventlog'=0;0;1;

-debug-

d NSClient++.cpp(1106) Injecting: CheckEventLog: debug=true, file=Security, MaxCrit=1, filter=generated gt -1d AND type = 'auditFailure', truncate=800, unique, syntax=%source%: (%count%) %id% %type% %severity%
d \CheckEventLog.cpp(671) Filter:
d \CheckEventLog.cpp(693) Using: where generated gt -1d AND type = 'auditFailure'
d \CheckEventLog.cpp(344) Parsing: generated gt -1d AND type = 'auditFailure'
d \CheckEventLog.cpp(352) Parsing succeeded: {tbd}op:and({tbd}op:>({tbd}:generated, {tbd}fun:neg({tbd}fun:convert({tbd} { {tbd}#1, {tbd}'d',  } ))), {tbd}op:=({tbd}:type,{tbd}'auditFailure'))
d \CheckEventLog.cpp(359) Type resolution succeeded: {bool}op:and({bool}op:>({date}:generated, {date}fun:neg({date}fun:convert({tbd} { {tbd}#1, {tbd}'d',  } ))), {bool}op:=({int}:type, {int}fun:auto_convert({string}'auditFailure')))
d \CheckEventLog.cpp(366) Binding succeeded: {bool}op:and({bool}op:>({date}:generated, {date}fun:bound:neg({date}fun:bound:convert({tbd} { {tbd}#1, {tbd}'d',  } ))), {bool}op:=({int}:type, {int}fun:bound:auto_convert({string}'auditFailure')))
d \CheckEventLog.cpp(373) Static evaluation succeeded: {bool}op:and({bool}op:>({date}:generated, {date}#1288489232), {bool}op:=({int}:type, {int}#0))
d \CheckEventLog.cpp(700) Boot time: 160
d \CheckEventLog.cpp(484) Attempting to match: Application with Security
d \CheckEventLog.cpp(484) Attempting to match: Security with Security
d \CheckEventLog.cpp(793) Evaluation time: 1870
d NSClient++.cpp(1142) Injected Result: OK 'Eventlog check ok'
d NSClient++.cpp(1143) Injected Performance Result: ''eventlog'=0;0;1; '

##########
# Test 2
##########

-intro-
In this call I have 529 and 680 failures in the security log that I am specifically requesting. This results in 680 results coming back that also include the 'auditSuccess' events, which is something that I am trying to filter out.

-command-

/usr/local/libexec/nagios/check_nrpe2 -H 192.168.1.29 -c CheckEventLog -a debug=true file=Security MaxCrit=1 "filter=generated gt -1d AND (id = '680' OR id = '529')" truncate=800 unique "syntax=%source%: (%count%) %id% %type% %severity%"

-returns-

Security: (3) 529 auditFailure success, Security: (5) 680 auditSuccess success, Security: (3) 680 auditFailure success, eventlog: 11 > critical|'eventlog'=11;0;1;

-debug-

d NSClient++.cpp(1106) Injecting: CheckEventLog: debug=true, file=Security, MaxCrit=1, filter=generated gt -1d AND (id = '680' OR id = '529'), truncate=800, unique, syntax=%source%: (%count%) %id% %type% %severity%
d \CheckEventLog.cpp(671) Filter:
d \CheckEventLog.cpp(693) Using: where generated gt -1d AND (id = '680' OR id = '529')
d \CheckEventLog.cpp(344) Parsing: generated gt -1d AND (id = '680' OR id = '529')
d \CheckEventLog.cpp(352) Parsing succeeded: {tbd}op:and({tbd}op:>({tbd}:generated, {tbd}fun:neg({tbd}fun:convert({tbd} { {tbd}#1, {tbd}'d',  } ))), {tbd}op:or({tbd}op:=({tbd}:id, {tbd}'680'), {tbd}op:=({tbd}:id, {tbd}'529')))
d \CheckEventLog.cpp(359) Type resolution succeeded: {bool}op:and({bool}op:>({date}:generated, {date}fun:neg({date}fun:convert({tbd} { {tbd}#1, {tbd}'d',  } ))), {bool}op:or({bool}op:=({int}:id, {int}fun:auto_convert({string}'680')), {bool}op:=({int}:id, {int}fun:auto_convert({string}'529'))))
d \CheckEventLog.cpp(366) Binding succeeded: {bool}op:and({bool}op:>({date}:generated, {date}fun:bound:neg({date}fun:bound:convert({tbd} { {tbd}#1, {tbd}'d',  } ))), {bool}op:or({bool}op:=({int}:id, {int}fun:bound:auto_convert({string}'680')), {bool}op:=({int}:id, {int}fun:bound:auto_convert({string}'529'))))
d \CheckEventLog.cpp(373) Static evaluation succeeded: {bool}op:and({bool}op:>({date}:generated, {date}#1288489311), {bool}op:or({bool}op:=({int}:id, {int}#680), {bool}op:=({int}:id, {int}#529)))
d \CheckEventLog.cpp(700) Boot time: 150
d \CheckEventLog.cpp(484) Attempting to match: Application with Security
d \CheckEventLog.cpp(484) Attempting to match: Security with Security
d \CheckEventLog.cpp(793) Evaluation time: 1880
d NSClient++.cpp(1142) Injected Result: CRITICAL 'Security: (3) 529 auditFailure success, Security: (5) 680 auditSuccess success, Security: (3) 680 auditFailure success, eventlog: 11 > critical'
d NSClient++.cpp(1143) Injected Performance Result: ''eventlog'=11;0;1; '

##########
# Test 3
##########

-intro-
In this call I have 529 and 680 failures in the security log that I am specifically requesting, as well as filtering only for a 'type' that is an auditFailure, as shown in the result returned above.

-command-

/usr/local/libexec/nagios/check_nrpe2 -H 192.168.1.29 -c CheckEventLog -a debug=true file=Security MaxCrit=1 "filter=generated gt -1d AND (id = '680' OR id = '529') AND type = 'auditFailure'" truncate=800 unique "syntax=%source%: (%count%) %id% %type% %severity%"

-returns-

Eventlog check ok|'eventlog'=0;0;1

-debug-

d NSClient++.cpp(1106) Injecting: CheckEventLog: debug=true, file=Security, MaxCrit=1, filter=generated gt -1d AND (id = '680' OR id = '529') AND type = 'auditFailure', truncate=800, unique, syntax=%source%: (%count%) %id% %type% %severity%
d \CheckEventLog.cpp(671) Filter:
d \CheckEventLog.cpp(693) Using: where generated gt -1d AND (id = '680' OR id = '529') AND type = 'auditFailure'
d \CheckEventLog.cpp(344) Parsing: generated gt -1d AND (id = '680' OR id = '529') AND type = 'auditFailure'
d \CheckEventLog.cpp(352) Parsing succeeded: {tbd}op:and({tbd}op:and({tbd}op:>({tbd}:generated, {tbd}fun:neg({tbd}fun:convert({tbd} { {tbd}#1, {tbd}'d',  } ))), {tbd}op:or({tbd}op:=({tbd}:id, {tbd}'680'), {tbd}op:=({tbd}:id, {tbd}'529'))), {tbd}op:=({tbd}:type, {tbd}'auditFailure'))
d \CheckEventLog.cpp(359) Type resolution succeeded: {bool}op:and({bool}op:and({bool}op:>({date}:generated, {date}fun:neg({date}fun:convert({tbd} { {tbd}#1, {tbd}'d',  } ))), {bool}op:or({bool}op:=({int}:id, {int}fun:auto_convert({string}'680')), {bool}op:=({int}:id, {int}fun:auto_convert({string}'529')))), {bool}op:=({int}:type, {int}fun:auto_convert({string}'auditFailure')))
d \CheckEventLog.cpp(366) Binding succeeded: {bool}op:and({bool}op:and({bool}op:>({date}:generated, {date}fun:bound:neg({date}fun:bound:convert({tbd} { {tbd}#1, {tbd}'d',  } ))), {bool}op:or({bool}op:=({int}:id, {int}fun:bound:auto_convert({string}'680')), {bool}op:=({int}:id, {int}fun:bound:auto_convert({string}'529')))), {bool}op:=({int}:type, {int}fun:bound:auto_convert({string}'auditFailure')))
d \CheckEventLog.cpp(373) Static evaluation succeeded: {bool}op:and({bool}op:and({bool}op:>({date}:generated, {date}#1288489402), {bool}op:or({bool}op:=({int}:id, {int}#680), {bool}op:=({int}:id, {int}#529))), {bool}op:=({int}:type, {int}#0))
d \CheckEventLog.cpp(700) Boot time: 310
d \CheckEventLog.cpp(484) Attempting to match: Application with Security
d \CheckEventLog.cpp(484) Attempting to match: Security with Security
d \CheckEventLog.cpp(793) Evaluation time: 2030
d NSClient++.cpp(1142) Injected Result: OK 'Eventlog check ok'
d NSClient++.cpp(1143) Injected Performance Result: ''eventlog'=0;0;1; '

-thoughts-
As can be seen in the return outputs, I am unable to filter for audit failures only. I can only believe that the query is not referencing the correct enum? Just a stab in the dark.
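The following Python is an added example, not NSClient++ code and not posted by the reporter or maintainer. It mirrors what the Test 1 and Test 3 debug output shows, `{string}'auditFailure'` being statically evaluated to `{int}#0`: a type keyword that has no integer form silently becomes 0 (EVENTLOG_SUCCESS), so the `type` clause can never match audit events, and the check reports OK even when failed logons are present. Beside that broken conversion it shows a strict converter that maps keywords to the Win32 EVENTLOG_* flag values (from winnt.h) and rejects unknown keywords, and a summary that formats matches like the ticket's `unique` output. The event list, keyword table and function names are constructed for this example and are assumptions, not NSClient++'s implementation.

```python
"""Event-type filtering with a broken and a strict string-to-type conversion.

Added example, not NSClient++ code. Constants are the Win32 EVENTLOG_* bit
flags from winnt.h; the events and keyword table are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set

# Win32 event type flags (winnt.h).
EVENTLOG_SUCCESS = 0x0000
EVENTLOG_ERROR_TYPE = 0x0001
EVENTLOG_WARNING_TYPE = 0x0002
EVENTLOG_INFORMATION_TYPE = 0x0004
EVENTLOG_AUDIT_SUCCESS = 0x0008
EVENTLOG_AUDIT_FAILURE = 0x0010

# Display names (constructed) and the case-insensitive keyword table a filter
# parser needs so that 'auditFailure' resolves to 16 rather than falling to 0.
TYPE_NAMES = {
    EVENTLOG_SUCCESS: "success",
    EVENTLOG_ERROR_TYPE: "error",
    EVENTLOG_WARNING_TYPE: "warning",
    EVENTLOG_INFORMATION_TYPE: "information",
    EVENTLOG_AUDIT_SUCCESS: "auditSuccess",
    EVENTLOG_AUDIT_FAILURE: "auditFailure",
}
TYPE_KEYWORDS = {name.lower(): value for value, name in TYPE_NAMES.items()}
TYPE_KEYWORDS["info"] = EVENTLOG_INFORMATION_TYPE


@dataclass(frozen=True)
class Event:
    source: str
    event_id: int
    event_type: int  # one of the EVENTLOG_* values


def broken_auto_convert(value: str) -> int:
    """Failure mode seen in the ticket's debug output: a non-numeric string
    quietly becomes 0, which is EVENTLOG_SUCCESS, not an audit type."""
    try:
        return int(value)
    except ValueError:
        return 0


def strict_type_convert(value: str) -> int:
    """Accept a numeric literal or a known keyword (case-insensitive);
    an unknown keyword raises so a typo cannot silently match nothing."""
    if value.isdigit():
        return int(value)
    try:
        return TYPE_KEYWORDS[value.lower()]
    except KeyError:
        raise ValueError(f"unknown event type keyword: {value!r}") from None


def filter_events(events: Iterable[Event], ids: Set[int], type_literal: str,
                  convert: Callable[[str], int]) -> List[Event]:
    """Equivalent of: (id = ... OR id = ...) AND type = '<type_literal>'."""
    wanted_type = convert(type_literal)
    return [e for e in events if e.event_id in ids and e.event_type == wanted_type]


def summarize(events: Iterable[Event]) -> List[str]:
    """Collapse matches per (source, id, type) with a count, in the shape of
    the ticket's syntax=%source%: (%count%) %id% %type%."""
    counts = {}
    for e in events:
        key = (e.source, e.event_id, e.event_type)
        counts[key] = counts.get(key, 0) + 1
    return [f"{src}: ({n}) {eid} {TYPE_NAMES[t]}"
            for (src, eid, t), n in sorted(counts.items())]


# Constructed sample matching the mix the reporter saw in Test 2:
# 3x529 audit failures, 5x680 audit successes, 3x680 audit failures.
SAMPLE_EVENTS = (
    [Event("Security", 529, EVENTLOG_AUDIT_FAILURE)] * 3
    + [Event("Security", 680, EVENTLOG_AUDIT_SUCCESS)] * 5
    + [Event("Security", 680, EVENTLOG_AUDIT_FAILURE)] * 3
)

if __name__ == "__main__":
    ids = {529, 680}
    broken = filter_events(SAMPLE_EVENTS, ids, "auditFailure", broken_auto_convert)
    fixed = filter_events(SAMPLE_EVENTS, ids, "auditFailure", strict_type_convert)
    print("broken conversion matched", len(broken), "events")  # 0, as in Test 3
    print("strict conversion matched", len(fixed), "events")   # 6
    for line in summarize(fixed):
        print(line)
```

The practical check this suggests for any CheckEventLog-style filter: confirm in the debug output that the string literal resolves to the intended integer (16 for auditFailure, 8 for auditSuccess) before trusting an OK result, because a filter that resolves to the wrong constant fails silent, which for a failed-logon monitor means missing exactly the events it exists to catch.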

Change History (4)

comment:1 Changed 3 years ago by djlewis78

  • Cc djlewis78@… added

comment:2 Changed 16 months ago by mickem

  • Milestone changed from 0.3.8 to 0.4.0
  • Owner changed from MickeM to mickem
  • Version set to 0.3.8

comment:3 Changed 16 months ago by mickem

  • Component changed from Core Module to CheckEventlog

comment:4 Changed 16 months ago by mickem

  • Resolution set to fixed
  • Status changed from new to closed

Verified this works for me on 0.4.0.

Michael Medin
