Version 15 (modified by anonymous, 5 years ago)

CheckEventLog

CheckEventLog is part of the wiki:CheckEventLog module. This page describes the new syntax; for the old syntax refer to the old page: CheckEventLogOld. The new syntax is a bit sketchy in the docs as of yet... I shall try to add some better examples, but the best idea would be for someone who uses this to help me with that :)

This check enumerates all events in the event log, filters events out (or in), and then uses the resulting list to determine the state.

Option | Values | Description
file | event log file name | The name of an event log file; the default ones are Application, Security and System. If the specified event log is not found, Windows (for whatever reason) opens the "Application" log instead.
filter | in, out, any, all | Specify the way you want to filter things (see the section below).
filter | new | Has to be set to use this syntax.
descriptions | none | Flag to specify whether to include the string representation of the error messages.
truncate | length of the returned set | Truncates the output after the specified length. As NRPE can only handle 1024 chars you need to truncate the output.
MaxWarn | number of records | The maximum number of records to allow before reporting a warning state.
MaxCrit | number of records | The maximum number of records to allow before reporting a critical state.
syntax | string | A string used to represent each matched event log entry; the following keywords are replaced with the corresponding values: %source%, %generated%, %written%, %type%, %severity%, %strings%, %id%
filter<mode><type> | <filter value> | A number of strings to use for filtering the event log (see Filters below).

Filters

Capturing event log entries (or discarding them) is done with filters. There are three kinds of filters:

  • positive requirements: all these filters must match or the row is discarded.
  • negative requirements: none of these filters may match (if any does, the row is discarded).
  • normal matches: if one of these matches, the line is included.

Thus, if you want errors from the last month but not the ones from the cdrom, and everything if the source is MyModule, I would break it down like this (notice there are other options):

  . type=error
  - date=older than 2 months
  . source=MyModule

This would pick up all errors, drop all old records and then pick up all "MyModule" records.

The syntax of the filter is: filter<mode><type>=<expression>

Filter <Mode>s

<mode> | title | description
+ | required filter | If the line misses this filter it is discarded.
. | normal filter | If the line hits this filter it is included.
- | negative filter | If the line hits this filter it is discarded.

Filter <Type>s

<type> | Values | Description
eventType | error, warning, etc. | An event type to filter by: error, warning, info, auditSuccess or auditFailure. Note that unlike other commands this requires '==', for example filter-eventType==info. The values info, error, etc. are case sensitive.
eventSource | string expression | The name of the source of the event. Can be a substring or a regular expression.
generated | time expression | Time ago the message was generated.
written | time expression | Time ago the message was written to the log.
message | string expression | Filter on strings in the message. Can be a substring or a regular expression.
eventID | numeric expression | Filter based on the event ID of the log message.
severity | success, informational, warning or error | Filter based on event severity (filter-severity==warning).

time expression

A time expression is a date/time interval written as a number prefixed by a comparison prefix (<, >, =, !=) and followed by a unit postfix (s, m, h, d, w). A few examples: filter+generated=>2d means the filter will match any record older than 2 days; filter+generated=<2h means match any record newer than 2 hours. Warning: bash interprets "<", ">" and "!" itself. Use "\" to escape them, e.g. filter+generated=\>2d. On the client, activate the "Nasty Metachars" option (allow_nasty_meta_chars=1 in NSC.ini) to allow the "\".

string expression

A string expression is a key followed by a string, where the key selects how the string is matched. Currently substr and regexp are supported. Thus you enter filter.message=regexp:(foo|bar) to match a regular expression and filter-message=substr:foo to match a substring pattern.

TODO: Add support for negating filters with filter=out, if you need that use the old syntax for now...

in | means anything matching this filter will be included in the result.
out | means anything matching this filter will be excluded from the result.
any | means any of the filter rules has to match.
all | means all of the filter rules have to match.

Thus filter=all filter=in and filter=any filter=out are the combinations that make the most sense, depending on your filter concept.
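The filter modes (+ required, . normal, - negative), the time and string expressions, and the MaxWarn/MaxCrit/syntax/truncate options all act as one pipeline over the enumerated events. The Python model below is an added example written for this page, not NSClient++'s own code: it parses filter<mode><type>=<expression> arguments, applies them to a constructed sample log, and derives the OK/WARNING/CRITICAL state. The Event record, the sample entries, the fixed "now", the exact-literal fallback in match_string and the rule that rows survive when no normal filter is given are all assumptions made here; the written and severity types are not modelled.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Model (not NSClient++'s own code) of the new-syntax filter pipeline: filter<mode><type>=<expr> with
# '+' required, '.' normal and '-' negative modes. Event record and sample log below are constructed.

@dataclass
class Event:
    source: str
    event_type: str      # error, warning, info, auditSuccess, auditFailure (case sensitive)
    event_id: int
    message: str
    generated: datetime

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
FILTER_RE = re.compile(r"^filter([+.\-])(eventType|eventSource|generated|eventID|message)=(.+)$")
TIME_RE = re.compile(r"^(!=|<|>|=)(\d+)([smhdw])$")

def match_time(expr, age_seconds):
    """Time expression: prefix (<, >, =, !=), count, unit (s, m, h, d, w); '>2d' = older than 2 days."""
    op, n, unit = TIME_RE.match(expr).groups()
    limit = int(n) * UNITS[unit]
    return {"<": age_seconds < limit, ">": age_seconds > limit,
            "=": age_seconds == limit, "!=": age_seconds != limit}[op]

def match_string(expr, value):
    """String expression: substr:<text> or regexp:<pattern>; anything else is (assumed) an exact literal."""
    if expr.startswith("substr:"):
        return expr[len("substr:"):] in value
    if expr.startswith("regexp:"):
        return re.search(expr[len("regexp:"):], value) is not None
    return expr == value

def parse_filters(args):
    """Collect (mode, type, expr) triples. Shell escaping (filter+generated=\\<2h) is gone by now, so the
    expression starts with the raw '<' or '>'; the doubled '==' of eventType/eventID leaves a '=' to strip."""
    filters = []
    for arg in args:
        m = FILTER_RE.match(arg)
        if m:
            mode, ftype, expr = m.groups()
            filters.append((mode, ftype, expr[1:] if expr.startswith("=") else expr))
    return filters

def filter_hits(ftype, expr, ev, now):
    if ftype == "generated":
        return match_time(expr, (now - ev.generated).total_seconds())
    if ftype == "eventType":
        return ev.event_type == expr
    if ftype == "eventID":
        return ev.event_id == int(expr)
    if ftype == "eventSource":
        return match_string(expr, ev.source)
    return match_string(expr, ev.message)

def select(events, filters, now):
    required = [f for f in filters if f[0] == "+"]
    negative = [f for f in filters if f[0] == "-"]
    normal = [f for f in filters if f[0] == "."]
    kept = []
    for ev in events:
        if not all(filter_hits(t, x, ev, now) for _, t, x in required):
            continue    # a required filter missed: row discarded
        if any(filter_hits(t, x, ev, now) for _, t, x in negative):
            continue    # a negative filter hit: row discarded
        # Assumption: with no normal filters every surviving row is included (the page's first example uses only '-').
        if normal and not any(filter_hits(t, x, ev, now) for _, t, x in normal):
            continue
        kept.append(ev)
    return kept

def check_event_log(events, args, now):
    """Return (state, count, rendered): count > MaxCrit is CRITICAL, > MaxWarn is WARNING, else OK."""
    opts = dict(a.split("=", 1) for a in args if "=" in a and not a.startswith("filter"))
    max_warn, max_crit = int(opts.get("MaxWarn", 0)), int(opts.get("MaxCrit", 0))
    template = opts.get("syntax", "%source%")
    hits = select(events, parse_filters(args), now)
    rendered = ", ".join(template.replace("%source%", e.source).replace("%type%", e.event_type)
                         .replace("%id%", str(e.event_id)).replace("%strings%", e.message)
                         for e in hits)
    if "truncate" in opts:
        rendered = rendered[:int(opts["truncate"])]   # NRPE only carries 1024 chars
    state = "CRITICAL" if len(hits) > max_crit else "WARNING" if len(hits) > max_warn else "OK"
    return state, len(hits), rendered

# Constructed sample log; ages are relative to a fixed 'now' so the run is reproducible.
NOW = datetime(2010, 1, 10, 12, 0, 0)
SAMPLE_EVENTS = [
    Event("ESENT", "error", 455, "database engine error", NOW - timedelta(days=3)),
    Event("Tcpip", "error", 4226, "connection limit reached", NOW - timedelta(hours=1)),
    Event("MyModule", "info", 1, "foo started", NOW - timedelta(minutes=30)),
    Event("Cdrom", "warning", 7, "bad block", NOW - timedelta(days=5)),
    Event("Service Control Manager", "error", 7000, "service failed to start", NOW - timedelta(hours=1)),
    Event("ESENT", "error", 455, "database engine error", NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    # The page's reasoning example: errors, drop old records, but everything from MyModule.
    state, count, text = check_event_log(SAMPLE_EVENTS, ["MaxWarn=1", "MaxCrit=3", "filter.eventType==error",
                                         "filter-generated=>2d", "filter.eventSource=substr:MyModule"], NOW)
    print(f"{state}: {count} > critical: {text}")
```

Run as a script it prints a line of the same shape as the one in the Examples section. With the "MyModule" reasoning above, the negative generated filter drops the three-day-old ESENT error even though it is an error, while the MyModule info record survives on the source filter alone, which is exactly the "pick up errors, drop old, then pick up MyModule" ordering the text describes.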

Examples

Check the Application event log for errors in the last 48 hours. Filter out any Cdrom and NSClient errors as well as all warnings. Allow 3 errors before a warning is issued and 7 before a critical state.

This is the corresponding command:

checkEventLog filter=new file=system file=application MaxWarn=1 MaxCrit=1 filter-generated=>2d filter-eventSource=substr:Service filter-eventSource=substr:Tcpip 
CRITICAL: 27 > critical: ESENT, ESENT, ESENT, ESENT,...

Define in nagios configuration:

define command {
    command_name check_event_log
    command_line check_nrpe -H $HOSTADDRESS$ -p 5666 -c checkEventLog -a filter=new file=system file=application MaxWarn=1 MaxCrit=1 filter-generated=>2d filter-eventSource=substr:Service filter-eventSource=substr:Tcpip
    }

Please note: You need allow_nasty_meta_chars=1 in NSC.ini to use time filters like ">2d" (last 48 hours). Now you can define a new service like this:

define service{
    use                 generic-service
    host_name           <hostname>
    service_description <description>
    check_command       check_event_log
    }

---

Check for errors by event ID in the last 2 hours.
$ARG1$ = file to check, i.e. Application, Security, System
$ARG2$ = Max Warn amount
$ARG3$ = Max Critical amount
$ARG4$ = eventID number

./check_nrpe -H $HOSTNAME$ -c CheckEventLog -a filter=new file="$ARG1$" MaxWarn=$ARG2$ MaxCrit=$ARG3$ filter-generated=\<2h filter-eventID==$ARG4$ filter-eventType==error filter=in filter=all

---

Check for errors by source name in the last 2 hours.
$ARG1$ = file to check, i.e. Application, Security, System
$ARG2$ = Max Warn amount
$ARG3$ = Max Critical amount
$ARG4$ = source name, i.e. Service Control Manager

./check_nrpe -H $HOSTNAME$ -c CheckEventLog -a filter=new file="$ARG1$" MaxWarn=$ARG2$ MaxCrit=$ARG3$ filter-generated=\<2h filter-eventSource=="$ARG4$" filter-eventType==error filter=in filter=all