NC_Net EVENTLOG quirk
Anthony Montibello
amontibello at gmail.com
Fri Apr 1 08:54:17 CEST 2005
Hi,
I started looking into this when I received your email on this issue last week,
I have been able to simulate the same problem however it still needs
more intensive diagnostics before a patch can be put into NC_Net.
You can check 16711696 instead of 16 until A proper patch for the
problem has been found. this is a 16711680 offset from the number that
you are looking for.
Quote form Paul>>"
I have noticed that the checks that aren't working correctly either have
spaces in the source name or under 3 digit ID's. Is this just
coincidence?? "
This is coincidence, There are very few Event Sources that have space
in the source name. Your above example With Norton Antivirus was able
to recognize all events from Norton Antivirus but the Event ID offset
was the issue.
NOTE: Ignore Whitespace for Regular Expressions. This is only for the
message filter of the event Log check (parameters between event ID and
Source ID)
Whitespace is ignored during the regular expression so to have
whitespace as part of your expression it needs to be escaped thus:
For all entries in the last hour that contain "SCSI INTERFACE ERROR"
or "CHECK CONDITION" use something like;
"any,any,60,0,2,SCSI\ INTERFACE\ ERROR,CHECK\ CONDITION,0"
Technical Detail of problem with Norton Antivirus:
Doing an event log check for Norton Antivirus the EventLog check is
returning the wrong result. I still need more diagnostics but my
observation are:
NC_Net uses type int to check the Event_ID. The Event ID is also type
int. on most cases the event ID works fine. When checking Norton
Antivirus somehow the EventID is offset by 16711680 or in hex
00FF0000h I am not sure what is causing this mismatch to occur, since
looking through the code all the types should be int32 are int32. I am
suspecting that their may be a bug somewhere in the manner that Dot
net handles either the Event entry Objects or maybe I am overlooking
something?
When I have a proper solution to this issue it will be documented in
the version section of the read me.
Hope this helps,
Tony
On Mar 31, 2005 11:55 AM, Paul Bourgeau <psbourgeau at mpccorp.com> wrote:
> Can anyone help???
>
> Thank You,
> Paul Bourgeau
>
> Ph: 262-523-3300 x60279
> Fx: 208-898-2371
> psbourgeau at mpccorp.com
>
> -----Original Message-----
> From: nagios-users-admin at lists.sourceforge.net
> [mailto:nagios-users-admin at lists.sourceforge.net] On Behalf Of Paul
> Bourgeau
> Sent: Wednesday, March 23, 2005 10:57 AM
> To: nagios-users at lists.sourceforge.net
> Subject: [Nagios-users] NC_Net EVENTLOG quirk
>
> I have been successful in getting this check to work with one exception.
> I am trying to get notifications of whenever Norton AntiVirus makes a
> specific log entry and it doesn't seem to work.
>
> For instance, when it logs an entry to state that the definitions are
> current, Windows logs the following:
>
> Source:Norton AntiVirus
> EventID:16
> Type:Information
> Description:Virus Definitions are current.
>
> When I run this check, it does not work....
> ./check_nc_net -H hostname -v EVENTLOG -l "application,any,1440,1,Norton
> AntiVirus,0,1,16"
> OK: No entries in application log recently.
>
> But when I generalize the check, it comes back with an entry......
> ./check_nc_net -H hostname -v EVENTLOG -l "application,any,1440,1,Norton
> AntiVirus,0,0"
> 14 Errors with ID:
> 16711696;16711704;16711703;16711685;16711683;16711686;16711686;16711686;
> 16711686;16711686;16711686;16711686;16711685;;Virus Found!Virus name:
> EICAR Test String in File:
> C:\RECYCLER\S-1-5-21-790525478-1547161642-1801674531-500\Dc466.txt by:
> Scheduled sca;. Action: Clean failed : Quarantine succeeded :
>
> I have noticed that the checks that aren't working correctly either have
> spaces in the source name or under 3 digit ID's. Is this just
> coincidence?? In the documentation it states that it "ignores extra
> white space in the Regular expression".
>
> Any other Event ID check works fine, i.e...
>
> Source:NC_Net
> EventID:3005
> Type:Information
> Description:NC_Net Service Ending:-NC_Net 2.21 03/13/05
>
> ./check_nc_net -H hostname -v EVENTLOG -l
> application,any,1440,0,0,1,3005
> 1 Errors with ID: 3005 LAST - ID 3005: NC_Net Service Ending :-NC_Net
> 2.21 02/25/05
>
> I have tried this on v2.20 and v2.21 with the same result.
>
> Thanks in advance for the help!!
>
> Disclaimer: 23/3/2005
>
> MPC Computers is providing the following information in compliance with
> federal regulations:
>
> MPC Computers, LLC
> 906 E. Karcher Road
> Nampa, Idaho 83687
> 1-888-224-4247
> http://www.mpccorp.com
>
> To discontinue receiving e-mail communications from MPC in the future,
> please go to:
> http://www.mpccorp.com/email/manage.html and follow the instructions.
>
> -------------------------------------------------------
> This SF.net email is sponsored by Microsoft Mobile & Embedded DevCon
> 2005
> Attend MEDC 2005 May 9-12 in Vegas. Learn more about the latest Windows
> Embedded(r) & Windows Mobile(tm) platforms, applications & content.
> Register
> by 3/29 & save $300 http://ads.osdn.com/?ad_idh83&alloc_id149&op=ick
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when
> reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>
> Disclaimer: 31/3/2005
>
> MPC Computers is providing the following information in compliance with federal regulations:
>
> MPC Computers, LLC
> 906 E. Karcher Road
> Nampa, Idaho 83687
> 1-888-224-4247
> http://www.mpccorp.com
>
> To discontinue receiving e-mail communications from MPC in the future, please go to:
> http://www.mpccorp.com/email/manage.html and follow the instructions.
>
> -------------------------------------------------------
> This SF.net email is sponsored by Demarc:
> A global provider of Threat Management Solutions.
> Download our HomeAdmin security software for free today!
> http://www.demarc.com/Info/Sentarus/hamr30
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>
-------------------------------------------------------
This SF.net email is sponsored by Demarc:
A global provider of Threat Management Solutions.
Download our HomeAdmin security software for free today!
http://www.demarc.com/Info/Sentarus/hamr30
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list