Monitoring Windows Eventviewer
Frater, Greg J
GJFRATER at bechtel.com
Mon Jun 2 21:41:20 CEST 2008
>Dear All,
>Would anyone have experience in checking the Windows eventviewer for certain events, or turning Nagios red in case of ERRORs?
>What script are you using? Preferably something that can simply interact with NSClient
We do this using the NSClient++ agent (www.nsclient.org). It checks the
event logs and filters them based on criteria you define, alerting when
the number of hits you specify is reached (i.e. when the system log has
1 or more events with an ID of XXXX within the last 10 minutes, send
alerts). Here is an example we use to monitor for a specific Oracle
error. In the example we check the "application" log of the server
every "60" minutes for events with an ID of "20" with event type of
"Error" containing a string in the text of the message "Can not allocate
log"; the check turns critical after 1 matching event is found that is
time stamped within the last "65" minutes.
Checkcommands.cfg:
define command{
        command_name    check_eventlogs
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -c checkEventLog -a filter=new $ARG1$ MaxWarn=$ARG2$ MaxCrit=$ARG3$ filter-generated=\$ARG4$ $ARG5$ truncate=$ARG6$
        # Desc:
        # $ARG1$ = event logs to check (i.e. file=system file=application)
        # $ARG2$ = Warning level (i.e. number of hits to generate a warning response)
        # $ARG3$ = Critical level (i.e. number of hits to generate a critical response)
        # $ARG4$ = Time period (i.e. 1 day is '1d' 30 hours is '>30h')
        # $ARG5$ = Filters (i.e. filter-eventID==9009 filter-eventSource=Tcpip) see http://www.nsclient.org/nscp/wiki/CheckEventLog/CheckEventLog for detailed info
        # $ARG6$ = Amount of data to return in characters (i.e. truncate=150)
        # Example: check_nrpe -H server_name_here -p 5666 -c checkEventLog -a filter=new file=system MaxWarn=1 MaxCrit=1 filter-generated=\>30h filter+eventID==10002 descriptions truncate=138
}
Services.cfg:
define service{
        use                     standard-srv
        service_description     eventlog: Oracle archive log errors
        check_command           check_eventlogs!file=application!1!1!>65m!filter+eventID==20 filter+eventType==error filter+message=substr:"Can not allocate log"!100
        normal_check_interval   60
        notification_options    w,c
        contact_groups          apps
        host_name               server1, server2
}
HTH,
-greg
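
How the service's check_command expands through the command definition above, and what the shell then passes to check_nrpe after -a, as an added example that is not part of the original message. The host address 192.0.2.10 and the helper names expand and nrpe_arguments are assumptions, and the `!` splitting ignores Nagios's `\!` escape.

```python
import re
import shlex

# command_line from the check_eventlogs definition above ($USER1$ is left unexpanded).
COMMAND_LINE = (
    "$USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -c checkEventLog "
    "-a filter=new $ARG1$ MaxWarn=$ARG2$ MaxCrit=$ARG3$ "
    "filter-generated=\\$ARG4$ $ARG5$ truncate=$ARG6$"
)

# check_command from the Oracle archive log service above.
CHECK_COMMAND = (
    "check_eventlogs!file=application!1!1!>65m!"
    "filter+eventID==20 filter+eventType==error "
    'filter+message=substr:"Can not allocate log"!100'
)


def expand(command_line, check_command, host_address):
    """Substitute $ARGn$ and $HOSTADDRESS$ into the command line."""
    _name, *args = check_command.split("!")
    macros = {f"ARG{i}": value for i, value in enumerate(args, start=1)}
    macros["HOSTADDRESS"] = host_address
    # Macros not defined here (such as $USER1$) are left as written.
    return re.sub(r"\$(\w+)\$",
                  lambda m: macros.get(m.group(1), m.group(0)),
                  command_line)


def nrpe_arguments(expanded):
    """Tokenise the way a POSIX shell would and return what follows -a."""
    argv = shlex.split(expanded)
    return argv[argv.index("-a") + 1:]


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address, not from the post.
    line = expand(COMMAND_LINE, CHECK_COMMAND, "192.0.2.10")
    print(line)
    for arg in nrpe_arguments(line):
        print("  ", arg)
```

The backslash written before $ARG4$ is what keeps the shell from treating `>65m` as an output redirection, and the double quotes keep the three-word message filter in a single argument.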