<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v = "urn:schemas-microsoft-com:vml" xmlns:o = "urn:schemas-microsoft-com:office:office" xmlns:w = "urn:schemas-microsoft-com:office:word" xmlns:x = "urn:schemas-microsoft-com:office:excel" xmlns:p = "urn:schemas-microsoft-com:office:powerpoint" xmlns:a = "urn:schemas-microsoft-com:office:access" xmlns:dt = "uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s = "uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs = "urn:schemas-microsoft-com:rowset" xmlns:z = "#RowsetSchema" xmlns:b = "urn:schemas-microsoft-com:office:publisher" xmlns:ss = "urn:schemas-microsoft-com:office:spreadsheet" xmlns:c = "urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa = "urn:schemas-microsoft-com:office:activation" xmlns:html = "http://www.w3.org/TR/REC-html40" xmlns:q = "http://schemas.xmlsoap.org/soap/envelope/" XMLNS:D = "DAV:" xmlns:x2 = "http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois = "http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir = "http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds = "http://www.w3.org/2000/09/xmldsig#" xmlns:dsp = "http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc = "http://schemas.microsoft.com/data/udc" xmlns:xsd = "http://www.w3.org/2001/XMLSchema" xmlns:sub = "http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec = "http://www.w3.org/2001/04/xmlenc#" xmlns:sp = "http://schemas.microsoft.com/sharepoint/" xmlns:sps = "http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf = "http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf = "http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver = "http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m = "http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels = "http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t = "http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m = "http://schemas.microsoft.com/exchange/services/2006/messages" XMLNS:Z = "urn:schemas-microsoft-com:"><HEAD><TITLE>Re: [Nagios-users] Monitoring Windows Eventviewer</TITLE> <META http-equiv=Content-Type content="text/html; charset=us-ascii"> <META content="MSHTML 6.00.2900.3314" name=GENERATOR> <STYLE>@font-face { font-family: Cambria Math; } @font-face { font-family: Calibri; } @font-face { font-family: Tahoma; } @page Section1 {size: 612.0pt 792.0pt; margin: 72.0pt 72.0pt 72.0pt 72.0pt; } P.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman","serif" } LI.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman","serif" } DIV.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman","serif" } A:link { COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99 } SPAN.MsoHyperlink { COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99 } A:visited { COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99 } SPAN.MsoHyperlinkFollowed { COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99 } P { FONT-SIZE: 12pt; MARGIN-LEFT: 0cm; MARGIN-RIGHT: 0cm; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto } SPAN.EmailStyle18 { COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-reply } .MsoChpDefault { FONT-SIZE: 10pt; mso-style-type: export-only } DIV.Section1 { page: Section1 } </STYLE> </HEAD> <BODY lang=EN-US vLink=purple link=blue> <DIV dir=ltr align=left> </DIV> <DIV></DIV> <DIV class=Section1> > Thanks for the info,<o:p></o:p> <o:p> </o:p> > Great that it can be done with the NSClient++ as I have it installed on all our servers.<o:p></o:p> <o:p> </o:p> > What do I need to define in the NSClient++ agent and where ?<o:p></o:p> > Is it in the .ini file or elsewhere ? The only thing you need to do on the Windows server is enable the CheckEventLog.dll by removing the semicolon from that line in the nsc.ini file. Regards, -greg <o:p></o:p> <o:p></o:p> <o:p> </o:p> <DIV> <DIV style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0cm; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0cm; PADDING-BOTTOM: 0cm; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none"> From: Frater, Greg J [mailto:GJFRATER@bechtel.com] Sent: maandag 2 juni 2008 21:41 To: Tim Van Caeyzeele Cc: nagios-users@lists.sourceforge.net Subject: Re: [Nagios-users] Monitoring Windows Eventviewer<o:p></o:p></DIV></DIV> <o:p> </o:p> >Dear All, <o:p></o:p> >Would anyone have experience in checking the windows eventviewer for certain events, or turning nagios red in case of ERRORs ?<o:p></o:p> >What script are you using ? preferably something that can simply interact with NSClient <o:p></o:p> We do this using the NSClient++ agent (<A href="file:///\\www.nsclient.org">www.nsclient.org</A>). It checks the event logs and filters them based on criteria you define, alerting when the number of hits you specify is reached (i.e. when the system log has 1 or more events with an ID of XXXX within the last 10 minutes send alerts). Here is an example we use to monitor for a specific Oracle error. In the example we check the "application" log of the server every "60" minutes for events with an ID of "20" with event type of "Error" containing a string in the text of the message "Can not allocate log", check turns critical after 1 matching event is found that is time stamped within the last "65" minutes.<o:p></o:p> <o:p> </o:p> Checkcommands.cfg: define command{ command_name check_eventlogs command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -c checkEventLog -a filter=new $ARG1$ MaxWarn=$ARG2$ MaxCrit=$ARG3$ filter-generated=\$ARG4$ $ARG5$ truncate=$ARG6$<o:p></o:p> # Desc: # $ARG1$ = event logs to check (i.e. file=system file=application) # $ARG2$ = Warning level (i.e. number of hits to generate a warning response) # $ARG3$ = Critical level (i.e. number of hits to generate a critcal response) # $ARG4$ = Time period (i.e. 1 day is '1d' 30 hours is '>30h') # $ARG5$ = Filters (i.e. filter-eventID==9009 filter-eventSource=Tcpip) see <A href="http://www.nsclient.org/nscp/wiki/CheckEventLog/CheckEventLog">http://www.nsclient.org/nscp/wiki/CheckEventLog/CheckEventLog</A> for detailed info<o:p></o:p> # $ARG6$ = Amount of data to return in characters (i.e. truncate=150) # Example: check_nrpe -H server_name_here -p 5666 -c checkEventLog -a filter=new file=system MaxWarn=1 MaxCrit=1 filter-generated=\>30h filter+eventID==10002 descriptions truncate=138<o:p></o:p> } <o:p></o:p> Services.cfg: define service{ use standard-srv service_description eventlog: Oracle archive log errors check_command check_eventlogs!file=application!1!1!>65m!filter+eventID==20 filter+eventType==error filter+message=substr:"Can not allocate log"!100<o:p></o:p> normal_check_interval 60 notification_options w,c contact_groups apps host_name server1, server2 } <o:p></o:p> HTH, <o:p></o:p> -greg <o:p></o:p> <o:p> </o:p></DIV></BODY></HTML>