HOWTO: handle windows events.

Bishop, Dean dean.bishop at tcdsb.org
Wed Sep 11 21:56:49 CEST 2002


k, so here it is.  cleaned up and everythang.

Basic BackLog config and Swatch configs are comments in the perl script
below.

now...to get it paging people all this crap...

enjoy,
dean



###################################
#                                 #
# here is the service definition: #
#                                 #
###################################

define service{							
	name				generic-service
	active_checks_enabled		1
	passive_checks_enabled		1
	parallelize_check			1
	obsess_over_service		0
	is_volatile				0		
	check_freshness			0
	notifications_enabled		1
	event_handler_enabled		1
	flap_detection_enabled		1
	process_perf_data			1
	retain_status_information	1
	retain_nonstatus_information	1
	check_period			24x7			
	max_check_attempts		3				
	retry_check_interval		5				
	notification_interval		45				
	notification_period		24x7				
	notification_options		w,u,c,r				
	register				0
	}
# Service definition for a Windows Event
define service{
	name					WindowsEvent
	use					generic-service
	service_description		Windows Event	; <-- this is important.  Don't change the name here.
	check_period			none
	contact_groups			ServerAdmins
	check_command			check-host-alive
	is_volatile				1
	max_check_attempts		1
	normal_check_interval		10
	retry_check_interval		10
	notification_interval		15
	host_name				fs03.tcdsb.org	; <-- this is important.  it must match the name recorded by syslog.
							; check /var/log/winevents.log.
	}

###################################
#                                 #
# here is the perl script that I  #
# use to make it happen.          #
#                                 #
###################################

#!/usr/bin/perl
# The purpose of this script is to receive the windows events from swatch,
#  format them, and dump them into the nagios external command file.
#
# Written, through much blood sweat and coffee by Dean Bishop
#  ( dbishop at ehvert.com).
# Mileage may vary.  You can ask me for help, but this is about the 5th
#  perl script I have written.
#
#
# Swatch is watching a syslog file that is dumped to by the windows 2000
#  servers using Intersect Alliance's Backlog.
#  (http://www.intersectalliance.com/products/BackLogNT).
#
# When configuring Backlog I set the Category to "local0" and "notice".
# Also it is necessary to set the delimiter to "comma".
#
# Then add the following line to /etc/syslog.conf:
#local0.*                      /var/log/winevents.log
#
# My swatch config looks like this right now but will be cleaned up and
#   amended as necessary.
#watchfor /1000/ and /User Error/
#        ignore
#watchfor /fs03.tcdsb.org/ and /529,Security/
#        exec echo $0 | /usr/local/bin/parser
#
# Don't need this
#        echo = random
#       ignore
#watchfor /fs03.tcdsb.org/ and /9,System|11,System|15,System|51,System/
#        exec echo $0 | /usr/local/bin/parser
#watchfor   /Warning|Error|Failure/
#
# Don't need the next two lines either.  Just for testing purposes.
#        bell 3
#        echo = random
#        exec echo $0 | /usr/local/bin/parser

use strict;
use warnings;

# Get the windows event from swatch and strip the trailing newline.  A newline
#  left inside the event would end up in the middle of the command we write
#  below, and Nagios would read whatever follows it as a second command.
my $event = <STDIN>;
exit 0 unless defined $event;
$event =~ tr/\r\n//d;

# Substitute all commas for spaces.
$event =~ s/,/ /g;

# Substitute the irritating "^I" character from backlog (which seems to be like
#  a tab or other sort of whitespace thang) for nothing.  In other words,
#  remove it.
$event =~ s/\^I//g;

# Collapse every run of spaces to a single space.  (The earlier s/  / /g only
#  shortened each run by one space, which left empty words after the split.)
$event =~ s/ {2,}/ /g;

# Split the scalar bits into an array using space as the delimiter.
# Most messages seem to be <= 40 words long so that's all we will deal with.
my @line = split / /, $event;

# Anything shorter than this is not a complete Backlog event and would give
#  us an empty host name, so refuse it instead of submitting garbage.
die "parser: unrecognised event line: $event\n" unless @line > 18;

# Clean, rearrange, and add to the message to make it clear in the
#  notifications.  Keep this on one line: the external command must be one line.
my $problem = "Date:$line[7] $line[8] $line[9] $line[11] Time:$line[10] Source:$line[5] Category:$line[17] Type:$line[16] EventID:$line[12] EventNumber:$line[6] User:$line[14] Computer:$line[18] Description:";

# The first 18 words are before the description of the event.  The rest is
#  from the description block.
# Here we are jumping to the 19th word and lumping words 19-34 into one
#  scalar, stopping early if the message is shorter than that.
my $last = $#line < 34 ? $#line : 34;
$problem .= join(' ', @line[19 .. $last]) . ' ' if $last >= 19;

# Get the time in seconds from UNIX epoch.  Perl's own time() gives the same
#  value as `date +%s` without forking a shell for it.
my $date = time;

# Form the command to be dumped into the Nagios external command file.  The
#  service description must match the one in the service definition above
#  ("Windows Event"), and the host name comes from the syslog header.
my $command = "[$date] PROCESS_SERVICE_CHECK_RESULT;$line[3];Windows Event;2;$problem\n";

# Define the Nagios external command file.
my $file = "/usr/local/nagios/var/rw/nagios.cmd";

# Open the Nagios external command file for appending.  Die rather than
#  silently losing the event if it cannot be opened.
open(FILE, ">>$file") or die "parser: cannot open $file: $!\n";

# Write the full command to the Nagios external command file.
print FILE $command;

# Close the external command file.
close(FILE) or die "parser: cannot close $file: $!\n";

# Enjoy.  Currently from just 1 of about 150 windows 2000 servers I am
#  getting about 10 messages per minute.  Had to un-tweak sendmail so that
#  it wouldn't throttle the outbound messages and number of MTA children.

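The parser step of the pipeline above (Backlog line in, PROCESS_SERVICE_CHECK_RESULT out), as an added example in Python; it is not the list post's own script, which is Perl. The sample log line, the timestamp and the field positions are constructed from the index mapping in that script (word 3 = syslog host, 5 = Source, 6 = EventNumber, 7 to 11 = date and time, 12 = EventID, 14 = User, 16 = Type, 17 = Category, 18 = Computer, 19 onwards = Description) and must be checked against a real /var/log/winevents.log before use. It goes beyond the post in two places: the host field is validated before it is spliced between the `;` separators, and Windows "Warning" events are submitted as Nagios WARNING (1) instead of always CRITICAL (2).

```python
import re
import sys
import time

SERVICE = "Windows Event"  # must match service_description in the Nagios config
COMMAND_FILE = "/usr/local/nagios/var/rw/nagios.cmd"

# Extension of the original script (which always submitted 2 = CRITICAL):
# Windows "Warning" events become WARNING, everything else stays CRITICAL.
STATE_BY_TYPE = {"Warning": 1}

# The host name sits between ';' separators in the command, so it must be a
# plain host name and nothing else.
HOST_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample line in the shape swatch hands to the parser (comma
# delimited Backlog output behind a syslog header); not a real log record.
SAMPLE_LINE = (
    "Sep 11 21:56:49 fs03.tcdsb.org BackLog: Security,104233,"
    "Wed Sep 11 21:55:01 2002,529,Security,jdoe,N/A,Failure,Logon/Logoff,FS03,"
    "Logon Failure: Reason: Unknown user name or bad password\n"
)


def parse_event(raw):
    """Split one Backlog syslog line (comma delimiter) into named fields."""
    # Control characters, including the newline swatch passes through, are the
    # one thing that must never reach the command file, so replace them first.
    text = re.sub(r"[\x00-\x1f\x7f]", " ", raw)
    # Backlog's literal "^I" and the comma delimiters become spaces, then runs
    # of spaces collapse so every word lands at a stable index.
    text = text.replace("^I", " ").replace(",", " ")
    words = re.sub(r" {2,}", " ", text).strip().split(" ")
    if len(words) < 19:
        raise ValueError("not a complete Backlog event line: %r" % raw)
    return {
        "host": words[3],
        "source": words[5],
        "event_number": words[6],
        "date": "%s %s %s %s" % (words[7], words[8], words[9], words[11]),
        "time": words[10],
        "event_id": words[12],
        "user": words[14],
        "type": words[16],
        "category": words[17],
        "computer": words[18],
        "description": " ".join(words[19:]),
    }


def build_command(fields, now):
    """Format a one-line PROCESS_SERVICE_CHECK_RESULT external command."""
    if not HOST_RE.match(fields["host"]):
        raise ValueError("refusing suspicious host field %r" % fields["host"])
    output = ("Date:%(date)s Time:%(time)s Source:%(source)s Category:%(category)s "
              "Type:%(type)s EventID:%(event_id)s EventNumber:%(event_number)s "
              "User:%(user)s Computer:%(computer)s Description:%(description)s"
              % fields)
    # ';' is the command's field separator and '\n' ends a command, so neither
    # may appear inside the plugin output handed to Nagios.
    output = output.replace(";", " ").replace("\n", " ")
    state = STATE_BY_TYPE.get(fields["type"], 2)
    return "[%d] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s\n" % (
        int(now), fields["host"], SERVICE, state, output)


def submit(command, path=COMMAND_FILE):
    """Append the command to the Nagios external command file (a named pipe)."""
    with open(path, "a") as fh:
        fh.write(command)


if __name__ == "__main__":
    # swatch:  exec echo $0 | /usr/local/bin/parser.py
    for line in sys.stdin:
        submit(build_command(parse_event(line), time.time()))
```

The `exit 0`/`die` behaviour of the Perl script is kept as exceptions here: a line that does not have the expected number of fields, or whose host field is not a plain host name, raises instead of producing a check result for an empty or mangled host.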
