syslog messages events

Dean Bishop dbishop at ehvert.com
Mon May 19 03:54:54 CEST 2003


Sorry all, I haven't had time to clean this up and post it to the FAQ yet.
Here is the version of the script I use to convert messages from swatch for
input into the Nagios external command file.  Comments within tell you how
to set up the rest of the required components.

If you have questions drop me a line.

Later,
Dean

Let me know of any improvements.  I am no perl wizard but this does what I
need.



#!/usr/bin/perl
# parser.pl
# The purpose of this script is to receive the windows events from swatch,
#  format them, and dump them into the nagios external command file.
#
# Written, through much blood sweat and coffee by Dean Bishop
#  ( dbishop at ehvert.com).
# Mileage may vary.
#
#
# Swatch is watching a syslog file that is dumped to by the windows 2000
#  servers using Intersect Alliance's Backlog.
#  (http://www.intersectalliance.com/products/BackLogNT).
#
# When configuring Backlog I set the Category to "local0" and "notice".
# Also it is necessary to set the delimiter to "comma".
#
# Then add the following line to /etc/syslog.conf:
#local0.*                      /var/log/winevents.log
#
# My swatch config looks like this right now.
# Basically, swatch uses regex to watch for certain strings in the syslog.
#  In the first example you can see that it is watching for the server name
#  which appears in the eventlog, and eventid 529 from the source Security.
#  Note that this is the source of the event, not the log.

#watchfor /fs03.tcdsb.org/ and /529,Security/
#        exec echo $0 | /usr/local/bin/parser
#
#watchfor /fs03.tcdsb.org/ and /9,System|11,System|15,System|51,System/
#        exec echo $0 | /usr/local/bin/parser
#watchfor   /Warning|Error|Failure/
#
# Don't need the next two lines.  Just for testing purposes.
#        bell 3
#        echo = random
#        exec echo $0 | /usr/local/bin/parser

use strict;
use warnings;

# Get the windows event from swatch and drop the trailing newline so it
#  cannot end up inside the Nagios command line.
my $event = <STDIN>;
exit 0 unless defined $event;
chomp $event;

# Debug trace of the raw event as received (comment out once things work).
if (open (my $dump, ">>", "/root/dump.txt")) {
    print $dump "test: $event\n";
    close ($dump);
}

# Substitute all commas for spaces.
$event =~ s/,/ /g;

# Substitute the irritating "^I" character from backlog (which seems to be
#  like a tab or other sort of whitespace thang) for nothing.  In other
#  words, remove it.  A real tab character is removed as well.
$event =~ s/(?:\^I|\t)//g;

# Collapse any run of spaces into a single space.
$event =~ s/ {2,}/ /g;

# Split the scalar bits into an array using space as the delimiter.
# Most messages seem to be <= 40 words long so that's all we will deal with.
my @line = split (/ /, $event);

# Pad short messages so the fixed field positions below always exist.
push @line, '' while @line < 19;

# Clean, rearrange, and add to the message to make it clear in the
#  notifications.
my $problem = "EventID:$line[12] Date:$line[7] $line[8] $line[9] $line[11] Time:$line[10] Source:$line[5] Category:$line[17] Type:$line[16] EventNumber:$line[6] User:$line[14] Computer:$line[18] Description:";

# The first 18 words are before the description of the event.  The rest is
#  from the description block.
# Here we are jumping to the 19th word and lumping words 19-34 into one
#  scalar.
for my $i (19 .. 34) {
    last unless defined $line[$i];
    $problem .= "$line[$i] ";
}

# Nagios reads the command file one line at a time and splits the fields on
#  semicolons, so neither may appear in the text we submit.
$problem =~ s/[;\r\n]/ /g;

# Get the time in seconds from UNIX epoch.
my $date = time;

# Form the command to be dumped into the Nagios external command file.
my $command = "[$date] PROCESS_SERVICE_CHECK_RESULT;$line[4];Windows Event $line[12];2;$problem\n";

# Define the Nagios external command file.
my $file = "/usr/local/nagios/var/rw/nagios.cmd";

# Open the Nagios external command file for appending.
open (my $cmd, ">>", $file) or die "Cannot open $file: $!";

# Write the full command to the Nagios external command file.
print $cmd $command;

# Close the external command file.
close ($cmd);
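As an added example (not Dean's script and not anything from the Nagios or swatch projects), here is the same pipeline in Python: the cleanup steps the parser applies, a mapping from the event Type words the swatch rule watches for to Nagios return codes, and the PROCESS_SERVICE_CHECK_RESULT line formatted so that a ';' or newline inside an event description cannot be read as extra fields. The sample line, its field order and the epoch value are constructed for the demonstration; function names are mine.

```python
import re
import time

# Nagios return codes for PROCESS_SERVICE_CHECK_RESULT.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

def normalise_event(raw):
    """Same cleanup as the Perl parser: commas and runs of whitespace become
    one space, Backlog's literal "^I" markers are dropped, trailing newline goes."""
    text = raw.rstrip("\r\n").replace("^I", "").replace(",", " ")
    return re.sub(r"\s+", " ", text).strip()

def severity_for(event_type):
    """Map the Type words the swatch rule watches for (Warning|Error|Failure)
    to a Nagios state; the Perl script always submits 2 (CRITICAL)."""
    kind = event_type.lower()
    if kind in ("error", "failure"):
        return CRITICAL
    if kind == "warning":
        return WARNING
    return UNKNOWN

def passive_result(host, service, code, output, when=None):
    """One line for nagios.cmd. The file is line- and semicolon-delimited, so a
    newline or ';' carried in an event description would be read as extra
    fields or a second command: they are replaced, never passed through."""
    for field in (host, service):
        if re.search(r"[;\r\n]", field):
            raise ValueError("host and service names must not contain ';' or newlines")
    when = int(time.time()) if when is None else int(when)
    clean = re.sub(r"[\r\n]+", " ", output).replace(";", ",")
    return f"[{when}] PROCESS_SERVICE_CHECK_RESULT;{host};{service};{code};{clean}\n"

# Constructed sample line (assumed field order, not real Backlog output):
# host, event id, source, type, then the description, which here carries a ';'.
SAMPLE = "fs03.tcdsb.org,529,Security,Failure,Logon failure; bad password\n"

def sample_command(when=1053309294):  # constructed epoch timestamp
    fields = normalise_event(SAMPLE).split(" ")
    host, event_id, source, kind = fields[:4]
    descr = " ".join(fields[4:])
    output = f"EventID:{event_id} Source:{source} Type:{kind} Description:{descr}"
    return passive_result(host, f"Windows Event {event_id}", severity_for(kind), output, when)

if __name__ == "__main__":
    print(sample_command(), end="")
```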




-----Original Message-----
From: Stanley Hopcroft [mailto:Stanley.Hopcroft at IPAustralia.Gov.AU] 
Sent: May 18, 2003 6:50 AM
To: doron carmeli-shrim
Cc: Nagios-users at lists.sourceforge.net
Subject: Re: [Nagios-users] syslog messages events

Dear Sir,

On Sun, May 18, 2003 at 02:45:18AM -0700, doron carmeli-shrim wrote:
> Does anybody know how can I monitor syslog messages
> with nagios ??
> 

Two options (at least)

1 check_log from the standard plugin distro

2 (more complicated but more scalable)

 2.1 use swatch to watch the log and detect the alertable messages
 2.2 have swatch submit a passive service check result either to the
     Nag command queue (if swatch is co-located) otherwise with nsca.

 This version is also adaptable (see the FAQ or Dean Bishop's letters in
 the gmane Nag archives) to checking NT/2K event logs with another
 'event to syslog' shim such as Snare/Backlog.

Yours sincerely.


-- 
------------------------------------------------------------------------
Stanley Hopcroft
------------------------------------------------------------------------

'...No man is an island, entire of itself; every man is a piece of the
continent, a part of the main. If a clod be washed away by the sea,
Europe is the less, as well as if a promontory were, as well as if a
manor of thy friend's or of thine own were. Any man's death diminishes
me, because I am involved in mankind; and therefore never send to know
for whom the bell tolls; it tolls for thee...'

from Meditation 17, J Donne.


-------------------------------------------------------
This SF.net email is sponsored by: If flattening out C++ or Java
code to make your application fit in a relational database is painful, 
don't do it! Check out ObjectStore. Now part of Progress Software.
http://www.objectstore.net/sourceforge
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting
any issue. 
::: Messages without supporting info will risk being sent to /dev/null

