NC_Net EVENTLOG quirk

Andreas Ericsson ae at op5.se
Fri Apr 1 10:48:15 CEST 2005


Anthony Montibello wrote:
> Hi,
> 
> I started looking into this when I received your email on this issue last week.
> I have been able to simulate the same problem; however, it still needs
> more intensive diagnostics before a patch can be put into NC_Net.
> 
> You can check 16711696 instead of 16 until a proper patch for the
> problem has been found. This is a 16711680 offset from the number that
> you are looking for.
> 
> Quote from Paul: "
> I have noticed that the checks that aren't working correctly either have
> spaces in the source name or under 3 digit ID's.  Is this just
> coincidence?? "
> 
> This is coincidence. There are very few Event Sources that have a space
> in the source name.

False. Practically all of them do.

> Your above example with Norton Antivirus was able
> to recognize all events from Norton Antivirus, but the Event ID offset
> was the issue.
> 
> NOTE: Ignore whitespace for regular expressions. This applies only to the
> message filter of the event log check (the parameters between the event ID and
> source ID).
> Whitespace is ignored in the regular expression, so to have
> whitespace as part of your expression it needs to be escaped, thus:
> for all entries in the last hour that contain "SCSI INTERFACE ERROR"
> or "CHECK CONDITION", use something like
> "any,any,60,0,2,SCSI\ INTERFACE\ ERROR,CHECK\ CONDITION,0"
> 
> Technical detail of the problem with Norton Antivirus:
> When doing an event log check for Norton Antivirus, the EventLog check is
> returning the wrong result. I still need more diagnostics, but my
> observations are:
> NC_Net uses type int to check the Event_ID. The Event ID is also type
> int. In most cases the event ID works fine. When checking Norton
> Antivirus, somehow the EventID is offset by 16711680, or in hex
> 00FF0000h. I am not sure what is causing this mismatch to occur, since
> looking through the code all the types that should be int32 are int32. I am
> suspecting that there may be a bug somewhere in the manner that .NET
> handles the event entry objects, or maybe I am overlooking
> something?
> 
> When I have a proper solution to this issue it will be documented in
> the version section of the read me.
> 
> Hope this helps,
> Tony
> 
> 
> On Mar 31, 2005 11:55 AM, Paul Bourgeau <psbourgeau at mpccorp.com> wrote:
> 
>>Can anyone help???
>>
>>Thank You,
>>Paul Bourgeau
>>
>>Ph: 262-523-3300 x60279
>>Fx: 208-898-2371
>>psbourgeau at mpccorp.com
>>
>>-----Original Message-----
>>From: nagios-users-admin at lists.sourceforge.net
>>[mailto:nagios-users-admin at lists.sourceforge.net] On Behalf Of Paul
>>Bourgeau
>>Sent: Wednesday, March 23, 2005 10:57 AM
>>To: nagios-users at lists.sourceforge.net
>>Subject: [Nagios-users] NC_Net EVENTLOG quirk
>>
>>I have been successful in getting this check to work with one exception.
>>I am trying to get notifications of whenever Norton AntiVirus makes a
>>specific log entry and it doesn't seem to work.
>>
>>For instance, when it logs an entry to state that the definitions are
>>current, Windows logs the following:
>>
>>Source:Norton AntiVirus
>>EventID:16
>>Type:Information
>>Description:Virus Definitions are current.
>>
>>When I run this check, it does not work....
>>./check_nc_net -H hostname -v EVENTLOG -l "application,any,1440,1,Norton
>>AntiVirus,0,1,16"
>>OK: No entries in application log recently.
>>
>>But when I generalize the check, it comes back with an entry......
>>./check_nc_net -H hostname -v EVENTLOG -l "application,any,1440,1,Norton
>>AntiVirus,0,0"
>>14 Errors with ID:
>>16711696;16711704;16711703;16711685;16711683;16711686;16711686;16711686;
>>16711686;16711686;16711686;16711686;16711685;;Virus Found!Virus name:
>>EICAR Test String in File:
>>C:\RECYCLER\S-1-5-21-790525478-1547161642-1801674531-500\Dc466.txt by:
>>Scheduled sca;.  Action: Clean failed : Quarantine succeeded :
>>
>>I have noticed that the checks that aren't working correctly either have
>>spaces in the source name or under 3 digit ID's.  Is this just
>>coincidence??  In the documentation it states that it "ignores extra
>>white space in the Regular expression".
>>
>>Any other Event ID check works fine, i.e...
>>
>>Source:NC_Net
>>EventID:3005
>>Type:Information
>>Description:NC_Net Service Ending:-NC_Net 2.21 03/13/05
>>
>>./check_nc_net -H hostname -v EVENTLOG -l
>>application,any,1440,0,0,1,3005
>>1 Errors with ID: 3005 LAST - ID 3005: NC_Net Service Ending :-NC_Net
>>2.21 02/25/05
>>
>>I have tried this on v2.20 and v2.21 with the same result.
>>
>>Thanks in advance for the help!!
>>
>>Disclaimer: 23/3/2005
>>
>>MPC Computers is providing the following information in compliance with
>>federal regulations:
>>
>>MPC Computers, LLC
>>906 E. Karcher Road
>>Nampa, Idaho 83687
>>1-888-224-4247
>>http://www.mpccorp.com
>>
>>To discontinue receiving e-mail communications from MPC in the future,
>>please go to:
>>http://www.mpccorp.com/email/manage.html and follow the instructions.
>>
>>_______________________________________________
>>Nagios-users mailing list
>>Nagios-users at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/nagios-users
>>::: Please include Nagios version, plugin version (-v) and OS when
>>reporting any issue.
>>::: Messages without supporting info will risk being sent to /dev/null
>>
>>
>>
> 
> 
> 
> 

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Lead Developer

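The offset Tony describes (16711680, hex 00FF0000) is the facility field of a 32-bit Windows event identifier; Event Viewer shows only the low 16 bits, which is why Paul sees ID 16 while the raw value NC_Net compares is 16711696. The following is an added example, not code from this thread, from NC_Net or from check_nc_net: it decodes the raw identifier into its fields, matches an operator-supplied ID whether it is given as the Event Viewer number or as the raw value (Tony's workaround), and reproduces the documented "unescaped whitespace is ignored" rule for the message filter. The filter semantics and the helper names (decode_event_id, event_id_matches, compile_message_filter, find_entries) are assumptions for illustration, and the sample entries are constructed from the IDs in Paul's output.

```python
import re

# Added example (not NC_Net or check_nc_net code): decode the raw 32-bit
# Windows event identifier and show why 16711696 and 16 are the same
# Norton AntiVirus event as far as Event Viewer is concerned.
#
# Layout of a Windows event identifier (winerror.h / message compiler):
#   bits 31-30  severity (0 success, 1 informational, 2 warning, 3 error)
#   bit  29     customer bit
#   bit  28     reserved
#   bits 27-16  facility
#   bits 15-0   the 16-bit code that Event Viewer displays as "Event ID"
SEVERITY_NAMES = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def decode_event_id(raw):
    """Split a raw 32-bit event identifier into its fields."""
    raw &= 0xFFFFFFFF
    return {
        "raw": raw,
        "severity": SEVERITY_NAMES[(raw >> 30) & 0x3],
        "customer": bool((raw >> 29) & 0x1),
        "facility": (raw >> 16) & 0x0FFF,
        "code": raw & 0xFFFF,
    }


def event_id_matches(raw, wanted):
    """Compare a logged identifier with the number the operator asked for.

    A value above 0xFFFF is taken as a raw identifier (the 16711696 workaround
    from the thread); anything smaller is the Event Viewer number, so only the
    low 16 bits are compared.
    """
    if wanted > 0xFFFF:
        return raw == wanted
    return (raw & 0xFFFF) == wanted


def compile_message_filter(expr):
    """Build the message-filter regex the way the thread describes it.

    Assumed semantics (not taken from NC_Net source): unescaped whitespace in
    the expression is dropped, a backslash-escaped space ("\\ ") survives as a
    literal space, and the result is compiled as an ordinary regex.
    """
    kept = []
    i = 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            kept.append(expr[i:i + 2])   # keep escape pairs, including "\ "
            i += 2
            continue
        if not ch.isspace():
            kept.append(ch)
        i += 1
    return re.compile("".join(kept))


# Constructed sample entries, modelled on the IDs in Paul's check_nc_net output.
# Tuple layout: (source, raw event identifier, message).
SAMPLE_ENTRIES = [
    ("Norton AntiVirus", 16711696, "Virus Definitions are current."),
    ("Norton AntiVirus", 16711685, "Virus Found! Virus name: EICAR Test String"),
    ("Norton AntiVirus", 16711686, "Scan complete"),
    ("NC_Net", 3005, "NC_Net Service Ending:-NC_Net 2.21 03/13/05"),
    ("SomeDriver", 0xC0010007, "SCSI INTERFACE ERROR on port 1"),  # error severity, facility 1
]


def find_entries(entries, source=None, event_id=None, message_filter=None):
    """Return the entries matching an optional source, event ID and message filter."""
    pattern = compile_message_filter(message_filter) if message_filter else None
    hits = []
    for src, raw, msg in entries:
        if source is not None and src != source:
            continue
        if event_id is not None and not event_id_matches(raw, event_id):
            continue
        if pattern is not None and not pattern.search(msg):
            continue
        hits.append((src, raw, msg))
    return hits


if __name__ == "__main__":
    for raw in (16711696, 3005, 0xC0010007):
        print(decode_event_id(raw))
    # Paul's failing check: source "Norton AntiVirus", ID 16 now matches.
    print(find_entries(SAMPLE_ENTRIES, source="Norton AntiVirus", event_id=16))
    # Unescaped spaces are dropped, so this pattern never matches anything.
    print(find_entries(SAMPLE_ENTRIES, message_filter="SCSI INTERFACE ERROR"))
    # Escaped spaces are kept, so this one does.
    print(find_entries(SAMPLE_ENTRIES, message_filter=r"SCSI\ INTERFACE\ ERROR"))
```

Comparing only the low 16 bits conflates events that share a code but differ in facility or severity, so a check written that way should always be combined with the source filter, as Paul's check already is; where the raw value is known, comparing it in full (Tony's 16711696 workaround) is the stricter option.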
