NC_net: check_nt and EVENTLOG

Anthony Montibello amontibello at gmail.com
Wed Mar 2 11:52:26 CET 2005


hi, 

Details on using EventLog  in NC_Net.

An issue that I uncovered after reviewing this email was that white
space in the regular expression needs to be escaped with a backslash. 
(for some reason both single or double backslash seem to work for me
but no backslash fails)

The basic format of the EventLog's -l is:
Arg1,arg2,arg3,arglist1,arglist2,arglist3
and the result is the count of how many entries match, followed by a list
of event ID and the description field of the most recent event.
Threshold testing using -w and -c can then be applied to the count.
FIXED v2.20: a non_ok result was reported when -w and -c were not used.

Arg1 - the event log you wish to search, or use 'any' to search all event
logs.  This parameter is not limited to built-in event logs; it will
accept and process any Event log that Windows Event Log viewer has
access to.

Arg2 is the event type: standard built-in ones are Information,
Warning, Critical, or choose any for selecting all types.  This
argument accepts any type that is registered in Windows.
Fixed in v2.20 - Type was case sensitive in earlier versions.

Arg3 is the number of minutes between the written time of the event
entry (which could be much later than the actual time of the event)
and the current time. For example, if this value is 5 it will only
report event entries that were written to the event log in the last 5
minutes.  Use 0 to retrieve all events.

Example: all error entries from System that occurred in the past hour:
"System,Error,60,0,0,0"

Arg1,arg2,arg3 are processed first and a copy is saved of any event
entry that matches all three.  Then the remaining filters are applied.

The filters are in a list form where the first element of the list is
how many items will be applied.  This is a signed number: negative
to exclude matching entries from the list and positive to include
only matching entries.

arglist4: Event Source.  This filter list is to match against the
source of the entry.
For example, to list all events that were from NC_Net or EventLog that
occurred in the last 5 min:
"any,any,5,2,EventLog,NC_Net,0,0"
To list any error that occurred in the last 10 minutes except for
errors by NC_Net:
"any,Error,10,-1,NC_Net,0,0"

Arglist5: Description Field Regular Expression Filter.
This filter uses a regular expression to match the entry's Description
field.  It is case sensitive, and whitespace needs to be escaped.
Regular expressions are similar to egrep: parentheses for grouping
and pipe for or.
To list all events that have the word start or stop in their description:
"any,any,0,0,2,start,stop,0"
This is equivalent to:
"any,any,0,0,1,(start|stop),0"
Make sure to use the backslash to match whitespace in the expression.
For example: "any,any,0,0,1,Jack\ and\ Jill,0"

Arglist6: is a filter for the event ID.  This tests the event ID as
text, so using ranges is not accepted.  For example, to test if NC_Net
was started in the last 5 minutes:
"Application,Information,5,0,0,1,1004"

Note: V2.21 is currently in testing, and will be released soon. If
anyone is having issues with NC_Net let me know; that way I can address
the problem before I release 2.21.
2.21: Enumcounterdesc - prints the internal detailed description of
the performance counter or category.
WMICOUNTER - tests the result of a WMI query; if the query resolves to
a number or a list of numbers then it will test against warning and
critical values.

Good Luck
Tony
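
Added example (not part of the message above and not NC_Net's own code): a small Python model of the -l filter string as the message describes it, run over constructed event entries so a filter can be checked before it goes into a Nagios command definition. Exact matching on the source field and "any item matches" within a list are assumptions taken from the examples in the message.

```python
import re
from datetime import datetime, timedelta

def parse_spec(spec):
    """Split an EventLog -l string into log, type, minutes and three filter lists."""
    tok = spec.split(",")
    log, etype, minutes = tok[0], tok[1], int(tok[2])
    lists, i = [], 3
    for _ in range(3):                      # source, description regex, event ID
        n = int(tok[i])                     # signed count: >0 include, <0 exclude
        lists.append((n, tok[i + 1:i + 1 + abs(n)]))
        i += 1 + abs(n)
    return log, etype, minutes, lists

def _keep(n, items, hit):
    """Apply one signed list: 0 = no filter, >0 keep matches, <0 drop matches."""
    if n == 0:
        return True
    matched = any(hit(item) for item in items)
    return matched if n > 0 else not matched

def count_events(spec, events, now):
    """Return (count, most recent matching event or None) for a filter string."""
    log, etype, minutes, (src, desc, eid) = parse_spec(spec)
    kept = []
    for e in events:
        if ((log == "any" or e["log"] == log)
                and (etype.lower() == "any" or e["type"].lower() == etype.lower())
                and (not minutes or now - e["written"] <= timedelta(minutes=minutes))
                and _keep(*src, lambda s: s == e["source"])
                and _keep(*desc, lambda rx: re.search(rx, e["description"]))
                and _keep(*eid, lambda x: x == str(e["id"]))):  # ID compared as text
            kept.append(e)
    newest = max(kept, key=lambda e: e["written"], default=None)
    return len(kept), newest

# Constructed sample entries (not real log data); sources and IDs are illustrative.
NOW = datetime(2005, 3, 2, 12, 0)
EVENTS = [
    {"log": "Application", "type": "Information", "source": "NC_Net", "id": 1004,
     "description": "NC_Net start", "written": NOW - timedelta(minutes=3)},
    {"log": "System", "type": "Error", "source": "aic78xx", "id": 9,
     "description": "SCSI INTERFACE ERROR on bus 0", "written": NOW - timedelta(minutes=8)},
    {"log": "Application", "type": "Error", "source": "NC_Net", "id": 2000,
     "description": "Jack and Jill stop", "written": NOW - timedelta(minutes=30)},
    {"log": "System", "type": "Warning", "source": "EventLog", "id": 6008,
     "description": "CHECK CONDITION reported", "written": NOW - timedelta(minutes=90)},
]
```

Under this model, the two strings asked about in the quoted question below would be written as `any,any,0,0,2,SCSI\ INTERFACE\ ERROR,CHECK\ CONDITION,0`, and the returned count is what -w and -c would be tested against.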


On Tue, 1 Mar 2005 10:32:38 -0600, Lien, Mitch <mitch.lien at medtronic.com> wrote:
> Hi.
> 
> I am currently configuring Nagios to monitor several of our Netbackup servers here in Minneapolis, MN.
> 
> I am using the NC_Net 2.19 agent for our Win 2XXX servers and it is working well.
> 
> I have a question concerning the syntax of the check_nt command and finding multiple strings within any of the Windows event logs. I have attempted to use the "http://article.gmane.org/gmane.network.nagios.plugins/1228" example, but have not had success.
> For example, I am not sure what the check_nt command should look like to search/find the "SCSI INTERFACE ERROR" and "CHECK CONDITION" strings from the event logs.
> If anyone has examples on finding multiple strings it would be greatly appreciated.
> Thanks.
> Mitch Lien
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_ide95&alloc_id396&opclick
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>

