Does anyone have event log monitors that *work*?

C. Bensend benny at bennyvision.com
Fri Mar 19 15:31:43 CET 2010


Hey folks,

   I have been beating my head against various and sundry walls,
tables, and desks for quite some time now, and my brain is starting
to get very, VERY mushy.

   I need to monitor Windows event logs.  You'd think this would
be easy, but either the tools available out there don't work (which
I doubt, I KNOW you monitor event logs), or I'm man enough to admit
that I'm a hopeless idiot.

   I've tried to get help on the 3rd-party sites (Steve
Shipway's site for Nagios EventLog Service and NSClient++), but
they're either away from their desks for an extended period of
time or I've just plain worn them out and they're no longer answering
my questions.

   I beg of you; if you use either of these tools and *successfully*
monitor Windows event logs, please give me a hand.  I apologize for
the length of this email, but this is my last stand - if I cannot
get event log monitoring working, this entire project may get
scrapped.

THE PROBLEM:

   Both tools appear to work.  There are no errors, just lack of
   expected results.  If I look in an event log and *see* a 1074 in
   the system log, I expect to find a hit for a 1074 with either
   tool.  Both tools are completely missing them or returning the
   wrong severity, or not filtering on event ID at all.


Example with NSClient++ and NRPE:

I am looking at a system event log on a host.  I SEE a 1041
with a severity of "error" from source DhcpServer yesterday
at 10:58:32AM.  So, I fire up the following from the command
line:

./check_nrpe -H hntbw598 -p 5666 -t 90 -c CheckEventLog \
   -a file="system" filter=new filter=in MaxWarn="1" MaxCrit="10" \
   filter-generated=="\>24h" filter+severity=="error" filter+eventID=="1041" \
   truncate=900 unique descriptions \
   "syntax=%source%: (%severity% event ID %id%) %message% (%count% events found)"

(sorry about the line wrap)

Now, to my understanding, this means:

* check in the system event log (file="system")
* use the new EventLog syntax for NSClient++ (filter=new)
* include all the things that match my filters (filter=in)
* warn at 1 hit (MaxWarn="1")
* critical at 1 hit (MaxCrit="1")
* ignore things over 24 hours (filter-generated=="\>24h")
* only include errors (filter+severity=="error")
* only include event ID 1041 (filter+eventID=="1041")
* truncate output at 900 char (truncate=900)
* only include unique hits (unique)
* include the descriptions (descriptions)
* format the syntax nicely

Am I misunderstanding any of these parameters?

When I run it, however, I get the following:

SideBySide: (error event ID 32) Dependent Assembly Microsoft.VC80.ATL could not be found and Last Error was The referenced assembly is not installed on your sys  (8 events found),
SideBySide: (error event ID 59) Resolve Partial Assembly fai Reference error message: The referenced assembly is not installed on your syste . (16 events found),
DhcpServer: (success event ID 1041) The DHCP service is no addresses, or there are no active interfaces. (10 events found),
EventLog: (error event ID 6013) The system uptime is 1632415 seconds. (52 events found),
DCOM: (error event ID 10016) The application-specific permission settings do not gran  to the...|'eventlog'=88;1;10; AA3DA1}erver application with CLSID

(again, sorry for the line wrap)

WTF.  Am I just completely absolutely not understanding how these
filters work?  WHY did it return anything other than my single 1041?

When I try the same type of filter with Nagios EventLog Agent, I
just don't get any NSCA events at all, it just skips it.  Running
the agent on debug level hasn't given me clue yet, although I'm
still trying.


How do you guys monitor your event logs?  Anyone using NSClient++?
I can't use NC_Net, I cannot install .NET on these hundreds of
Windows machines.  I just cannot understand why this is so damned
hard/frustrating/whatever.  Maybe I'm just an idiot, but I'm at
the end of my rope here...

THANK YOU for any help you can provide (including cluebats to the
head)!

Benny


-- 
"Show me on the doll where the marketing touched you."
                               -- "Mally" on Fazed.net
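Added example, not code from the post above nor from NSClient++ or the Nagios EventLog Agent: a PowerShell script that queries the System log directly for the event the CheckEventLog call is meant to find (source DhcpServer, event ID 1041, severity Error, last 24 hours) and reports it in Nagios plugin form, so the tool's answer can be compared with what the log itself contains. It assumes it is run on (or pointed at) the monitored Windows host with PowerShell 2.0 or later and a user that can read the System log; the log name, source, event ID, window and the MaxWarn=1 / MaxCrit=10 thresholds are taken from the command line in the post, and the perfdata label 'eventlog' copies the one in the tool's output.

```powershell
# Added example (editor's, not from the original post or either tool):
# read the classic System log for the event the CheckEventLog filter is
# meant to match and emit a Nagios-style status line, for cross-checking.
# Assumes PowerShell 2.0+ and read access to the System log.
param(
    [string]$LogName = 'System',
    [string]$Source  = 'DhcpServer',
    [int]$EventId    = 1041,
    [int]$Hours      = 24,
    [int]$MaxWarn    = 1,    # MaxWarn="1" from the post's command line
    [int]$MaxCrit    = 10    # MaxCrit="10" from the post's command line
)

$since = (Get-Date).AddHours(-$Hours)

# Get-EventLog reads the classic event log, which is what CheckEventLog also
# reads. EntryType is the severity as the log itself records it.
$hits = @(Get-EventLog -LogName $LogName -After $since -EntryType Error -ErrorAction SilentlyContinue |
          Where-Object { $_.Source -eq $Source -and $_.EventID -eq $EventId })

# Same query without the severity restriction: if this finds 1041 but $hits is
# empty, the entry is not logged as Error and a severity=="error" filter
# cannot match it regardless of how the tool is configured.
$anySeverity = @(Get-EventLog -LogName $LogName -After $since -ErrorAction SilentlyContinue |
                 Where-Object { $_.Source -eq $Source -and $_.EventID -eq $EventId })

# Nagios threshold semantics: count at or above MaxCrit is CRITICAL,
# at or above MaxWarn is WARNING, otherwise OK.
$count = $hits.Count
if     ($count -ge $MaxCrit) { $state = 'CRITICAL'; $exitCode = 2 }
elseif ($count -ge $MaxWarn) { $state = 'WARNING';  $exitCode = 1 }
else                         { $state = 'OK';       $exitCode = 0 }

$detail = if ($count -gt 0) {
    $latest = $hits | Sort-Object TimeGenerated -Descending | Select-Object -First 1
    $msg = $latest.Message -replace "[`r`n]+", ' '
    if ($msg.Length -gt 200) { $msg = $msg.Substring(0, 200) }   # keep the line short
    "latest $($latest.TimeGenerated): $msg"
} else {
    "no Error entries; $($anySeverity.Count) entries with other severities"
}

# Status line followed by perfdata in label=value;warn;crit form.
Write-Output ("{0}: {1} x {2} event ID {3} in last {4}h ({5})|'eventlog'={1};{6};{7}" -f `
    $state, $count, $Source, $EventId, $Hours, $detail, $MaxWarn, $MaxCrit)
exit $exitCode
```

Run it on the host the check_nrpe command targets (or add -ComputerName to both Get-EventLog calls to query remotely). If its Error-only count and its any-severity count differ, the entry you see in the viewer is not recorded with EntryType Error, which is the first thing to compare against the "success" severity the tool printed for event 1041.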

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users