check event log

Jim Avery jim at jimavery.me.uk
Mon Feb 21 13:58:45 CET 2011


On 21 February 2011 10:27, Tristan Drinkwater <tristand at micro-p.com> wrote:
> Morning all (depending where you are in the world..)
>
> I’m trying to catch all error and warning logs from application event folder
> but I’m struggling with the filter+generated bit.
>
> In a nutshell all I want is anything red that happened within the last 24
> hours.
>
> Here is my syntax I’m running from the libexec folder till I get it right;
>
> ./check_nrpe -H ip -p 5667 -c CheckEventLog -a filter=in file=application
> filter.eventType==error filter+generated=\<24h MaxCrit=1
>
> This returns 12 errors. Only 3 of which happened in the last 24 hours.
>
> It seems to be either not using the filter I’ve detailed or making up its
> own one!!
>
> Can anyone see what I’m doing wrong?


I'm not sure.  What I can tell you is I use the following syntax when
using the 0.3.5 version of NSClient++ when looking for alerts
specifically from MSSQL.


  Event_MSSQLSERVER=inject CheckEventLog filter=new file=application
MaxWarn=1 MaxCrit=2 filter+generated=<30m
filter+eventSource=MSSQLSERVER filter+eventType==error filter=in
filter=all

Note in particular "filter=new" might be important, and I have
"filter+eventType" where you have "filter.eventType".

I have found CheckEventLog especially in older versions of NSClient++
can behave quite bizarrely at times.  My advice is keep your query as
simple as you can (but tbh, yours probably couldn't be much simpler).

If you're using the latest version of NSClient++ (0.3.8), you might
find the new syntax easier, for example:

  CheckEventLog file=application file=system MaxWarn=1 MaxCrit=1
"filter=generated gt -1h AND severity NOT IN ('success',
'informational')" truncate=800 unique descriptions "syntax=%severity%:
%source%: %message% (%count%)"

You may need to play with how various characters are escaped as I
don't run it quite the same way as you do.

hth,

Jim
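
An independent way to check what the 24-hour window should contain, added here as an example and not part of the original thread or of NSClient++: run this on the monitored Windows host and compare its counts with what CheckEventLog returns. The function name `Get-RecentEventSummary` and its parameters are made up for this illustration; `Get-WinEvent` needs PowerShell 2.0 on Vista/Server 2008 or later.

```powershell
# Added example: count recent Application-log events by level and source,
# to compare against the number CheckEventLog reports for the same window.
function Get-RecentEventSummary {
    param(
        [string[]]$LogName = @('Application'),
        [int]$Hours = 24,
        [int[]]$Level = @(2, 3)   # 1 = Critical, 2 = Error, 3 = Warning
    )

    $filter = @{
        LogName   = $LogName
        Level     = $Level
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when nothing matches the filter;
    # suppress it so an empty window yields an empty result, not a failure.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $events |
        Group-Object LogName, LevelDisplayName, ProviderName |
        Sort-Object Count -Descending |
        ForEach-Object {
            New-Object PSObject -Property @{
                Count  = $_.Count
                Group  = $_.Name
                # Newest timestamp per group shows whether an entry really
                # falls inside the window or is an older record.
                Newest = ($_.Group | Sort-Object TimeCreated -Descending |
                          Select-Object -First 1).TimeCreated
            }
        }
}

# Errors only in the last 24 hours, matching the question in the thread.
Get-RecentEventSummary -Hours 24 -Level 2 |
    Format-Table Count, Group, Newest -AutoSize
```

If the total here is smaller than the check's result, the time filter in the check is not being applied.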

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users