<div>Hi,</div> <div> </div> <div> <div>WMI should solve this problem for you.</div></div> <div> </div> <div>Just some notes on related to this issue,</div> <div> </div> <div>First off, make sure your using the current version of NC_NEt 4.1a and you would have access to a more optimized event log check called "eventlog_new" The original eventlog searched the logs from the wrong end, and thus takes a long time on large logs, this new version asside from using different syntex checks from the most resent event first. </div> <div> </div> <div>The Output is the same, thus it does not give what your are looking for. (but it may be more optimized than the WMI You would need to test this.) if it is a quicker test, I recomend using it and setting up event handlers or manually running check_nt using WMI to get the file name. note this assumes that you normally do not get an alert , so you would want the checking to induce the least load. </div> <div> </div> <div>If you know the names of the files you can setup seperate checks using the REGEXP of the EVENTLOG_NEw and this would serve as a workaround.</div> <div> </div> <div>If your looking for the files being modified. FILEAGE may be a good workaround.</div> <div> </div> <div>you should be able to setup an event handler that takes the EVENTID reported by EVENTLOG check and runs a WMICAT, querry the WMI (Windows Managment interface) for the Event Log Message.</div> <div>CLASS - CIMV2 Win32_NTLogEvent -has the events and the messeges in it.</div> <div>writing a querry to it may be tricky but if you need the File mane from the Message field this is the way to get it without writing new scripts, or paying for upgrades.</div> <div> </div> <div>or just run WMI checks directly and use wrapper scripts to interpret the results. </div> <div>please not on this, if a querry has no match there may be a NO OUTPUT error. </div> <div> </div> <div>Good Luck.</div> <div> </div> <div>TOny (author of NC_Net)</div> <div> </div> <div> </div> <div><span class="gmail_quote">On 10/4/07, <b class="gmail_sendername">Florencio Cano</b> <<a href="mailto:florencio.cano@gmail.com">florencio.cano@gmail.com</a>> wrote:</span> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hello,<br>Thanks to Hugo and Roger help I've been able to check Windows 2003<br>EventLog from the Nagios server. My idea is to audit access to some <br>objects in the Windows 2003 machine as for example, a confidential<br>document. And I want to see an alert in Nagios when I receive this<br>information from the Windows EventLog Plugin (check_nt -v EVENTLOG).<br>But, now, I'm receiving only the error codes and I want to receive <br>more info detailed in the EventLog as for example the object name<br>(filename in my case). Is this possible?<br><br>And I wanted to say that I'm using NC_Net in a Spanish installation<br>Windows 2003 installation and it seems to run ok. <br>--<br>Florencio Cano Gabarda<br><br>-------------------------------------------------------------------------<br>This SF.net email is sponsored by: Splunk Inc.<br>Still grepping through log files to find problems? Stop. <br>Now Search log events and configuration files using AJAX and a browser.<br>Download your FREE copy of Splunk now >> <a href="http://get.splunk.com/">http://get.splunk.com/</a><br>_______________________________________________ <br>Nagios-users mailing list<br><a href="mailto:Nagios-users@lists.sourceforge.net">Nagios-users@lists.sourceforge.net</a><br><a href="https://lists.sourceforge.net/lists/listinfo/nagios-users">https://lists.sourceforge.net/lists/listinfo/nagios-users </a><br>::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.<br>::: Messages without supporting info will risk being sent to /dev/null<br></blockquote></div><br>