<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7653.2"> <TITLE>Re: [Nagios-users] Monitoring Windows Eventviewer</TITLE> </HEAD> <BODY>  >Dear All, >Would anyone have experience in checking the windows eventviewer for certain events, or turning nagios red in case of ERRORs ? >What script are you using ? preferably something that can simply interact with NSClient We do this using the NSClient++ agent (<A HREF="file://www.nsclient.org">www.nsclient.org</A>). It checks the event logs and filters them based on criteria you define, alerting when the number of hits you specify is reached (i.e. when the system log has 1 or more events with an ID of XXXX within the last 10 minutes send alerts). Here is an example we use to monitor for a specific Oracle error. In the example we check the "application" log of the server every "60" minutes for events with an ID of "20" with event type of "Error" containing a string in the text of the message "Can not allocate log", check turns critical after 1 matching event is found that is time stamped within the last "65" minutes. Checkcommands.cfg: define command{ command_name check_eventlogs command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -c checkEventLog -a filter=new $ARG1$ MaxWarn=$ARG2$ MaxCrit=$ARG3$ filter-generated=\$ARG4$ $ARG5$ truncate=$ARG6$ # Desc: # $ARG1$ = event logs to check (i.e. file=system file=application) # $ARG2$ = Warning level (i.e. number of hits to generate a warning response) # $ARG3$ = Critical level (i.e. number of hits to generate a critcal response) # $ARG4$ = Time period (i.e. 1 day is '1d' 30 hours is '>30h') # $ARG5$ = Filters (i.e. filter-eventID==9009 filter-eventSource=Tcpip) see <A HREF="http://www.nsclient.org/nscp/wiki/CheckEventLog/CheckEventLog">http://www.nsclient.org/nscp/wiki/CheckEventLog/CheckEventLog</A> for detailed info # $ARG6$ = Amount of data to return in characters (i.e. truncate=150) # Example: check_nrpe -H server_name_here -p 5666 -c checkEventLog -a filter=new file=system MaxWarn=1 MaxCrit=1 filter-generated=\>30h filter+eventID==10002 descriptions truncate=138 } Services.cfg: define service{ use standard-srv service_description eventlog: Oracle archive log errors check_command check_eventlogs!file=application!1!1!>65m!filter+eventID==20 filter+eventType==error filter+message=substr:"Can not allocate log"!100 normal_check_interval 60 notification_options w,c contact_groups apps host_name server1, server2 } HTH, -greg </BODY> </HTML>