<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Rage Italic";
panose-1:3 7 5 2 4 5 7 7 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>When I use the elog.exe Nagios check, the --incOp part does
not seem to work as I would expect it to.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The command I am running is:<o:p></o:p></p>
<p class=MsoNormal>C:\Program Files\NRPE_NT\plugins\bin>elog --logs
Application --include Source:"BlackBerry Controller" --incOp And
--include Description:"will not restart" --period 7200 --timeout 30<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The results I get are:<o:p></o:p></p>
<p class=MsoNormal>CRITICAL - Backup Exec(45828:2:3);BlackBerry
Controller(0:457:13);BlackBerry Messaging Agent IT-UTIL1 Agent
1(10:311:268);Windows Server Update Services(21:21:1);BlackBerry Dispatcher
IT-UTIL1(0:41:38);BlackBerry Router(2:1:5);Application Hang(2:0...<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I would expect this to find event log messages in the last 5
days that are in the Application log, have a Source of “BlackBerry Controller”,
and have the text “will not restart” in the Description. But
what I seem to get is every message in the last 5 days.<o:p></o:p></p>
<p class=MsoNormal>Can someone point out the flaw in my thinking or syntax, so
I can get this check working?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>If I run the command with just the Source part, I get back
an appropriate number of messages, so all I wanted to do was filter that set a
little more to pull out messages with certain text.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>command:<o:p></o:p></p>
<p class=MsoNormal>C:\Program Files\NRPE_NT\plugins\bin>elog --logs
Application --include "Source":"BlackBerry Controller"
--period 7200 --timeout 30 -vv<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>results:<o:p></o:p></p>
<p class=MsoNormal><snip><o:p></o:p></p>
<p class=MsoNormal>11/13/2009 6:08:19 PM
Warning
None BlackBerry
Controller<o:p></o:p></p>
<p class=MsoNormal> The description for Event ID
'-1342222410' in Source 'BlackBerry Controller' cannot be found. The
local computer may not have the necessary registry information or message DLL
files to display the message, or you may not have permission to access
them. The following information is part of the event:''IT-UTIL1' agent 1:
will not restart - reached the maximum of 10 restarts per 24 hours'<o:p></o:p></p>
<p class=MsoNormal><snip><o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Done<o:p></o:p></p>
<p class=MsoNormal>WARNING - BlackBerry Controller(0:457:13);<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Oddly enough, the Event ID shown in the above message is NOT
the Event ID shown in the Event Viewer. That Event ID is 20406.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>thanks,<o:p></o:p></p>
<p class=MsoNormal><b><span style='font-size:18.0pt;font-family:"Rage Italic";
color:#1F497D'>John</span></b><span style='font-size:12.0pt;font-family:"Times New Roman","serif";
color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:black'>John Patrick Carroll | Senior
Systems Administrator</span><span style='color:navy'><br>
</span><span style='font-size:10.0pt;color:red'>Gov</span><span
style='font-size:10.0pt;color:black'>Delivery, Inc.</span><span
style='color:navy'><br>
</span><span style='font-size:10.0pt;color:gray'>408 St. Peter St, Ste
600 | St Paul, MN 55102-1147<br>
651.757.4124 or 866.276.5583 ext. 124</span><span style='font-size:12.0pt;
font-family:"Times New Roman","serif";color:navy'><o:p></o:p></span></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;color:gray'>Resources</span><span style='font-size:
12.0pt;font-family:"Times New Roman","serif";color:navy'><br>
</span><span style='font-size:8.0pt;color:gray'>Website: <a
href="http://www.govdelivery.com"><span style='color:gray'>www.govdelivery.com</span></a><br>
Blog: <a href="http://www.reachthepublic.com"><span style='color:gray'>www.reachthepublic.com</span></a><br>
Twitter: <a href="http://www.twitter.com/govdelivery"><span style='color:gray'>www.twitter.com/govdelivery</span></a></span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif";color:navy'><o:p></o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>