CheckEventLog
CheckEventLog is part of the wiki:CheckEventLog module.
This check enumerates all events in the event log, filters events out (or in) according to the filter options, and then uses the size of the resulting list to determine the state.
| Option | Values | Description |
|---|---|---|
| file | An event log file name | The name of an event log file; the default ones are Application, Security and System. |
| filter | in, out, any, all | Specify the way you want to filter things (see the Filter section below). |
| descriptions | None | Flag to specify if you want to include the string representation of the error messages. |
| truncate | length of the returned set | This will truncate the output after the specified length. As NRPE can only handle 1024 chars, you need to truncate the output. |
| MaxWarn | number of records | The maximum number of records to allow before reporting a warning state. |
| MaxCrit | number of records | The maximum number of records to allow before reporting a critical state. |
| filter-eventType | error, warning, etc. | An event type to filter out: error, warning, info, auditSuccess or auditFailure. Note that unlike other commands, this requires '==', for example filter-eventType==info. The values info, error, etc. are case sensitive. |
| filter-eventSource | [[string expression]] | The name of the source of the event. Can be a substring or regular expression. |
| filter-generated | [[time expression]] | How long ago the message was generated. |
| filter-written | [[time expression]] | How long ago the message was written to the log. |
| filter-message | [[string expression]] | Filter strings in the message. Can be a substring or regular expression. |
| filter-eventID | [[numeric expression]] | Filter based on the event id of the log message. |
| filter-severity | success, informational, warning or error | Filter based on event severity (filter-severity==warning). |
| syntax | String | A string used to represent each matched event log entry; the following keywords are replaced with the corresponding values: %source%, %generated%, %written%, %type%, %severity%, %strings%, %id% |
A time expression is a date/time interval given as a number prefixed by a filter prefix (<, >, =, !=) and followed by a unit postfix (m, s, h, d, w). For example, filter-generated=>2d matches any records older than 2 days, and filter-generated=<2h matches any records newer than 2 hours.
A string expression is a key followed by a string that specifies the match. Currently substr and regexp are supported. Thus you enter filter-message=regexp:(foo|bar) for a regular expression and filter-message=substr:foo for a substring pattern match.
Filter
| Value | Meaning |
|---|---|
| in | Anything matching this filter will be included in the result. |
| out | Anything matching this filter will be excluded from the result. |
| any | Any of the filter rules has to match. |
| all | All of the filter rules have to match. |
Thus filter=all filter=in and filter=any filter=out are the combinations that make the most sense, depending on your filter concept.
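The filter semantics above (time expressions, substr/regexp string expressions, in/out, any/all and the MaxWarn/MaxCrit thresholds) modelled in Python as an added example; this is not NSClient++'s own code. The log entries are constructed, the `file=` option is accepted but ignored because all sample records are treated as one log, and the time expressions are given unescaped (the backslash in `\<2h` on this page is only shell quoting).

```python
import operator
import re
from datetime import timedelta

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq, "!=": operator.ne}
# Constructed sample entries, not real event-log data: (source, type, age)
EVENTS = [
    ("ESENT", "error", timedelta(hours=1)),
    ("Service Control Manager", "error", timedelta(hours=3)),
    ("Tcpip", "warning", timedelta(hours=1)),
    ("Cdrom", "error", timedelta(days=3)),
    ("ESENT", "error", timedelta(hours=20)),
]

def time_rule(expr):
    """'<2h' -> predicate on record age; '>2d' means older than 2 days."""
    op, num, unit = re.fullmatch(r"(<|>|=|!=)(\d+)([smhdw])", expr).groups()
    secs = int(num) * UNITS[unit]
    return lambda rec: OPS[op](rec[2].total_seconds(), secs)

def string_rule(expr, field):
    """'substr:foo' or 'regexp:(foo|bar)' -> predicate on the given field."""
    kind, _, pat = expr.partition(":")
    if kind == "substr":
        return lambda rec: pat in rec[field]
    if kind == "regexp":
        return lambda rec: re.search(pat, rec[field]) is not None
    raise ValueError("unknown string expression: " + expr)

def check_event_log(args, events=EVENTS):
    """Evaluate a CheckEventLog-style argument list; return (state, matched_count)."""
    rules, modes = [], []
    opts = {"MaxWarn": float("inf"), "MaxCrit": float("inf")}
    for token in args:
        key, _, val = token.partition("=")
        if key in ("filter-generated", "filter-written"):
            rules.append(time_rule(val))
        elif key == "filter-eventSource":
            rules.append(string_rule(val, 0))
        elif key == "filter-eventType":  # page syntax is '==', so val starts with '='
            rules.append(lambda rec, t=val.lstrip("="): rec[1] == t)
        elif key == "filter":
            modes.append(val)
        elif key in opts:
            opts[key] = int(val)
    combine = all if "all" in modes else any   # how the rules are joined
    keep = "in" in modes                       # in: keep matches; out: drop them
    n = sum(1 for e in events if combine(r(e) for r in rules) == keep)
    state = "CRITICAL" if n > opts["MaxCrit"] else "WARNING" if n > opts["MaxWarn"] else "OK"
    return state, n
```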
Examples
Check the Application event log for errors in the last 48 hours. Filter out any Cdrom and NSClient errors as well as all warnings. Allow 3 errors before a warning is issued and 7 before a critical state.
checkEventLog file=system file=application MaxWarn=1 MaxCrit=1 filter-generated=>2d filter-eventSource=substr:Service filter-eventSource=substr:Tcpip filter=out filter=any
CRITICAL: 27 > critical: ESENT, ESENT, ESENT, ESENT,...
define command {
    command_name check_event_log
    command_line check_nrpe -H $HOSTADDRESS$ -p 5666 -c checkEventLog -a file=system file=application MaxWarn=1 MaxCrit=1 filter-generated=>2d filter-eventSource=substr:Service filter-eventSource=substr:Tcpip filter=out filter=any
}
check_command check_event_log
---
Check for errors by eventid in the last 2 hours.
$ARG1$ = file to check, i.e. Application, Security, System
$ARG2$ = Max Warn amount
$ARG3$ = Max Critical amount
$ARG4$ = eventID Number
./check_nrpe -H $HOSTNAME$ -c CheckEventLog -a file="$ARG1$" MaxWarn=$ARG2$ MaxCrit=$ARG3$ filter-generated=\<2h filter-eventID==$ARG4$ filter-eventType==error filter=in filter=all
---
Check for errors by source name in the last 2 hours.
$ARG1$ = file to check, i.e. Application, Security, System
$ARG2$ = Max Warn amount
$ARG3$ = Max Critical amount
$ARG4$ = Source Name, i.e. Service Control Manager
./check_nrpe -H $HOSTNAME$ -c CheckEventLog -a file="$ARG1$" MaxWarn=$ARG2$ MaxCrit=$ARG3$ filter-generated=\<2h filter-eventSource=="$ARG4$" filter-eventType==error filter=in filter=all
---