NSClient++ Help (#1) - Using CheckEventLog to see if an event has occurred at least once (in last x hrs) (#320) - Message List
I need a check to confirm if a given event has occurred in the last hour - if it HAS occurred at least once, then everything is OK, so return a 0. If it HASN'T, then return a fault. Is it possible to do this with CheckEventLog? I know I can do it with an external script coupled with something like MS Logparser, but would rather do it via NSClient++!
e.g. the script below has MaxWarn/MaxCrit values, but in my case, I want a MaxCrit of 0... Is there another way to do it?
./check_nrpe -H SERVERNAME -c CheckEventLog -a filter=new file="Application" MaxWarn=2 MaxCrit=5 filter+generated=\<1h filter+eventSource="Example Application" filter+eventType==info filter+message="substr: completed successfully" filter=in filter=all
Message #974
Humm, not sure I follow, MaxCrit=0 does not work or?
MickeM
mickem 01/14/09 18:14:37 (3 years ago)
Message #984
Thanks for replying mate. Basically, the event I want to check for is a GOOD event - I want it to be in the log.. if it HASN'T been logged, that's when I want NSClient to flag a critical or warning.. so:
0 matching results = bad --> returns a 2 to Nagios
1 or more matching results = good --> returns a 0 to Nagios
To be honest I haven't tried MaxCrit=0, but assume it won't work because "1 or more matching results" would also trigger the maxcrit threshold...?
So it's pretty much the exact opposite of how a normal check would work.. we've got a few legacy apps that we don't have source for, which fire off success messages into the app log, but the error/troubleshooting side of things leaves a bit to be desired.
Plus it would be good for things like backup scripts etc. It's one thing to look for a fault, but if the backup script doesn't fire in the first place, a conventional CheckEventLog check wouldn't help.
Any ideas?
anonymous 01/16/09 02:27:22 (3 years ago)
Message #1018
I am looking to do the EXACT same thing... that is, check if the eventlog has an event ID or something, and if it doesn't, indicate a critical state; if it finds the event in the log, all is OK.
MaxCrit=0 does not work...
anonymous 01/24/09 01:31:41 (3 years ago)
Message #1021
The new (out in a bit) nightly will support this:
2009-01-23 MickeM
+ Added better support for numerical hit matching in the eventlog module. You can now use exact and detailed matching. You can now use the following syntax: CheckEventLog ... warn=ne:1 crit=eq:0 ... To generate a warning if the number of hits are != 1 and a critical if the number of hits are = 0. Other operators available are: =, >, <, <>, !, !=, eq:, ne:, gt:, lt:
MickeM
mickem 01/24/09 11:10:08 (3 years ago)
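The hit-count matching described in the changelog entry above, modelled as an added example (not NSClient++ code and not written by anyone in this thread): it evaluates thresholds such as warn=ne:1 crit=eq:0 against a hit count and returns the Nagios exit code. The function names, the critical-before-warning order and the reading of "!" and "<>" as "not equal" are assumptions.

```python
import operator
import re

# Operators listed in the 2009-01-23 changelog entry, mapped to comparisons.
# How NSClient++ parses them internally is not shown on this page; "!" and
# "<>" are assumed here to mean "not equal".
OPS = {
    "=": operator.eq, "eq:": operator.eq,
    "!=": operator.ne, "<>": operator.ne, "!": operator.ne, "ne:": operator.ne,
    ">": operator.gt, "gt:": operator.gt,
    "<": operator.lt, "lt:": operator.lt,
}
# Longest tokens first so "!=" and "<>" are not read as "!" or "<".
_TOKEN = re.compile("(%s)(\\d+)$" % "|".join(
    re.escape(t) for t in sorted(OPS, key=len, reverse=True)))

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes


def matches(expr, hits):
    """True when the hit count satisfies a threshold such as 'eq:0' or '>5'."""
    m = _TOKEN.match(expr.strip())
    if not m:
        raise ValueError("unsupported threshold: %r" % expr)
    return OPS[m.group(1)](hits, int(m.group(2)))


def evaluate(hits, warn, crit):
    """Map a hit count to a Nagios exit code (assumed: critical wins)."""
    if matches(crit, hits):
        return CRITICAL
    if matches(warn, hits):
        return WARNING
    return OK


if __name__ == "__main__":
    # Constructed hit counts: event missing, logged once, logged twice.
    for hits in (0, 1, 2):
        print(hits, evaluate(hits, warn="ne:1", crit="eq:0"))
```

With warn=ne:1 crit=eq:0, zero hits maps to critical (2), exactly one hit to OK (0), and two hits to warning (1).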
Message #1166
Damn Micke, sorry for taking so long to actually try this feature...! I really do appreciate it.
/usr/local/nagios/libexec/check_nrpe -H 10.250.0.110 -c CheckEventLog -a filter=new file="'Application'" MaxWarn=5 MaxCrit=10 filter+generated=\<24h filter+eventType==info filter+eventSource=="LiveState Recovery" filter+message=substr:"base recovery point of C:\ completed successfully." filter=in filter=all
...which results in:
LiveState Recovery|'eventlog'=1;5;10;
...there is a matching record, so the check effectively returns a value of "1" - but if I change the check syntax to:
/usr/local/nagios/libexec/check_nrpe -H 10.250.0.110 -c CheckEventLog -a filter=new file="'Application'" MaxWarn=eq:1 MaxCrit=eq:0 filter+generated=\<24h filter+eventType==info filter+eventSource=="LiveState Recovery" filter+message=substr:"base recovery point of C:\ completed successfully." filter=in filter=all
...which results in:
LiveState Recovery, eventlog: 1 > critical|'eventlog'=1;0;0;
... the record is still matched (i.e., it returns a 1), but the result is still critical..
Have I got the syntax wrong? Am just going on the notes you've got in the change log...! :)
destr0y 04/29/09 01:51:04 (3 years ago)