NSClient++ Help (#1) - only filter special ID's from eventlog [SOLVED] (#532)

only filter special ID's from eventlog [SOLVED]

Hi, is there an opportunity to filter only special eventlog IDs on an Exchange Server? In this case 1019, 1018, 1004, 1005, 5001, 9518, 9555, 9559.

Dirk

  • Message #1648

    uhmm?

    you mean like use the event log id filter option?

    Michael Medin

    • Message #1649

      Like Michael says: http://www.nsclient.org/nscp/wiki/CheckEventLog/CheckEventLog#FilterTypes

      You can filter on eventId? You'll want something like "filter=out filter+eventId=1019 filter+eventId=1018" ... etc.

      That means that everything is excluded except the eventIds you specify...

      • Message #1656

        I have several entries with ID 4102 and 7022

        ./check_nrpe -H 10.1.1.6 -c CheckEventLog -a file=System MaxWarn=1 MaxCrit=3 filter+eventID==4102 filter-generated=\<18d filter=out filter=all truncate=100
        Wins, Wins, Wins, Wins, Wins, Wins, Wins, Wins, Wins, Wins, Wins, Wins, Wins, Wins, Wins, Wins, ...|'eventlog'=31;1;3;
        
        ./check_nrpe -H 10.1.1.6 -c CheckEventLog -a file=System MaxWarn=1 MaxCrit=3 filter+eventID==7022 filter-generated=\<18d filter=out filter=all truncate=100
        Service Control Manager, Service Control Manager, Service Control Manager, Service Control Manag...|'eventlog'=43;1;3;
        

        But the combination does not work.

        ./check_nrpe -H 10.1.1.6 -c CheckEventLog -a file=System MaxWarn=1 MaxCrit=3 filter+eventID==4102 filter+eventID==7022 filter-generated=\<18d filter=out filter=all truncate=100
        Eventlog check ok|'eventlog'=0;1;3;
        
        • Message #1660

          Ha!

          This is a very good question and the answer is that in the latest nightly you can do like so:

          CheckEventLog file=application file=system filter=out MaxWarn=1 MaxCrit=1 filter-eventID=ne:1 filter-eventID=eq:1 append-filter-eventSource==SecurityCenter truncate=1023 unique descriptions "syntax=%source%: %id% (%count%)"
          

          Notice the rather important append-filter-eventSource==SecurityCenter? This appends another option to the previous one (i.e. the previous filter...). This is to create "sort of like AND statements".

          Thus the above becomes:

          • DISCARD (eventID neq 1)
          • KEEP (eventID eq 1) AND (eventSource exact: 'SecurityCenter?')

          Each filter "rule" can ONLY have a single check of each TYPE:

          filter-eventID=eq:1 append-filter-eventID=eq:2 append-filter-eventSource==SecurityCenter
          

          Will result in (notice that the original (eventID eq 1) is discarded):

          Also note that there is no additional "+/-/." concept, since they apply to the rule as a whole, so you can NOT do append-filter+eventID=eq:2

          Michael Medin

          • Message #1663

            Hi Michael,

            Thanks for your reply. Now you've lost me.

            In my case: within 10 days I now have 7 error entries. KDC, KDC, KDC, Service Control Manager, KDC, KDC, KDC,

            KDC=ID 27 Service Control Manager=ID 7034

            ./check_nrpe -H 10.1.1.6 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=3 filter.eventID==27 filter.eventID==21 filter=in truncate=100 filter-generated=\>10d
            KDC, KDC, KDC, KDC, KDC, KDC, eventlog: 6 > critical|'eventlog'=6;1;3;
            

            so far so good

            Now I want to filter out only errors:

            check_nrpe -H 10.1.1.6 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=3 filter.eventID==27 filter.eventID==21 filter=in truncate=100 filter-generated=\>10d filter+eventType==error
            KDC, KDC, KDC, Service Control Manager, KDC, KDC, KDC, eventlog: 7 > critical|'eventlog'=7;1;3;
            

            This is not correct.

            Can you tell me the syntax to solve this problem? file=system AND (eventID=27 OR eventID=21) AND eventType=error

            Ruddimaster

            • Message #1664

              Hi,

              I think this is the solution:

              check_nrpe -H 10.1.1.6 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=3 filter.eventID==27 filter.eventID==21 filter=in truncate=100 filter-generated=\>10d filter-eventType==info filter-eventType==warning
              
            • Message #1665

              First off: this is false: KDC=ID 27 Service Control Manager=ID 7034

              You might have an event ID coming from KDC and you might have event ID 7034 coming from SDC (but the IDs are not the source).

              Secondly:

              1. filter=in Don't keep any entries not matching filter rules
              2. filter.eventID==27 if nothing discards this entry keep everything that matches this
              3. filter.eventID==21 if nothing discards this entry keep everything that matches this
              4. filter-generated=\>10d Discard all "old" entries
              5. filter+eventType==error Keep all errors (except the old ones, since they are already discarded by 3)

              So the above gives you all errors (regardless of source, id or kind) unless they are "old".

              What you want is the following. And this is just off the top of my head, so I haven't tried this or anything... (and I tend to get confused by this syntax so I usually need to play around a bit)

              1. filter=in Don't keep any entries not matching filter rules
              2. filter-generated=\>10d ALWAYS have this first as it is faster. Discard all "old" entries
              3. filter-eventType=ne:error Discard everything NOT an error (unless it is old (1))
              4. filter+eventID==21 Keep it (unless it is old (1) or it is an error (2))
              5. filter+eventID==27 Keep it (unless it is old (1) or it is an error (2))


              Also note I am unsure of filter-eventType=ne:error; you might have to do a series of discards on the "other values" (i.e. filter-eventType==information etc.).

              Michael Medin
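The precedence Michael spells out in Messages #1665 and #1660 (a "-" rule always discards, a "+" rule keeps whatever was not discarded, the "." rules follow filter=in/out) can be checked without a Windows box. The following is an added example, not NSClient++ code and not part of the thread: a small Python model of those semantics, run over a constructed system log against the four rule sets from Messages #1663, #1664 and #1665. Everything in it is an assumption for illustration: the field names, the event-type labels ("error", "warning", "information"), the sample entries and the treatment of generated=>10d as "older than 10 days". Note that Message #1664 types the label as "info" while Michael writes "information" in #1665; the model uses "information" for its constructed events, so the #1664 rule set lets an informational KDC entry through, which is exactly the label-mismatch risk Michael flags. Which spelling the real tool expects is not settled in the thread, so verify it against your version.

```python
# Added example: a model of the CheckEventLog filter semantics as Michael explains
# them in this thread. NOT NSClient++ code; field names, event type labels and the
# sample events are constructed assumptions for illustration only.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str
    event_id: int
    event_type: str   # constructed labels: "error", "warning", "information"
    age_days: int     # how long ago the entry was generated


RULE_RE = re.compile(r"^filter([+\-.])(\w+)=(.*)$")


def parse_rule(arg):
    """filter+eventID==27 -> ('+', 'eventID', 'eq', '27');
    filter-generated=>10d -> ('-', 'generated', '>', 10).
    The shell-escaped form generated=\\>10d arrives here with the backslash stripped."""
    m = RULE_RE.match(arg)
    if not m:
        raise ValueError(f"not a filter rule: {arg}")
    mode, field, expr = m.groups()
    if expr.startswith("="):
        return mode, field, "eq", expr[1:]
    if expr.startswith("eq:"):
        return mode, field, "eq", expr[3:]
    if expr.startswith("ne:"):
        return mode, field, "ne", expr[3:]
    if expr[:1] in ("<", ">") and expr.endswith("d"):
        return mode, field, expr[0], int(expr[1:-1])
    raise ValueError(f"unsupported expression: {arg}")


def field_value(ev, field):
    return {"eventID": ev.event_id, "eventType": ev.event_type,
            "eventSource": ev.source, "generated": ev.age_days}[field]


def rule_matches(ev, rule):
    _, field, op, value = rule
    actual = field_value(ev, field)
    if op == "eq":
        return str(actual) == str(value)
    if op == "ne":
        return str(actual) != str(value)
    if op == ">":           # generated=>10d: entry is OLDER than 10 days (assumption)
        return actual > value
    return actual < value   # generated=<18d: entry is YOUNGER than 18 days (assumption)


def keep_entry(ev, mode, rules):
    """Precedence as described in the thread: any '-' match discards, then any '+'
    match keeps, otherwise the '.' rules decide: filter=in keeps on a match,
    filter=out discards on a match."""
    if any(rule_matches(ev, r) for r in rules if r[0] == "-"):
        return False
    if any(rule_matches(ev, r) for r in rules if r[0] == "+"):
        return True
    dot_match = any(rule_matches(ev, r) for r in rules if r[0] == ".")
    return dot_match if mode == "in" else not dot_match


def check_eventlog(events, args):
    """Apply the filter arguments of a CheckEventLog command line.
    file=, MaxWarn=, MaxCrit=, truncate= are accepted but not modelled."""
    mode, rules = "out", []
    for a in args:
        if a.startswith("filter="):
            mode = a.split("=", 1)[1]
        elif a.startswith("filter"):
            rules.append(parse_rule(a))
    return [e for e in events if keep_entry(e, mode, rules)]


def summary(kept):
    """Mimic the check output: sources joined, then the perfdata count."""
    return ", ".join(e.source for e in kept) + f"|'eventlog'={len(kept)}"


# Constructed sample log (not real data): recent KDC errors, one Service Control
# Manager error, one entry older than 10 days, a warning and two informational entries.
EVENTS = [
    Event("KDC", 27, "error", 1), Event("KDC", 27, "error", 2), Event("KDC", 27, "error", 5),
    Event("KDC", 21, "error", 4),
    Event("Service Control Manager", 7034, "error", 3),
    Event("KDC", 27, "error", 12),
    Event("KDC", 27, "warning", 2),
    Event("Service Control Manager", 7036, "information", 1),
    Event("KDC", 27, "information", 1),
]

COMMON = ["file=system", "MaxWarn=1", "MaxCrit=3", "filter.eventID==27",
          "filter.eventID==21", "filter=in", "filter-generated=>10d"]
CMD_1663_IDS = COMMON                                        # Ruddimaster's first command
CMD_1663_ERRORS = COMMON + ["filter+eventType==error"]       # his second: '+' keeps EVERY recent error
CMD_1664 = COMMON + ["filter-eventType==info", "filter-eventType==warning"]
CMD_1665 = ["file=system", "filter=in", "filter-generated=>10d", "filter-eventType=ne:error",
            "filter+eventID==21", "filter+eventID==27"]       # Michael's proposal

if __name__ == "__main__":
    for name, cmd in [("1663 ids", CMD_1663_IDS), ("1663 +error", CMD_1663_ERRORS),
                      ("1664", CMD_1664), ("1665", CMD_1665)]:
        print(f"{name:12} {summary(check_eventlog(EVENTS, cmd))}")
```

Under this model the second #1663 command keeps the Service Control Manager entry because the "+" rule is an OR with the "." rules rather than an AND on top of them, and it also keeps the KDC warning through the "." eventID rule, which is the same mechanism. The #1665 rule set keeps only recent KDC errors because the only things that can survive a "-" discard are entries that are neither old nor non-errors, and the "+" rules then narrow those to IDs 21 and 27.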

  • Message #1720

    Use the new where-filters :P

    Michael Medin
