Event Log Monitoring using nscp-local

radioactive9 · April 29, 2020, 10:51am

Hello

Please help to monitor Windows Event Log using nscp-local in Director

I have created a Service Template for nscp-local

image743×121 2.01 KB
Add the two data fields are added

image722×118 1.96 KB
I created a service using the template

image717×293 7.61 KB

But the service is failing with the following error
No Handler for the command: check_eventlog

Note I have also enabled the check_eventlog in nsclient.ini

Something is not right as the exact Inspect command from icinga won’t run on the server

@anon66228339 You kind attention / direction please - this has blocked 50 + deployment for event log monitoring

anon66228339 · April 30, 2020, 7:26am

On the commandline you use CheckSystem module but you have it disabled in the nsclient.ini

radioactive9 · April 30, 2020, 9:17am

Hello Carsten

I was eagerly waiting for your attention. Thank You for providing the information
I really missed that. Honestly I didn’t know as I am doing nscp-local for the first time. I changed that to enabled

From services.msc
I restarted the nsclient service
I restarted the icinga service
Still the output remains same. So definitely something else is missed

To add : Do we have a better way to monitor Windows Event Log? We have 50+ event IDs waiting to be monitored

anon66228339 · April 30, 2020, 9:28am

Let me check this, i think your command is missing something.

anon66228339 · April 30, 2020, 10:33am

This is the command i created and for me it works so far.

object CheckCommand "nscp-local-eventlog" {
        import "nscp-local"

        arguments += {
                "--filter" = {
                        value = "$nscp_eventlog_filter$"
                }
                "--file" = {
                        value = "$nscp_eventlog_file$"
                }
                "--scan-range" = {
                        value = "$nscp_eventlog_scan_range$"
                }
                "--warning" = {
                        value = "$nscp_eventlog_warning$"
                }
                "--critical" = {
                        value = "$nscp_eventlog_critical$"
                }
                "--unique-index" = {
                        set_if = "$nscp_eventlog_unique_index$"
                }
                "--bookmark" = {
                        value = "$nscp_eventlog_bookmark$"
                }
                "-a" = {
                        value = "$nscp_eventlog_arguments$"
                        repeat_key = true
                }
        }

        vars.nscp_query = "check_eventlog"
        vars.nscp_showall = "$nscp_eventlog_showall$"
        vars.nscp_eventlog_filter = "level in ('warning', 'error', 'critical')"
        vars.nscp_eventlog_warning = "level = 'warning' or problem_count > 0"
        vars.nscp_eventlog_critical = "level in ('error', 'critical')"
        vars.nscp_eventlog_unique_index = true
        vars.nscp_modules = [ "CheckEventlog" ]

}

radioactive9 · April 30, 2020, 1:24pm

Hello Carsten

I am working on it from director perspective

I will post screenshot of the same and then probably I will need a little bit more help to exactly try for our monitoring based on eventID

This is how it looks in the Inspect Screen:
‘C:\Program Files\NSClient++\nscp.exe’ ‘client’ ‘–log’ ‘critical’ ‘–module’ ‘CheckEventlog’ ‘-b’ ‘-q’ ‘check_eventlog’

So looks like it is listing all Critical alerts
Now I need to help to monitor only very specific Event ID on a Specific source

EDIT:

I added the parameter nscp_eventlog_scan_range = -10m thinking that it will clear the alert if there is no error log and the number of error patterns discovered will be less. But it doesn’t look like it has any effect on the alert. Infact what is strange the Inspect command is returning the same command

‘C:\Program Files\NSClient++\nscp.exe’ ‘client’ ‘–log’ ‘critical’ ‘–module’ ‘CheckEventlog’ ‘-b’ ‘-q’ ‘check_eventlog’

EDIT 2:
I made further changes to the service. I have added the filter like below

Now the inspect looks like below

‘C:\Program Files\NSClient++\nscp.exe’ ‘client’ ‘–log’ ‘critical’ ‘–module’ ‘CheckEventlog’ ‘-a’ ‘filter=provider = ‘'’******App’'’ and id = 20 and level=432’ ‘-b’ ‘-q’ ‘check_eventlog’
This is based on the document https://docs.nsclient.org/reference/windows/CheckEventLog/

I use eventcreate to fire a event in logs

eventcreate /ID 20 /L application /T ERROR /SO ******App /D “Test Event Log”

The alert won’t fire - I can see it in the event log

I am really now at my wits end. No clue how to make it work. I really need help as we are trying to establish iCinga The Monitoring Platform and I am really not able to figure this out

EDIT 3
I am very close now The stupid ID filter is suppose to be like below

I have now 3 very pointed questions

How can I use detail-syntax (I want to showcase the event ID in the message) I want to put “detail-syntax=%(source) %(level) ID %(id)”. How do I include it in the nscp-local command ?
I want to filter for all levels if I use error or warning or information
How to include scan-range=-1hr
I tried the scan-range = -1hr
I am getting the below

image810×382 12.4 KB

image761×345 7.43 KB

Inspect looks like below
‘C:\Program Files\NSClient++\nscp.exe’ ‘client’ ‘–log’ ‘critical’ ‘–module’ ‘CheckEventlog’ ‘-a’ ‘filter=provider = ‘'’***App’'’ and id IN (‘'‘20’'’)’ ‘-a’ ‘scan-range=-1hr’ ‘-b’ ‘-q’ ‘check_eventlog’

radioactive9 · May 4, 2020, 9:18am

Because my above post has become very heavy with too many edits - I am writing this fresh below

My current major road block is scan-range

nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog -a “scan-range=-1d”

This should ideally work. But it is not giving error (Invalid command line: unrecognised option ‘-1d’)

anon66228339 · May 4, 2020, 9:44am

Use single quotes to get it working

radioactive9 · May 4, 2020, 10:20am

Sorry where do I use single quotes? I am sorry Carsten my head is not working any more as I am decoding and learning icinga at the same time

scan-range=’-7d’ doesn’t work either

C:\Program Files\NSClient++>nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog -a “scan-range=’-7d’”
Failed to process command : bad lexical cast: source type value could not be interpreted as target|

anon66228339 · May 4, 2020, 10:21am

nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog -a 'scan-range=-1d'

or

nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog --scan-range '-1d'

radioactive9 · May 4, 2020, 10:24am

nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog --scan-range '-1d'
nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog -a 'scan-range=-1d'

C:\Program Files\NSClient++>nscp --version
NSClient++, Version: 0.5.2.39 2018-02-04, Platform: x64

It won’t work am i hitting a bug again

The below works when I mention a positive value. But it won’t take -ve value

nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog -a “scan-range=1d”

anon66228339 · May 4, 2020, 10:47am

This is how i do it with the command i created

'C:\Program Files\ICINGA2\/sbin\nscp\nscp.exe' 'client' '--critical' 'level in ('\''error'\'', '\''critical'\'')' '--filter' 'level in ('\''warning'\'', '\''error'\'', '\''critical'\'')' '--log' 'critical' '--module' 'CheckEventlog' '--scan-range' '-1w' '--unique-index' '--warning' 'level = '\''warning'\'' or problem_count > 0' '-b' '-q' 'check_eventlog'

radioactive9 · May 4, 2020, 11:59am

Thanks Carsten

I think for some reason I was not able to make it work (scan-range) for me will not take -ve value. I have opened a issue https://github.com/mickem/nscp/issues/682

Now this is what I did to solve the typical problem I am facing
‘C:\Program Files\NSClient++\nscp.exe’ ‘client’ ‘–log’ ‘critical’ ‘–module’ ‘CheckEventlog’ ‘-a’ ‘filter=provider = ‘’’****App’’’ and id IN (’’‘20’’’) and written > -1h’ ‘-b’ ‘-q’ ‘check_eventlog’

And it is now working as expected