Event Log Monitoring using nscp-local

Hello

Please help to monitor Windows Event Log using nscp-local in Director

  1. I have created a Service Template for nscp-local

  2. Added the two data fields

  3. I created a service using the template

But the service is failing with the following error
No Handler for the command: check_eventlog

Note I have also enabled the check_eventlog in nsclient.ini

Something is not right as the exact Inspect command from icinga won’t run on the server


@Carsten Your kind attention / direction please - this has blocked 50+ deployments for event log monitoring

On the commandline you use CheckSystem module but you have it disabled in the nsclient.ini :slight_smile:

Hello Carsten

I was eagerly waiting for your attention. Thank You for providing the information
I really missed that. Honestly I didn’t know as I am doing nscp-local for the first time. I changed that to enabled

From services.msc
I restarted the nsclient service
I restarted the icinga service
Still the output remains same. So definitely something else is missed :frowning:

To add : Do we have a better way to monitor Windows Event Log? We have 50+ event IDs waiting to be monitored

Let me check this, I think your command is missing something.

This is the command I created and for me it works so far.

object CheckCommand "nscp-local-eventlog" {
        import "nscp-local"

        arguments += {
                "--filter" = {
                        value = "$nscp_eventlog_filter$"
                }
                "--file" = {
                        value = "$nscp_eventlog_file$"
                }
                "--scan-range" = {
                        value = "$nscp_eventlog_scan_range$"
                }
                "--warning" = {
                        value = "$nscp_eventlog_warning$"
                }
                "--critical" = {
                        value = "$nscp_eventlog_critical$"
                }
                "--unique-index" = {
                        set_if = "$nscp_eventlog_unique_index$"
                }
                "--bookmark" = {
                        value = "$nscp_eventlog_bookmark$"
                }
                "-a" = {
                        value = "$nscp_eventlog_arguments$"
                        repeat_key = true
                }
        }

        vars.nscp_query = "check_eventlog"
        vars.nscp_showall = "$nscp_eventlog_showall$"
        vars.nscp_eventlog_filter = "level in ('warning', 'error', 'critical')"
        vars.nscp_eventlog_warning = "level = 'warning' or problem_count > 0"
        vars.nscp_eventlog_critical = "level in ('error', 'critical')"
        vars.nscp_eventlog_unique_index = true
        vars.nscp_modules = [ "CheckEventlog" ]

}

Hello Carsten

I am working on it from director perspective

I will post screenshot of the same and then probably I will need a little bit more help to exactly try for our monitoring based on eventID

This is how it looks in the Inspect Screen:
'C:\Program Files\NSClient++\nscp.exe' 'client' '--log' 'critical' '--module' 'CheckEventlog' '-b' '-q' 'check_eventlog'


So looks like it is listing all Critical alerts :slight_smile:
Now I need help to monitor only a very specific Event ID on a specific source


EDIT:

I added the parameter nscp_eventlog_scan_range = -10m thinking that it will clear the alert if there is no error log and the number of error patterns discovered will be less. But it doesn’t look like it has any effect on the alert. In fact, what is strange is that the Inspect command is returning the same command


'C:\Program Files\NSClient++\nscp.exe' 'client' '--log' 'critical' '--module' 'CheckEventlog' '-b' '-q' 'check_eventlog'

EDIT 2:
I made further changes to the service. I have added the filter like below

Now the inspect looks like below

'C:\Program Files\NSClient++\nscp.exe' 'client' '--log' 'critical' '--module' 'CheckEventlog' '-a' 'filter=provider = '''******App''' and id = 20 and level=432' '-b' '-q' 'check_eventlog'
This is based on the document https://docs.nsclient.org/reference/windows/CheckEventLog/

I use eventcreate to fire an event in the logs

eventcreate /ID 20 /L application /T ERROR /SO ******App /D "Test Event Log"

The alert won’t fire - I can see it in the event log

I am really now at my wits end. No clue how to make it work. I really need help as we are trying to establish iCinga The Monitoring Platform and I am really not able to figure this out

EDIT 3
I am very close now :slight_smile: The stupid ID filter is supposed to be like below

I have now 3 very pointed questions

  1. How can I use detail-syntax (I want to showcase the event ID in the message) I want to put "detail-syntax=%(source) %(level) ID %(id)". How do I include it in the nscp-local command ?
  2. I want to filter for all levels if I use error or warning or information
  3. How to include scan-range=-1hr
    I tried the scan-range = -1hr
    I am getting the below

Inspect looks like below
'C:\Program Files\NSClient++\nscp.exe' 'client' '--log' 'critical' '--module' 'CheckEventlog' '-a' 'filter=provider = '''***App''' and id IN ('''20''')' '-a' 'scan-range=-1hr' '-b' '-q' 'check_eventlog'

Because my above post has become very heavy with too many edits - I am writing this fresh below

My current major road block is scan-range

nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog -a "scan-range=-1d"

This should ideally work. But it is not giving error (Invalid command line: unrecognised option '-1d')

Use single quotes to get it working

Sorry where do I use single quotes? I am sorry Carsten my head is not working any more as I am decoding and learning icinga at the same time :slight_smile:

scan-range='-7d' doesn’t work either

C:\Program Files\NSClient++>nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog -a "scan-range='-7d'"
Failed to process command : bad lexical cast: source type value could not be interpreted as target|

nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog -a 'scan-range=-1d'

or

nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog --scan-range '-1d'
nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog --scan-range '-1d'
nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog -a 'scan-range=-1d'

C:\Program Files\NSClient++>nscp --version
NSClient++, Version: 0.5.2.39 2018-02-04, Platform: x64

It won’t work :frowning: Am I hitting a bug again?


The below works when I mention a positive value. But it won’t take -ve value

nscp.exe client --log critical --module CheckEventlog -b -q check_eventlog -a "scan-range=1d"

This is how I do it with the command I created

'C:\Program Files\ICINGA2\/sbin\nscp\nscp.exe' 'client' '--critical' 'level in ('\''error'\'', '\''critical'\'')' '--filter' 'level in ('\''warning'\'', '\''error'\'', '\''critical'\'')' '--log' 'critical' '--module' 'CheckEventlog' '--scan-range' '-1w' '--unique-index' '--warning' 'level = '\''warning'\'' or problem_count > 0' '-b' '-q' 'check_eventlog'

Thanks Carsten

I think for some reason I was not able to make it work (scan-range) for me will not take -ve value. I have opened an issue https://github.com/mickem/nscp/issues/682

Now this is what I did to solve the typical problem I am facing
'C:\Program Files\NSClient++\nscp.exe' 'client' '--log' 'critical' '--module' 'CheckEventlog' '-a' 'filter=provider = '''****App''' and id IN ('''20''') and written > -1h' '-b' '-q' 'check_eventlog'

And it is now working as expected

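Added example, not part of the thread and not NSClient++ or Icinga code: a small Python generator for the `-a` arguments of the filter that finally worked (`provider = ... and id IN (...) and written > -1h`), useful when 50+ event IDs have to be turned into services. The function names, the provider allow-list, the accepted time units and the sample provider `ExampleApp` are assumptions of this example; the `detail-syntax` string is the one asked about in EDIT 3.

```python
import re

# Look-back windows in the form used in this thread (-10m, -1h, -1d, -1w).
# Accepting "s" as a unit is an assumption of this example.
WINDOW = re.compile(r"-\d+[smhdw]")
# Allow-list for provider names: no quote characters, so a name cannot close
# the quoted string and append its own conditions to the filter.
PROVIDER = re.compile(r"[A-Za-z0-9 ._-]+")


def eventlog_arguments(provider, event_ids, window="-1h", detail_syntax=None):
    """Build the key=value strings passed to check_eventlog with -a."""
    if not PROVIDER.fullmatch(provider):
        raise ValueError(f"unsafe provider name: {provider!r}")
    if not WINDOW.fullmatch(window):
        raise ValueError(f"bad look-back window: {window!r}")
    ids = sorted({int(i) for i in event_ids})
    if not ids or ids[0] < 0 or ids[-1] > 65535:
        raise ValueError("event IDs must be integers in 0..65535")
    id_list = ", ".join(f"'{i}'" for i in ids)
    # The time window goes into the filter as "written > -1h", the form
    # that worked in the thread, instead of a separate scan-range argument.
    args = [f"filter=provider = '{provider}' and id IN ({id_list}) "
            f"and written > {window}"]
    if detail_syntax:
        args.append(f"detail-syntax={detail_syntax}")
    return args


def nscp_argv(arguments, nscp=r"C:\Program Files\NSClient++\nscp.exe"):
    """Lay the arguments out in the order the Inspect screen shows."""
    argv = [nscp, "client", "--log", "critical", "--module", "CheckEventlog"]
    for item in arguments:
        argv += ["-a", item]
    return argv + ["-b", "-q", "check_eventlog"]


if __name__ == "__main__":
    # Constructed sample: "ExampleApp" stands in for the masked provider name.
    for part in nscp_argv(eventlog_arguments(
            "ExampleApp", [20, 21], "-1h", "%(source) %(level) ID %(id)")):
        print(part)
```

Each string returned by `eventlog_arguments` is one entry for the `-a` argument of the service, so the quoting is left to Icinga as in the Inspect output above.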