I’m using Invoke-IcingaCheckEventlog to check some authorization events. One of these, EventID 4776 sometimes includes “Error Code: 0x0” (there’s a tab after the colon). The 0x0 indicates “no error”. I’m trying to exclude it from being counted among the results but I’m not able to capture it.
The check command returns this line all munged together:
Event Message: The computer attempted to validate the credentials for an account.Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account: usernameSource Workstation: WORKSTATIONError Code: 0x0
The server’s Icinga config file includes this check command which runs successfully in every other way, except for the ExcludeMessage stanza.
object Service "Check Windows Event Logs 4776" {
  host_name = "AD-SERVER-NAME"
  check_command = "Invoke-IcingaCheckEventlog"
  vars.IcingaCheckEventlog_Array_IncludeEventId = [ "4776" ]
  vars.IcingaCheckEventlog_Array_ExcludeMessage = [ "Error Code: 0x0" ]
  vars.IcingaCheckEventlog_String_LogName = "Security"
  vars.IcingaCheckEventlog_Object_Warning = "5"
  vars.IcingaCheckEventlog_Object_Critical = "15"
  vars.IcingaCheckEventlog_Int32_Verbosity = "2"
  vars.IcingaCheckEventlog_Object_After = "10m"
}
I’ve tried with space and tab characters between the “:” and “0x0”, and neither matched it, as it is still flagged and reported by the check command. Am I using the wrong argument for this command? Is there a way to use regex to better catch this output?
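One way to pin down why the pattern misses is to test candidate patterns against the raw 4776 message text on the domain controller before putting them into the Icinga config. The PowerShell below is an added example, not code from the original post or from the Icinga for Windows project; it assumes only that the exclusion is compared against the event's message text, and the sample message is constructed to mirror the real layout (a tab after each field label, including "Error Code:").

```powershell
# Added example (not from the original post or the Icinga for Windows plugin):
# compare wildcard and regex patterns against a 4776-style message so the tab
# after "Error Code:" is accounted for before the pattern goes into the config.

# Constructed sample message; the real event text uses a tab after each label.
$sampleMessage = "The computer attempted to validate the credentials for an account.`r`n" +
    "Authentication Package:`tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0`r`n" +
    "Logon Account:`tusername`r`n" +
    "Source Workstation:`tWORKSTATION`r`n" +
    "Error Code:`t0x0"

function Test-WildcardPattern {
    # PowerShell -like: '*' and '?' are wildcards, a space only matches a space.
    param([string]$Message, [string]$Pattern)
    [pscustomobject]@{ Kind = 'wildcard'; Pattern = $Pattern; Matches = ($Message -like $Pattern) }
}

function Test-RegexPattern {
    # PowerShell -match: .NET regex, case-insensitive by default; \s covers spaces and tabs.
    param([string]$Message, [string]$Pattern)
    [pscustomobject]@{ Kind = 'regex'; Pattern = $Pattern; Matches = ($Message -match $Pattern) }
}

# Wildcard form: a literal space fails against the tab, an embedded tab (`t) succeeds.
'*Error Code: 0x0*', "*Error Code:`t0x0*" |
    ForEach-Object { Test-WildcardPattern -Message $sampleMessage -Pattern $_ }

# Regex form: \s+ matches whatever whitespace separates the label from the value.
'Error Code: 0x0', 'Error Code:\s+0x0', 'Error Code:\s+0x0$' |
    ForEach-Object { Test-RegexPattern -Message $sampleMessage -Pattern $_ }

# Same check against live events (run in an elevated session on the DC) to confirm
# that only the "no error" entries match before excluding them in the monitoring config:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776 } -MaxEvents 50 |
#     Where-Object { $_.Message -match 'Error Code:\s+0x0$' } |
#     Select-Object TimeCreated, Message
```

Running the script prints one row per pattern with a Matches column; the rows show that '*Error Code: 0x0*' (space) and 'Error Code: 0x0' do not match the constructed message, while the tab-aware wildcard and the `\s+` regex forms do. Whichever form the plugin's ExcludeMessage option turns out to use, the pattern that matches here against the live event text is the one to carry into the Icinga 2 service definition (in an Icinga 2 double-quoted string a literal tab can be written as `\t`, which is worth verifying against your Icinga 2 version's documentation).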