Hi Icinga Team and community!
I’m a relatively new Icinga admin, so bear with me.
I’ve been tasked with setting up an alert that looks at the Windows applications event logs for event id 1977. That’s simple enough, and my check works. However, this event ID is somewhat generic for the application, and the event the user really wants to check for has the text “BuildProcedurePickerTree” somewhere in the event’s message field. If I add that string (either with or without *'s around it) in -includemessage, I then get no results back at all, even though I know they exist within the results I was getting before.
I have tried disabling the time cache, but that doesn’t seem to make a difference. I’m assuming the -includemessage switch is used to parse through an event’s message text, but maybe that’s not the case? I tried running the commandlet locally, but I’m getting the same results. Below are my service definition, and some examples of what I’m referring to.
zones.d/ca-satellite/services.conf
object Service "Check Windows Event Logs" {
    host_name = "XXXX"
    import "Check Windows Event Logs"
    vars.IcingaCheckEventlog_Array_IncludeEventId = [ "1977" ]
    vars.IcingaCheckEventlog_Array_IncludeMessage = [ "BuildProcedurePickerTree" ]
    vars.IcingaCheckEventlog_Int32_Verbosity = "2"
    vars.IcingaCheckEventlog_String_LogName = "Application"
    vars.IcingaCheckEventlog_Switchparameter_DisableTimeCache = true
}

Invoke-IcingaCheckEventlog -logname application -IncludeEventId 1977 -Verbosity 2 -DisableTimeCache -includemessage "*BuildProcedurePickerTree*"
[OK] EventLog: 1 Ok
\_ [OK] No EventLogs found: 0c
0

Invoke-IcingaCheckEventlog -logname application -IncludeEventId 1977 -Verbosity 2 -DisableTimeCache
[OK] EventLog: 1 Ok
\_ [OK] Between: [2/8/2024 2:13:48 PM] - [2/8/2024 4:12:39 PM] there occurred 296 event(s).
\_ [OK] Event Message: 02/09/2024 00:12:39.994 Error Message: 4.24.570.0 User ID:....
at CommonLib.ProcedurePickerHelper.BuildProcedurePickerTree(String aPracticeCode, String wProcedureCodeSearchString, Boolean ....