Monitor specific EventID with Invoke-IcingaCheckEventlog

Service Monitoring
1

Hi Community!

Im trying to monitor a specific event with the icinga-for-windows PowerShell-Framework. The command im trying to use is Invoke-IcingaCheckEventlog but i cant’t get it to work propertly
The Event is Microsoft-Windows-SMBServer/Audit with ID 3000 (SMB1 access)

This is the command im using

Invoke-IcingaCheckEventlog -LogName "Microsoft-Windows-SMBServer\Audit" -IncludeEntryType Information -Verbosity 2

I tried severel different arguments (-before, -after, - IncludeEventID, etc.) without any success - it always finds 0 entries. Trying it without the -LogName argument also fails despite it schouldn’t be mandatory

grafik
grafik862×66 7.68 KB

In the Windows Eventlog there are plenty of entries:

grafik
grafik1166×843 47.1 KB

Does anyone know what i am doing wrong?

2

Can you please try to run the Plugin with -DisableTimeCache in Addition and check, if this changes the output?

Please try also to change the log name and replace \ with /, as inside the Screenshot the name is different.

3

Hi,
thanks for your suggestions but sadly they didn’t help.
The output with -DisableTimecache stays the same and changing the \ to / results in the plugin not finding the Eventlog at all - see screenshot below:

grafik
grafik1135×174 28 KB

Do i have to escape the / or \ in any way so it gets interpreted correctly?

When using the Get-WinEvent native command it works correctly (with the /)

grafik
grafik821×326 50.6 KB

What i forgot to mention in my original post:
Icinga Framework Version is 1.4.1
OS ist Windows Server 2019 Standard (English language)

Anything else i can try? It seems like all events that are in “subfolders” are not working properply

4

Ah, that is the reason why it is not working. We use Get-WinEvent starting with Plugins v1.5.0.
Iassume this is the reason why this does not work. Would it be possible to update to 1.5.2 / 1.5.1 and check if this behavior is fixed?

2 Likes
5

That’s it! I updated my Framework and Plugins to 1.5.x and it’s working as it should:

grafik
grafik1105×227 23.3 KB

Sometimes it’s just the simple things - like updating your software :slight_smile:

Thanks a lot for your help - have a nice weekend!

2 Likes