PowerShell Framework: Windows EventLog Monitoring

Hello

Trying to get my hands dirty after @cstein pushed me to the PowerShell framework
:skull_and_crossbones:, telling me this is the way to move forward.

I generated an event with ID 3201.

My single service looks like below:

apply Service "XXX-P_MS_P_EvtLogID3201" {
    import "XXX-tmplService-MS-PS_EventLog"
    assign where "XXX-tmplHost-MS" in host.templates
    vars.IcingaCheckEventlog_Array_IncludeEventId = [ "3201" ]
    vars.IcingaCheckEventlog_Object_Warning = "1"
    vars.IcingaCheckEventlog_String_LogName = "Application"
    import DirectorOverrideTemplate
}

My service template looks like below:

template Service "XXX-tmplService-MS-PS_EventLog" {
    import "XXX-tmplService-Default"

    check_command = "Invoke-IcingaCheckEventlog"
    check_interval = 15m
    command_endpoint = host_name
    vars.IcingaCheckEventlog_Int32_Verbosity = "3"
}

Then I generated an event like below on the server:

$evt = new-object System.Diagnostics.EventLog("Application")
$evt.Source = "MyEvent"
$infoevent = [System.Diagnostics.EventLogEntryType]::Information
$evt.WriteEntry("My Test Event",$infoevent,3201)

I see the event in the event log, but I do not see my alert firing :frowning: What did I do wrong?
I think I am confused by the critical and warning thresholds, but I am not able to understand them very clearly. Is it like a count?

The documentation of the plugin says that the warning and critical thresholds are the number of events above which the check exits with a warning or critical.

Have you tried checking for any other events to see if the check basically works?
Or try adding the IncludeEntryType option?

Haven’t used the check myself yet, so I can just do fingerpointing :wink:

Exactly so. My requirement is that if I see the event ID 3201 even one time, or more than one time, I should be alerted with a warning.

I was following the document -> https://icinga.com/docs/windows/latest/mssql/doc/10-Icinga-Plugins/

I changed it to the following

apply Service "XXX-P_MS_P_EvtLogID3201" {
    import "XXX-tmplService-MS-PS_EventLog"


    assign where "XXX-tmplHost-MS" in host.templates
    vars.IcingaCheckEventlog_Array_IncludeEventId = [ "3201" ]
    vars.IcingaCheckEventlog_Object_Warning = "~:1"
    vars.IcingaCheckEventlog_String_LogName = "Application"
    vars.IcingaCheckEventlog_Switchparameter_DisableTimeCache = true

    import DirectorOverrideTemplate
}

Also, I disabled the time cache (set to true) so that it looks at historical events.

I am getting the below

But it should be Warning instead of OK. Also, strangely, and very strangely, the plugin does not have information on the message, and it is very critical in log monitoring to publish the source and the message. Is this normal, or am I doing something really silly?

EDIT:

Yes, I was being silly. To raise an alert we need to be more than 0.

But no message :frowning: Bad Mojo Bad Mojo - we need the event log message as well.

1 Like
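
Why a warning threshold of "1" or "~:1" stays OK for a single event while "0" alerts, as an added example that is not part of the original posts or of the Icinga plugins. It sketches the standard Monitoring Plugins threshold range notation, on the assumption that the plugin evaluates its Warning value that way; `Test-ThresholdExceeded` is a hypothetical helper name, and the function goes beyond the thread by also covering the `N:`, `N:M` and `@` forms.

```powershell
# Hypothetical helper (not part of the Icinga PowerShell Framework).
# Returns $true when $Value violates a threshold written in the
# Monitoring Plugins range notation: [@]start:end
function Test-ThresholdExceeded {
    param(
        [Parameter(Mandatory)] [double] $Value,
        [Parameter(Mandatory)] [string] $Threshold
    )

    $spec   = $Threshold.Trim()
    $inside = $spec.StartsWith('@')   # '@' inverts: alert when INSIDE the range
    if ($inside) { $spec = $spec.Substring(1) }

    # A bare number "N" means the accepted range is 0..N
    $low  = 0.0
    $high = [double]::PositiveInfinity
    $inv  = [cultureinfo]::InvariantCulture

    if ($spec.Contains(':')) {
        $parts = $spec -split ':', 2
        if ($parts[0] -eq '~')    { $low  = [double]::NegativeInfinity }
        elseif ($parts[0] -ne '') { $low  = [double]::Parse($parts[0], $inv) }
        if ($parts[1] -ne '')     { $high = [double]::Parse($parts[1], $inv) }
    } else {
        $high = [double]::Parse($spec, $inv)
    }

    if ($low -gt $high) {
        throw "Invalid threshold '$Threshold': start is greater than end"
    }

    # Both range boundaries count as inside the accepted range
    $inRange = ($Value -ge $low) -and ($Value -le $high)
    if ($inside) { return $inRange }
    return (-not $inRange)
}

# Constructed scenario: event ID 3201 was found $count times in the log,
# evaluated against the three Warning values tried in the thread.
foreach ($count in 0, 1, 2) {
    foreach ($warning in '1', '~:1', '0') {
        $hit   = Test-ThresholdExceeded -Value $count -Threshold $warning
        $state = if ($hit) { 'WARNING' } else { 'OK' }
        '{0} event(s), Warning = {1,-6} -> {2}' -f $count, "'$warning'", $state
    }
}
```

With one matching event, "1" and "~:1" both accept the value 1 as inside the range, so only "0" turns the state to WARNING.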

That would have been my next suggestion :smiley:

Maybe create a feature request for the plugin to add this functionality.
Or think about implementing something like Graylog for log management?

Thanks

Created a new enhancement request.

But the major problem is different - why on earth is it raising a soft state? My service template only has check_interval = 15m, not even a sampling interval.



I would suggest you open another thread for this, as it is a different problem which (most likely) has nothing to do with the PowerShell plugins :slight_smile: