Windows Event Log Monitoring

Hi Everyone

We have a check in place on an old Icinga1 server, using NSClient, that we are attempting to migrate over to Icinga2. This check monitors the windows event log for a specific pattern and flags when the criteria is met. This is how it looks on the command line:

./check_nrpe -2 -n -H HOSTNAME -t 60 -c checkeventlog -a file="application" MaxWarn=1 MaxCrit=1 "filter=generated > -10m AND id=17061" truncate=800 descriptions unique "syntax=%message%"
OK: No entries found|'count'=0;1;1

So as you can see we have the check passing correctly from the command line. However I am struggling to configure this correctly within the Icinga2 config. Please could I have some assistance regarding how the check / service command should look?

Appreciate more information may be needed so please just let me know what I should provide to get this in place.

Many Thanks.

You can use the nscp_api check command to run the same commands in Icinga2 as in Icinga1.


Hi Alex

Thank you for the information. I’ve got the service config in place and the syntax is passing in Icinga correctly but I’m not quite there yet with the arguments:

apply Service "Windows: Event Logs" {
  import "generic-service"
  check_command = "nscp_api"
  command_endpoint = host.vars.client_endpoint

  vars.nscp_api_host = "localhost"
  vars.nscp_api_password = host.vars.nscp_api_password //will be hidden...
  vars.nscp_api_query = "checkeventlog"
  vars.nscp_api_arguments = ["file=application", "MaxWarn=1", "MaxCrit=1", "filter='generated > -10m AND id=123'", "unique=1", "syntax=%message%"]

  assign where host.vars.dbeventchecks == "true"

I’ve tested the filter after pushing events into the correct windows log (ID 123 to the application log) but it doesn’t seem to work. I’m attempting to alert only for events within the previous 10 minutes on ID123, does that syntax look correct?

The nscp_api check command done the trick and I managed to get the key pairs correct on the arguments, thanks for your assistance Alex, greatly appreciated.

Glad you got it resolved. I experienced problems using the time filter (-10m) in my checks. The only way I could get the filter to work correctly is by using the default time (24h) filter. Is your time filter working correctly? If so, how did you get it working right?


Hi Alex

The following works fine for me and we’re using the legacy checkeventlog (not check_eventlog):

vars.nscp_api_query = "checkeventlog"
vars.nscp_api_arguments = ["file=application", "MaxWarn=1", "MaxCrit=1", "filter=generated > -10m AND id=17061", "unique=1", "syntax=%message%"]

So this only monitors the previous 10 minutes of the event log and after the 10 minutes are past the icinga alert will recover and this is the behaviour we need. I was experimenting with the newer ‘check_eventlog’ but couldn’t get it to work correctly.

Hope this helps.