We have a check in place on an old Icinga1 server, using NSClient, that we are attempting to migrate over to Icinga2. This check monitors the Windows event log for a specific pattern and flags when the criteria are met. This is how it looks on the command line:
./check_nrpe -2 -n -H HOSTNAME -t 60 -c checkeventlog -a file="application" MaxWarn=1 MaxCrit=1 "filter=generated > -10m AND id=17061" truncate=800 descriptions unique "syntax=%message%"
OK: No entries found|'count'=0;1;1
So as you can see, we have the check passing correctly from the command line. However, I am struggling to configure this correctly within the Icinga2 config. Please could I have some assistance regarding how the check / service command should look?
Appreciate more information may be needed so please just let me know what I should provide to get this in place.
Thank you for the information. I’ve got the service config in place and the syntax is passing in Icinga correctly but I’m not quite there yet with the arguments:
I’ve tested the filter after pushing events into the correct Windows log (ID 123 to the application log) but it doesn’t seem to work. I’m attempting to alert only for events within the previous 10 minutes on ID 123. Does that syntax look correct?
The nscp_api check command did the trick and I managed to get the key pairs correct on the arguments. Thanks for your assistance, Alex, greatly appreciated.
Glad you got it resolved. I experienced problems using the time filter (-10m) in my checks. The only way I could get the filter to work correctly is by using the default time (24h) filter. Is your time filter working correctly? If so, how did you get it working right?
So this only monitors the previous 10 minutes of the event log, and after the 10 minutes have passed the Icinga alert will recover, which is the behaviour we need. I was experimenting with the newer ‘check_eventlog’ but couldn’t get it to work correctly.