Windows Eventlog

Hi everyone.

I’m completely new to Icinga and monitoring.
I got it set up, installed Icinga Director and was also able to monitor a single server on a Windows client which has the icinga2 agent installed.

Now I wanted to monitor the eventlog but couldn’t find a command within Icinga Director.
How is that done?
I’ve already looked at but couldn’t find something.

Another question is how to realise the following:
We have a backup battery connected via USB to the server.
There is an event if the main power is lost and a second event if it’s restored (and a third if the server is shutting down).
Is it possible to clear the warning if the second event happens,
and only send a message if the third event occurs?


I additionally installed the nscp+ agent on the Windows machine. It has a check_eventlog command which is working if the module checkeventlog is loaded. But I have no idea how to write a template command with this information. I just want to check for specific IDs and Providers.
Can someone help me or give me an example so that I have a starting point?

nscp is the way to go for this. I don’t think there is a premade one for the eventlog check. But you can probably write your own by copying from the existing definitions in command-nscp-local.conf (/share/icinga2/include).

About your second question. Yes, that is very much possible with some icinga config tricks but you first need a working check.

Something like this should work with the default nscp ITL CheckCommand. The further commands inside the ITL always use this as a basis. I haven’t tested it though, just copied some sample calls from a Google search.

apply Service "eventlog" {
  check_command = "nscp-local"

  command_endpoint = host.vars.client_endpoint

  vars.nscp_modules = [ "CheckEventLog" ] //explicitly load this module, afaik this is not enabled by default
  vars.nscp_query = "check_eventlog"

  vars.nscp_arguments = [ "file=Application", "MaxWarn=1", "MaxCrit=2", "filter=id=36887", "scan-range=-7d", "unique", "syntax=ID: %id%, Source: %source%, File: %file%" ]

  assign where host.vars.os == "Windows" && host.vars.client_endpoint
}

The specific arguments and syntax need to be determined from the NSClient++ docs.



Thanks for answering. Meanwhile I came up with another solution which is even a bit more flexible, I think.
You can find a German description here:

This allows checking anything that can be done with PowerShell, without the need for nscp.
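Added example, not part of any post in this thread or of the linked description: a PowerShell check plugin for the UPS scenario from the first post, where the newest of the three events decides the state (power restored clears the warning, shutdown is critical). The provider name and the three event IDs are placeholders to be replaced with the values shown in Event Viewer; the parameter names are hypothetical.

```powershell
# check_ups_events.ps1 - added example; provider name and event IDs are placeholders
param(
    [string]$LogName      = 'Application',
    [string]$ProviderName = 'EXAMPLE-UPS-PROVIDER',  # placeholder: provider of the UPS software
    [int]$PowerLostId     = 1001,                    # placeholder ID: main power lost
    [int]$PowerRestoredId = 1002,                    # placeholder ID: main power restored
    [int]$ShutdownId      = 1003,                    # placeholder ID: server shutting down
    [int]$LookbackHours   = 24
)

# Server-side filter: only the three IDs from this provider inside the lookback window
$filter = @{
    LogName      = $LogName
    ProviderName = $ProviderName
    Id           = $PowerLostId, $PowerRestoredId, $ShutdownId
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}

try {
    # Get-WinEvent returns newest first, so -MaxEvents 1 is the latest matching event
    $last = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction Stop
}
catch {
    # "No events found" is reported as an error; treat it as the healthy case
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        Write-Output "OK - no UPS events from $ProviderName in the last $LookbackHours h"
        exit 0
    }
    # Anything else (missing log, access denied) must not look like OK
    Write-Output "UNKNOWN - cannot query log '$LogName': $($_.Exception.Message)"
    exit 3
}

# Plugin exit codes: 0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN
$when = $last.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
switch ($last.Id) {
    $PowerRestoredId { Write-Output "OK - main power restored at $when"; exit 0 }
    $PowerLostId     { Write-Output "WARNING - running on battery since $when"; exit 1 }
    $ShutdownId      { Write-Output "CRITICAL - UPS shutdown event logged at $when"; exit 2 }
}
Write-Output "UNKNOWN - unexpected event ID $($last.Id)"
exit 3
```

To send a message only for the third event, restrict the notification object to `states = [ Critical ]`. A shutdown event stays CRITICAL until a newer restore event is logged or it ages out of the lookback window.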


Hi Michael,

We are getting the below error in Icinga for this ‘eventlog’ service.

scp.exe) failed: No such file or directory

Please let me know any modification needed or any package installation needed for this.


See here for troubleshooting this error.

Thanks for the update.

Where do I need to correct NscpPath?

I am using an NSCP (NSClient) setup on the client side instead of the Icinga client.

I think your checks are executed on the master, and not the agent. Likely you are missing the command_endpoint configuration steps for executing the check on the agent itself.