Windows Log Monitoring - Icinga2

Hi Team,

I would like to monitor Windows log files with Icinga2… What would be best practices to monitor Windows log files & event logs…

I am looking at possible ways for this… I see there are a few plugins to check Logstash or Graylog…

Do we really need another log monitoring solution (Graylog or ELK stack) to integrate with Icinga2, or is it not possible that Icinga2 itself can monitor the logs, so that we can see them on the Icinga2 UI?

Correct me if I am wrong. Any advice would be appreciated.

Thanks

IMHO, monitoring and logging are two different subjects.
For logging I would always go for the ELK stack.

You can always use a check which goes through the log files and searches for states, messages or event IDs in a certain time range or only in new events.

An example of a simple check for an event ID:

# check_Event - V0.82
# Example: .\check_Event.ps1 -id 5586 -channel Application -minutes 30 -message "String"
# id = EventID (required)
# channel = Event channel (e.g. System, Application etc.), optional (searching all channels can be quite slow)
# minutes = how many minutes the check should go back in time to look for the event (default is 60 minutes)
# message = string (regular expression) to search for in the event message (optional)
# shortoutput = switch, omit the event message text from the plugin output (optional)
# Exit codes follow the plugin convention: 0 = OK, 1 = WARNING, 3 = UNKNOWN

Param(
    [string]$channel,
    [string]$id,
    [string]$minutes,
    [string]$message,
    [switch]$shortoutput
)

$lognames = $channel

# reset variables
$eventcount = 0
$msgs = @()

# get now
$startdate = Get-Date

# set default values and validate the arguments
if (-not $minutes) { $minutes = "60" }
if (-not $id) {
    Write-Host "UNKNOWN: no EventID given!"
    exit 3
}
if (-not $channel) {
    # no channel given: search every event log on the system
    $lognames = Get-WinEvent -ListLog *
} else {
    try {
        $lognames = Get-WinEvent -ListLog $channel -ErrorAction Stop
    } catch {
        Write-Host "UNKNOWN: Channel `"$channel`" not found !"
        exit 3
    }
}

# get timeframe: only events newer than this timestamp are considered
$lasttimestamp = $startdate - (New-TimeSpan -Minutes $minutes)

# levels 1, 2, 3 = Critical, Error, Warning
foreach ($level in @(1, 2, 3)) {
    foreach ($log in $lognames) {
        # read the event log(s); "no events found" is reported as an error by Get-WinEvent, so it is silenced here
        $events = Get-WinEvent -FilterHashtable @{
                LogName = $log.LogName; Level = $level; Id = $id; StartTime = $lasttimestamp } `
            -MaxEvents 30000 -ErrorAction SilentlyContinue
        if ($message) {
            # optional filter on the event message text
            $events = $events | Where-Object { $_.Message -match $message }
        }
        $eventcount += ($events | Measure-Object).Count

        # build one output line per matching event (the loop body is skipped when there are no events)
        foreach ($event in $events) {
            if ($shortoutput) {
                $msg = ""
            } else {
                $msg = $event.Message
            }
            $logname = $event.LogName
            if ($logname) { $logname = $logname -ireplace "Microsoft-Windows-", "" }
            $provname = $event.ProviderName
            if ($provname) { $provname = $provname -ireplace "Microsoft-Windows-", "" }
            # drop the log name when the provider name already contains it
            if ($logname -and $logname.Contains($provname)) { $logname = "" }
            if (($provname -eq $logname) -or ($logname -eq "")) {
                $msg = ($provname + " - " + $msg + "(" + $event.Id + ") *")
            } else {
                $msg = ($logname + "/" + $provname + " - " + $msg + "(" + $event.Id + ") *")
            }
            if ($msg -ne "") { $msgs += $msg }
        }
    }
}

if ($eventcount -gt 0) {
    Write-Host "WARNING - Event $id was thrown $($msgs.Count)x in the last $minutes minutes! "
    # unique message lines, followed by the performance data
    Write-Host (($msgs | Select-Object -Unique) + "| Events=$($msgs.Count)")
    exit 1
} else {
    Write-Host "OK - Event $id is not reported"
    Write-Host "| Events=$($msgs.Count)"
    exit 0
}
# exit UNKNOWN (not reached)
exit 3
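To wire a script like this into Icinga2, a CheckCommand maps the script's parameters to custom variables and an apply rule creates one service per event ID. This is an added example, not part of the answer above; the script location under C:\ProgramData\icinga2, the host variables `windows_events`, `os` and `client_endpoint`, and the 30 minute check interval are assumptions.

```icinga2
/* Assumed: the script is deployed on the Windows agent as C:\ProgramData\icinga2\check_Event.ps1 */
object CheckCommand "check-event" {
  command = [ "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ]
  arguments = {
    /* negative order keeps the interpreter options in front of the script arguments */
    "-NoProfile" = { order = -3, set_if = true }
    "-ExecutionPolicy" = { value = "Bypass", order = -2 }
    "-File" = { value = "C:\\ProgramData\\icinga2\\check_Event.ps1", order = -1 }
    "-id" = { value = "$event_id$", required = true }
    "-channel" = { value = "$event_channel$" }
    "-minutes" = { value = "$event_minutes$" }
    "-message" = { value = "$event_message$" }
  }
  /* look back 60 minutes by default; must be >= the check interval so no event falls between two runs */
  vars.event_minutes = 60
}

/* One service per event ID listed on the host (assumed host variable), e.g.:
   vars.windows_events["5586"] = { event_channel = "Application", event_message = "String" } */
apply Service "event-" for (event_id => config in host.vars.windows_events) {
  import "generic-service"
  check_command = "check-event"
  /* run the check on the agent itself, not on the master */
  command_endpoint = host.vars.client_endpoint
  check_interval = 30m
  vars += config
  vars.event_id = event_id
  assign where host.vars.os == "Windows" && host.vars.windows_events
}
```

The script's exit codes map directly to Icinga states (1 = WARNING, 3 = UNKNOWN), and the `Events=` performance data after the `|` is picked up by the UI's perfdata graphs.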