Saturday, August 21, 2010

Check Windows Event Logs with Nagios

Although NSClient++ is very well documented, I had a little trouble actually getting NRPE working with the Windows Event Log. There are two ways that I use Nagios to monitor Windows Event Logs:
  1. Scanning for problems, say in the System Log
  2. Scanning for something that should be happening, such as NTBackup running successfully
Initial setup required for either scenario:
  • Nagios with working NRPE on the Windows host (I use and will describe NSClient++)
  • Uncomment the CheckEventLog.dll entry in the NSC.ini file

Once the NSC.ini file is set up on Windows, you can enter the checks below into your Nagios commands.cfg file and call them as needed.

#Check the Windows System Log for Errors in the last hour
define command{
        command_name    check_eventvwr_sys_errors
        command_line    $USER1$/check_nrpe -H $HOSTNAME$ -p 5666 -c CheckEventLog -a filter=new file="system" MaxWarn=1 MaxCrit=1 filter-generated=\<1h filter-eventType==error filter=in filter=all
        }

#Check for NTBackup Running within the last day
#Event ID 8001 is "end of backup"
define command{
        command_name    check_exchange_backups
        command_line    $USER1$/check_nrpe -H $HOSTNAME$ -p 5666 -c CheckEventLog -a filter=new file=application MinWarn=0 MinCrit=0 filter-generated=\>1d filter+eventID=="8001" filter+eventType==info filter=out filter=all
        }
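The commands above are called from service definitions, one per monitored Windows host. The following service objects are an added example and not part of the original post; the host name winserver01 and the generic-service template are assumed to exist in your Nagios configuration.

```cfg
# Added example: service definitions that call the two commands above.
# Assumes a host object named winserver01 and the stock generic-service
# template from the Nagios sample configuration.

define service{
        use                     generic-service
        host_name               winserver01
        service_description     System Log Errors
        check_command           check_eventvwr_sys_errors
        # The command only looks back one hour (filter-generated=\<1h),
        # so the service must be checked at least hourly or an error
        # can fall between two checks. Intervals are in time units,
        # which are minutes by default.
        check_interval          30
        retry_interval          10
        max_check_attempts      2
        }

define service{
        use                     generic-service
        host_name               winserver01
        service_description     NTBackup Completed
        check_command           check_exchange_backups
        # Looks back one day for event ID 8001; the thresholds in the
        # command are meant to alert when the end-of-backup event is
        # absent, so a check every four hours is sufficient.
        check_interval          240
        retry_interval          60
        max_check_attempts      3
        }
```

Keep each service's check_interval shorter than the time window in its filter-generated argument, otherwise events can be missed.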

This is yet another example of just how powerful Nagios can be for an organization. With this in place, administrators can feel confident that their Windows servers are healthy from a system standpoint.


prettyby7 said...

Thanks!! Helped form the basis for what I needed to tweak for my own environment (system and application monitoring last hr). Couldn't have gotten it without this! :--)

Kola Richardson said...

Very useful - thanks! Can you give an example of how to "call it" in a "*".cfg file please? Thanks in advance.

Kola Richardson said...

Thanks a lot for posting this! Can you give an example of how to call this from a .cfg file please?

Mark said...

I know I'm commenting well past the post date but I could also use a "call" example if possible.