From: Prigge S. <Pri...@Jo...> - 2004-12-09 13:48:58
Hi Rusty.

One thing I see that's going to cause you problems down the line is the value for max_check_attempts. It should be set to 1, as I've made this mistake myself. In fact, the help text for the plugin actually attempts to address this fact: "The nagios service that uses this plugin should be configured to send notifications on the first error state, because the Agent will not return the same Error more than one time."

Here's the way I would explain it. The plugin only "looks" for matching events that have occurred since the last service check. For example, if a matching event occurs but your max_check_attempts value is set to 4, then Nagios will attempt to check the service 3 more times before it sets the service into a Critical or Warning state (depending on how your service check is defined). But if no matching events occur between check number 1 and check number 2, then the plugin returns an OK status and the service check is no longer in a Warning or Critical state. Leaving the MAX_CHECK_ATTEMPTS value set to 1 ensures Nagios sends out a notification on the first matching event.

Now to address your question directly...here is an event log check that I currently use. The command is:

.../check_win_eventlog -H $HOSTADDRESS$ -s $HOSTADDRESS$ -l System -i .*:+4003 -t .*:+2 -q .*:+"LPDSVC" -m .*:+"A request from client was refused because system is out of resources."

I'll list the pertinent components:

-l System: Name of the log. It is typically Application, System, Security. However (I think) it can take the value of any subkey of HKLM\System\CurrentControlSet\System\EventLog.

-i .*:+4003: Means "don't match any event, then match only events whose "Event ID" is 4003".

-t .*:+2: Means "don't match any event, then only match events whose "Event Type" is 2". Event types are 1=Error, 2=Warning, 4=Information, 8=Success, 16=Failure.

-q .*:+"LPDSVC": Means "don't match any event, then only match events whose event "Source" is "LPDSVC"".

-m .*:+"A request from client was refused because system is out of resources.": This means "don't match any event, then only match events whose event "Description" contains the string "A request from client was refused because system is out of resources."".

Hopefully that should give you enough to go on.
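
The retry behaviour described in the message above, as an added example that is not part of the original post or of the plugin: a simplified Python model of Nagios soft and hard service states, driven by a plugin that reports only events logged since the previous check. The function name run_checks and the event timelines are constructed for illustration, and re-notification intervals are ignored.

```python
# Added illustration, not Nagios or plugin source code.
# Simplified model: a service must return a non-OK result on
# max_check_attempts consecutive checks before it reaches a HARD state
# and a notification goes out. An OK result in between resets the count.

def run_checks(events_per_check, max_check_attempts):
    """Return the 1-based check numbers at which a notification is sent.

    events_per_check[i] is the (constructed) number of matching events
    written to the log since the previous check. The plugin never
    reports the same event twice, so 0 means it returns OK.
    """
    notifications = []
    attempt = 0            # consecutive non-OK results so far
    hard_problem = False   # True once the service is in a HARD non-OK state
    for check_no, new_events in enumerate(events_per_check, start=1):
        if new_events > 0:                 # plugin returns Warning/Critical
            attempt += 1
            if attempt >= max_check_attempts and not hard_problem:
                hard_problem = True
                notifications.append(check_no)
        else:                              # plugin returns OK
            attempt = 0                    # soft recovery, nothing is sent
            hard_problem = False
    return notifications


# Constructed timeline: one matching event before check 2, one before check 5.
TIMELINE = [0, 1, 0, 0, 1, 0]

if __name__ == "__main__":
    for attempts in (1, 4):
        sent = run_checks(TIMELINE, attempts)
        print(f"max_check_attempts={attempts}: notifications at checks {sent}")
```

With max_check_attempts set to 4, both events in the constructed timeline pass without a notification; a notification is sent only if matching events happen to appear on four consecutive checks.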