
Eventlog, no output w. ID Filter higher 10000

Help
sgruttmann
2007-07-17
2013-04-25
  • sgruttmann

    sgruttmann - 2007-07-17

    Hi,

    I would like to monitor ACE Server event logs by event ID.
    But it seems that entries with an Event ID higher than 10000 will not be processed.

    For example: ./check_nt -H xxx -v EVENTLOG -l "Application,Information,60,1,ACESERVER,0,1,15223"

    I get the message "OK: No entries in Application log recently."
    Even though the message exists.

    When I'm filtering by description I receive the entry, but with a different ID (1073757047).

    Further, I have an error (15005) of NC_Net in the event log as follows:
    Unhandled exception during processing of Event ID filter in event log check Index was outside the bounds of the array.
    What does this mean?

    I'm very new to NC_Net and Nagios; I hope somebody can help me out.

    Many Thanks
    Susanne

     
    • tony

      tony - 2007-07-17

      Hi Susanne,

      Several comments to help you get started, then we can re-examine your issue if problems continue.

      The Index out of bounds error should be a rare occurrence that is caused by the Event log changing size while the eventlog check is being performed. Upgrading to the eventlog_new check should fix this. If it was more than an infrequent occurrence, please contact me via nc_net@montitech.com to better examine the situation.

      EVENTLOG_NEW is a new check that is available via the latest releases of check_nc_net and nc_net.
      Please make sure you are using the newest version of NC_Net (v4.x), then make sure you are using check_nc_net (which you may already be using). I usually change the name of check_nc_net to check_nt when I compile it. The code for the new event log check is optimized to perform better, and it should not get an index error. Please report any issues you get here. The format of the new eventlog check has been optimized to include and exclude filters, it also accepts ranges for eventID, and the eventID mismatch stuff has been resolved.

      The second problem between the old event_log and the new one is the event_ID. If you take out the eventID from your initial check it should work. The issue with the eventID is a BUG in the Windows Event Log. There are several mechanisms from different versions of Windows to write events to the event log. Internally in the Windows Event Logs, the Event ID field is in a Union data field, thus not all of the number is used as the event ID, only the bottom bytes. This is only an issue when some vendors write events to the Windows log. This has been resolved in the new event log check.

      Please follow up as to whether this resolves your issues, or with other questions.

      Tony

      Event log checks should be compiled with a minimum amount of information that identifies what you need.
      For example, if you need all Errors from a particular source in the last 10 min.

       
      • sgruttmann

        sgruttmann - 2007-07-19

        Hi Tony,

        Thank you for your fast reply.

        I've implemented check_nc_net in Nagios plugins now.
        As I understood, I'm using check_nt -h xxxx -v EVENTLOG_NEW ... instead of EVENTLOG?
        Because when I'm using EVENTLOG_NEW I get the following error: Client - ERROR: Argument mismatch
        When I'm using EVENTLOG I have the same result as before: No entries in Application log.

        What I can do is filter for the ID which has been returned when I'm filtering by description.

        The error message (15005) of NC_Net in the event log seems to be resolved now.

        NC_Net Version is 4.1a

        Susanne

         
        • tony

          tony - 2007-07-19

          Hi Susanne,

          I thought I had mentioned (it is in the documentation and the help) that the syntax of EVENTLOG_NEW is different from the syntax of EVENTLOG.

          Please refer to check_nt --help=EVENTLOG_NEW for the check_nc_net internal help, and the following link for the documentation on the new commands introduced in version 4.x:

          http://sourceforge.net/docman/display_doc.php?docid=48794&group_id=160140

          The documentation is also located in the install directory of NC_Net and in the Start menu of the user who installed NC_Net.

          The new command that matches your earlier post would be:
          Old example: ./check_nt -H xxx -v EVENTLOG -l "Application,Information,60,1,ACESERVER,0,1,15223"
          New example: ./check_nt -H xxx -v EVENTLOG_NEW -l "Application^Information^60^ACESERVER^15223^"
          This matches the query:
          all Information events in the Application log from the last 60 min that have the source ACESERVER and the Event ID 15223.

          To get all events from the Application log in the past hour, use the following:
          For example: ./check_nt -H xxx -v EVENTLOG_NEW -l "Application^^60^^^"

          To get all Warning and Information events from ACESERVER:
          For example: ./check_nt -H xxx -v EVENTLOG_NEW -l "Application^Information,warning^60^ACESERVER^^"

          The last field after the ^ is a comma-separated list of regular expressions that match against the message field of the event log entries. This naturally takes more work to accomplish, but without this option the eventlog checks should be relatively quick (once again dependent on the number of events in the event log).

          Please follow up with your success or questions.
          Tony
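As an added illustration (not code from this thread or from NC_Net), the Python below does the two things Tony's replies describe: it masks a raw 32-bit Windows instance ID down to the low 16-bit Event ID, which turns the 1073757047 Susanne saw into 15223, and it parses the caret-separated EVENTLOG_NEW filter strings quoted above and applies them to constructed sample records. The field layout assumed for the filter follows only the three examples in the thread, and the sample events are made up; the severity bits in the top two bits of the instance ID are standard Windows layout.

```python
import re
from collections import namedtuple

# Windows keeps a full 32-bit instance ID per record: bits 30-31 carry the
# severity and only the low 16 bits are the "Event ID" Event Viewer displays.
SEVERITY = {0: "Success", 1: "Information", 2: "Warning", 3: "Error"}

def decode_instance_id(instance_id):
    """Return (event_id, severity_name) for a raw 32-bit instance ID."""
    return instance_id & 0xFFFF, SEVERITY[(instance_id >> 30) & 0x3]

# One record; instance_id is the raw 32-bit value as stored in the log.
Event = namedtuple("Event", "log kind minutes_ago source instance_id message")

def parse_filter(arg):
    """Parse the six caret-separated EVENTLOG_NEW fields quoted in the thread."""
    log, kinds, minutes, source, ids, patterns = arg.split("^")
    return {
        "log": log,
        "kinds": {k.strip().lower() for k in kinds.split(",") if k.strip()},
        "minutes": int(minutes),
        "source": source.lower() or None,
        # single IDs only; the range syntax the thread mentions is not shown there
        "ids": {int(i) for i in ids.split(",") if i.strip()},
        "patterns": [re.compile(p) for p in patterns.split(",") if p],
    }

def matches(f, ev):
    event_id, _ = decode_instance_id(ev.instance_id)  # compare on the masked ID
    if ev.log != f["log"] or ev.minutes_ago > f["minutes"]:
        return False
    if f["kinds"] and ev.kind.lower() not in f["kinds"]:
        return False
    if f["source"] and ev.source.lower() != f["source"]:
        return False
    if f["ids"] and event_id not in f["ids"]:
        return False
    return all(p.search(ev.message) for p in f["patterns"])

def count_matches(arg, events):
    return sum(matches(parse_filter(arg), ev) for ev in events)

# Constructed sample records (not real ACE Server output); 1073757047 is the
# raw value from the thread, which masks to event ID 15223.
SAMPLE_EVENTS = [
    Event("Application", "Information", 5, "ACESERVER", 1073757047, "Agent host online"),
    Event("Application", "Warning", 30, "ACESERVER", 2147498871, "Token expiry soon"),
    Event("Application", "Error", 90, "ACESERVER", 3221240695, "Replication failed"),
    Event("System", "Information", 2, "Service Control Manager", 1073748860, "Service started"),
]
```

Filtering on the raw value 1073757047 would never match a check that expects 15223, which is the mismatch the first post ran into with the old EVENTLOG check.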

           
          • sgruttmann

            sgruttmann - 2007-07-19

            Hi Tony,

            Yeah, it's working now.

            Sorry, you're right, I should have read the documentation first, but I was not aware that the syntax had been changed.

            Thank you very much for your excellent and fast help :-))))

            kind regards
            Susanne

             
