Searching...
  1. Home /
  2. How to Monitor Windows Events

How to Monitor Windows Events

Knowledge Base

Objective

Show how to monitor Windows Events through NSClient++.

Target Audience

Administrators and OpMon users which needs monitor specific Windows Events.

Prerequisites

  • Have the OpMon installed.
  • Have the NSClient++ installed. How to install the agent can be seen here.

About the Windows Events

The Event Viewer is a Windows Native Tool, which register details about system errors, including the erros caused by hardware failure, like HD or Memory Ram, being possible to analyze Login erros and a various Operational System information.

Solution

The Events monitor it is done by the NRPE check, so it is necessary validate the Agent operation. After followed the steps described here, execute the following command:

[root@opmon ~]# /usr/local/opmon/libexec/check_nrpe -H 192.168.10.1
I (0.4.4.23 2016-04-05) seem to be doing fine..

After the return above we can configure the commands, like the examples bellow:

Checks in the last 5 minutes if have an event ID 0 or 916 in Application:

[root@opmon ~]# /usr/local/opmon/libexec/check_nrpe -H 192.168.10.1 -c check_eventlog -a file=application scan-range=-5m "filter=id=0 or id=916" "warning=id=0 or id=916" "critical=none" "top-syntax=%(status): %(count) eventos encontrados para os IDs 0 e 916" "perf-config=level(ignored:false)"
WARNING: 1 eventos encontrados para os IDs 0 e 916|'Application_AdobeARMservice_id'=0;0;0

Remembering  the command check_event log is native of NSClient++, and it’s not necessary configure him and the -a parameter refer to what check_eventlog are expecting.

Checks in the last 24 hours if exists an event ID 0 or 916 with the message ‘The’ in Application:

[root@opmon ~]# /usr/local/opmon/libexec/check_nrpe -H 192.168.10.1 -c check_eventlog -a file=application "filter=id IN (0,916) AND message like 'The' AND written>-24h" "crit=count > 0" "`echo -e "detail-syntax=%(count) Event(s) found at %(written) with ID %(id) from %(source) found. nMessage: %(message)"`"
CRITICAL: 23/23 0 Event(s) found at 2w 3d 12:2 with ID 916 from ESENT found.
Message: DllHost (9324,G,0) The beta feature EseDiskFlushConsistency is enabled in ESENT due to the beta site mode settings 0x800000., 1 Event(s) found at 2w 3d 12:2 with ID 916 from ESENT found.
Message: DllHost (9324,G,0) The beta feature EseDiskFlushConsistency is enabled in ESENT due to the beta site mode settings 0x800000., 2 Event(s) found at 2w 3d 12:2 with ID 916 from ESENT found.
Message: DllHost (9324,G,0) The beta feature EseDiskFlushConsistency is enabled in ESENT due to the beta site mode settings 0x800000., 3 Event(s) found at 2w 3d 12:2 with ID 916 from ESENT found.
Message: svchost (3988,G,0) The beta feature EseDiskFlushConsistency is enabled in ESENT due to the beta site mode settings 0x800000., 4 Event(s) found at 2w 3d 12:2 with ID 916 from ESENT found.

Check in the last 24 hours if exists an event with ID 0 in Application:

[root@opmon ~]# /usr/local/opmon/libexec/check_nrpe -H 192.168.10.1 -c check_eventlog -a file=application "filter=id IN (0) AND written>-24h" "crit=count > 0" "`echo -e "detail-syntax=%(count) Event(s) found at %(written) with ID %(id) from %(source) found. nMessage: %(message)"`"
CRITICAL: 7/7 0 Event(s) found at 2w 3d 12:2 with ID 0 from AdobeARMservice found.
Message: , 1 Event(s) found at 2w 3d 12:2 with ID 0 from AdobeARMservice found.
Message: , 2 Event(s) found at 2w 3d 12:2 with ID 0 from igfxCUIService2.0.0.0 found.
Message: , 3 Event(s) found at 2w 3d 12:2 with ID 0 from igfxCUIService2.0.0.0 found.
Message: , 4 Event(s) found at 2w 3d 12:2 with ID 0 from igfxCUIService2.0.0.0 found.
Message: , 5 Event(s) found at 2w 3d 12:1 with ID 0 from igfxCUIService2.0.0.0 found.
Message: , 6 Event(s) found at 2w 3d 12:1 with ID 0 from igfxCUIService2.0.0.0 found.
Message: |'count'=7;0;0

Checks in the last 1 hour if exists an event with several error ou informational in System:

[root@opmon ~]# /usr/local/opmon/libexec/check_nrpe -H 192.168.10.1 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -1h AND severity = 'error' OR severity = 'informational'"
EventLog, The system uptime is 954977 seconds., Microsoft-Windows-Kernel-General, The access history in hive ??C:ProgramDataMicrosoftProvisioningMicrosoft-Desktop-Provisioning-Sequence.dat was cleared updating 0 keys and creating 0 modified pages., Service Control Manager, The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start., Service Control Manager, The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start., Microsoft-Windows-WindowsUpdateClient, Installation Successful: Windows successfully installed the following update: 9WZDNCRFJ3P2-Microsoft.ZuneVideo, Microsoft-Windows-WindowsUpdateClient, Installation Started: Windows has started installing the following update: 9WZDNCRFJ3P2-Microsoft.ZuneVideo, Microsoft-Windows-Kernel-General, The access history in hive ??C:Userscristiano.nessAppDataLocalPackagesMicrosoft.ZuneVideo_8wekyb3d8bbweSettingssettings.dat was cleared updatin

Done! And now?

After you tested the commands and know how to use, add the monitor to the OpMon.

As you wish, you can see the NSClient++ documentation on this link  and can use too the Monitoring Model NSClient++,  and the documentation can see on this link.

Updated on 05/12/2017

Was this article helpful?

Yes No

Ficou com alguma dúvida?

Perguntas & Respostas

Participe da nossa comunidade e tire dúvidas ou compartilhe respostas e ideias.

Participar

Professional Support

Não encontrou a resposta que procura? Não se preocupe, estamos aqui para ajudar!

Abrir chamado

Treinamento Online

Através da plataforma Udemy, você encontra todos os treinamentos das nossas soluções.

Inscreva-se