NagiosEnterprises / ncpa

Nagios Cross-Platform Agent

Event Logging not working with Application and Services Logs in NCPA 3 #1092

Closed zjerky closed 6 months ago

zjerky commented 9 months ago

The following will return results with 2.4.1 but not with 3.0.1.

https://hostname:5693/api/logs?name=%22Active%20Directory%20Web%20Services%22&logged_after=2w

I thought it could be the space, but Forwarded Events (which is in the Windows Logs folder) works on 3.0:

https://hostname:5693/api/logs?name=Forwarded Events&logged_after=2w

But this one times out:

https://hostname:5693/api/logs?name=Active Directory Web Services&logged_after=2w

Anything in the Windows Logs event folder works fine (e.g. System, Application, Forwarded Events), but it will not work with anything in Application and Services Logs that I tried (e.g. Active Directory Web Services, Directory Service, DNS Server, etc.)

For reference, this is the command we are using from Nagios XI that worked with NCPA 2.4.1 but not with 3.0.1:

/check_ncpa.py -H $HOSTADDRESS$ -t 'TokenRemoved' -P 5693 -M 'logs' -q 'name=Active Directory Web Services,logged_after=2h,severity=ERROR' -c 0

NCPA 2.4.1 returned results.

NCPA 3.0.1 returned: UNKNOWN: An error occurred connecting to API. (HTTP error: '500 INTERNAL SERVER ERROR')

If the syntax changed for accessing Event Logs from the API, please let me know.

gittethis commented 9 months ago

I found the cause, related to the fact that the default date retrieval format changed between 2.4.1 and 3.0 (for the non "Windows Logs") and this is actually failing the check for any log not in this category. Syntax is like :

I managed to correct it (and test it for a fair amount of use cases) on one of my machines, but I need to properly upload the changes through git.

zjerky commented 9 months ago

Thank you for taking the time to fix this.

I am a bit new to this. Will the fix show up in future versions?

gittethis commented 9 months ago

Sure! If it is considered valid by the testers, it will be merged into the next release. If you are in urgent need of this functionality, I could probably provide you a temporary release for you to test properly in the meantime on your side (it will be exactly the actual official 3.0.1 but with the above fix added).

sawolf commented 8 months ago

On the support forum, a user had these to share:

2024-01-08 12:32:24,816 listener DEBUG before_request() - type(request.view_args): <class 'dict'>
2024-01-08 12:32:24,816 listener INFO before_request() - request.url: https://<servername>:5693/api/logs/?token=<token>&critical=0&check=1&name=DFS+Replication&logged_after=30m&severity=ERROR
2024-01-08 12:32:24,816 listener DEBUG before_request() - request.path: /api/logs/
2024-01-08 12:32:24,816 listener DEBUG before_request() - request.url_rule: /api/<path:accessor>
2024-01-08 12:32:24,816 listener DEBUG before_request() - request.view_args: {'accessor': 'logs/'}
2024-01-08 12:32:24,816 listener DEBUG before_request() - request.routing_exception: None
2024-01-08 12:32:25,082 listener.server ERROR Exception on /api/logs/ [GET]
Traceback (most recent call last):
File "listener\windowslogs.py", line 86, in get_logs
File "listener\windowslogs.py", line 572, in get_event_logs
File "_strptime.py", line 568, in _strptime_datetime
File "_strptime.py", line 349, in _strptime
ValueError: time data '2024-01-08 10:15:53.877000+00:00' does not match format '%m/%d/%y %H:%M:%S'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "listener\windowslogs.py", line 102, in run_check
File "listener\windowslogs.py", line 75, in walk
File "listener\windowslogs.py", line 72, in log_method
File "listener\windowslogs.py", line 91, in get_logs
Exception: General error occurred while getting log DFS Replication: ValueError("time data '2024-01-08 10:15:53.877000+00:00' does not match format '%m/%d/%y %H:%M:%S'")

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "flask\app.py", line 1455, in wsgi_app
File "flask\app.py", line 869, in full_dispatch_request
File "flask\app.py", line 867, in full_dispatch_request
File "flask\app.py", line 852, in dispatch_request
File "listener\server.py", line 305, in token_auth_decoration
File "listener\server.py", line 1111, in api
File "listener\windowslogs.py", line 105, in run_check
AttributeError: 'Exception' object has no attribute 'message'

It looks like the patch will probably handle this, just making sure the data is here.

@ne-bbahn is out of the office this week, but he will review the patch and do some additional testing when he's back. Either the provided patch or a similar fix will show up starting in NCPA 3.0.2 or 3.1.0 (whatever our next release ends up being).

ne-bbahn commented 6 months ago

This should be solved in 3.0.2. There are a few other little issues with Windows Logs, but this particular issue should be fixed now.
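
The two failures in the traceback quoted in this thread, reduced to an added Python example (not NCPA's code and not the patch discussed here): a parser that accepts both timestamp styles, and a `logged_after` filter that reports unparsable records through `str(exc)` instead of raising. The function names, the record shape and the choice to treat naive timestamps as UTC are assumptions.

```python
from datetime import datetime, timedelta, timezone

LEGACY_FORMAT = "%m/%d/%y %H:%M:%S"  # format named in the ValueError above

def parse_event_time(raw):
    """Parse either timestamp style from the thread into an aware UTC datetime."""
    text = str(raw).strip()
    try:
        parsed = datetime.strptime(text, LEGACY_FORMAT)  # e.g. '01/08/24 10:15:53'
    except ValueError:
        # e.g. '2024-01-08 10:15:53.877000+00:00'; raises ValueError if also invalid
        parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        # Assumption: naive legacy timestamps are treated as UTC in this sketch.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)

def filter_logged_after(records, window, now):
    """Return (kept, errors): records newer than now - window, plus parse failures."""
    cutoff = now - window
    kept, errors = [], []
    for rec in records:
        try:
            if parse_event_time(rec["time"]) >= cutoff:
                kept.append(rec)
        except ValueError as exc:
            # str(exc) is the Python 3 way to get the text; exc.message does not
            # exist, which is the AttributeError at the end of the traceback.
            errors.append(f"{rec['id']}: {exc}")
    return kept, errors

# Constructed sample records (hypothetical shape, not real event log data).
SAMPLE = [
    {"id": 1, "time": "2024-01-08 10:15:53.877000+00:00"},
    {"id": 2, "time": "01/08/24 12:20:00"},
    {"id": 3, "time": "01/01/24 09:00:00"},
    {"id": 4, "time": "not a timestamp"},
]
NOW = datetime(2024, 1, 8, 12, 32, 24, tzinfo=timezone.utc)

if __name__ == "__main__":
    kept, errors = filter_logged_after(SAMPLE, timedelta(minutes=30), NOW)
    print("kept:", [r["id"] for r in kept])
    print("errors:", errors)
```

Collecting parse failures per record keeps one malformed timestamp from turning the whole check into a 500 and an UNKNOWN state, which would leave the monitored log unobserved.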