lausser / check_logfiles

A plugin (monitoring-plugin, not nagios-plugin, see also http://is.gd/PP1330) which scans logfiles for patterns.
https://omd.consol.de/docs/plugins/check_logfiles/
GNU General Public License v2.0

"winwarncrit" option causes Windows eventlog messages to be prefixed with "EE_(EE|WW)_TT" #71

Open atj opened 2 years ago

atj commented 2 years ago

When monitoring the Windows eventlog, if the winwarncrit option is specified, the log messages output by the plugin are prefixed with one of the following:

I've tested using the latest git head (v4.0.1.6 at the time of writing) and the issue is still present. Steps to reproduce the issue are provided below:

Configuration file:

$options = 'report=long, maxlength=768';
$protocolretention = 1;

@searches = (
    ##
    ## Windows System EventLog Check
    ##
    {
        tag => 'system-eventlog',
        script => sub {
            # trim the service output so it fits the monitoring core's limits
            my $trimlength = 500;
            my $op_trim = substr($ENV{CHECK_LOGFILES_SERVICEOUTPUT}, 0, $trimlength);
            print $op_trim;
            return $ENV{CHECK_LOGFILES_SERVICESTATEID};
        },
        type => 'wevtutil',
        eventlog => {
            eventlog => 'application',
            include => {
            },
        },
        criticalpatterns => [
            '.*',
        ],
        criticalexceptions => [
        ],
        warningpatterns => [
        ],
        warningexceptions => [
            ###STARTOFWARNINGEXCEPTIONS###
            ###ENDOFWARNINGEXCEPTIONS###
        ],
        okpatterns => [
            ###STARTOFOKPATTERNS###
            ###ENDOFOKPATTERNS###
        ],
        options => 'nocase,supersmartscript,winwarncrit,sticky=90,preferredlevel=warning',
    },
);

Clear the Application event log in Event Viewer and then run check_logfiles:

PS C:\Users\xxx\check_logfiles-522ebe\plugins-scripts> perl .\check_logfiles -f .\test.conf
OK - no errors or warnings|'system-eventlog_lines'=0 'system-eventlog_warnings'=0 'system-eventlog_criticals'=0 'system-eventlog_unknowns'=0

Use Powershell to add a warning to the event log:

New-EventLog -LogName Application -Source CheckLogfilesTest
Write-EventLog -LogName "Application" -Source "CheckLogfilesTest" -EventId 4242 -EntryType Warning -Message "Test warning event"

Run check_logfiles again:

PS C:\Users\xxx\check_logfiles-522ebe\plugins-scripts> perl .\check_logfiles -f .\test.conf
WARNING - (1 warnings in test.protocol-2022-05-05-14-08-58) - EE_WW_TT2022-05-05T14:08:50 4242 Test warning event |'system-eventlog_lines'=1 'system-eventlog_warnings'=1 'system-eventlog_criticals'=0 'system-eventlog_unknowns'=0
tag system-eventlog WARNING
EE_WW_TT2022-05-05T14:08:50 4242 Test warning event

Add an error to the event log using Powershell:

Write-EventLog -LogName "Application" -Source "CheckLogfilesTest" -EventId 4242 -EntryType Error -Message "Test error event"

Run check_logfiles again:

PS C:\Users\xxx\check_logfiles-522ebe\plugins-scripts> perl .\check_logfiles -f .\test.conf
CRITICAL - (2 errors, 1 warnings in test.protocol-2022-05-05-14-09-35) - EE_EE_TT2022-05-05T14:09:30 4242 Test error event ...|'system-eventlog_lines'=1 'system-eventlog_warnings'=1 'system-eventlog_criticals'=2 'system-eventlog_unknowns'=0
tag system-eventlog CRITICAL
EE_EE_TT2022-05-05T14:09:30 4242 Test error event
EE_EE_TT2022-05-05T14:09:30 4242 Test error event
EE_WW_TT2022-05-05T14:08:50 4242 Test warning event

Note how each message is prefixed with "EE_(EE|WW)_TT". However, when I remove the winwarncrit option from the configuration, the output doesn't include those prefixes:

PS C:\Users\xxx\check_logfiles-522ebe\plugins-scripts> perl .\check_logfiles -f .\test.conf
CRITICAL - (3 errors in test.protocol-2022-05-05-14-15-31) - 2022-05-05T14:12:02 4242 Test error event ...|'system-eventlog_lines'=3 'system-eventlog_warnings'=0 'system-eventlog_criticals'=3 'system-eventlog_unknowns'=0
tag system-eventlog CRITICAL
2022-05-05T14:08:50 4242 Test warning event
2022-05-05T14:09:30 4242 Test error event
2022-05-05T14:12:02 4242 Test error event

I tried changing the type option from "wevtutil" to "eventlog" but the issue remained.
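While the issue is open, a consumer of the plugin's long report has to cope with both output shapes shown above. The following parser is an added example written for this page, not code from check_logfiles or from the reporter; it strips the "EE_(EE|WW)_TT" marker when present, records the severity it encodes, and reads the perfdata from the first line. The function and class names are my own.

```python
import re
from typing import NamedTuple, Optional

# Marker that check_logfiles prepends to Windows eventlog lines when the
# "winwarncrit" option is set (as reported in this issue). It is not part of
# the event text, so strip it before matching or trimming the message.
PREFIX_RE = re.compile(r'^EE_(?P<sev>EE|WW)_TT')
EVENT_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<id>\d+) (?P<msg>.*)$')
PERF_RE = re.compile(r"'(?P<key>[^']+)'=(?P<val>\d+)")

# EE_EE_ accompanies error events, EE_WW_ warning events (see the issue output)
SEVERITY = {'EE': 'CRITICAL', 'WW': 'WARNING'}

class Event(NamedTuple):
    severity: Optional[str]  # taken from the prefix; None when the line has none
    timestamp: str
    event_id: int
    message: str

def parse_event_line(line: str) -> Event:
    """Parse one report line, with or without the winwarncrit prefix."""
    line = line.strip()
    severity = None
    m = PREFIX_RE.match(line)
    if m:
        severity = SEVERITY[m.group('sev')]
        line = line[m.end():]
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f'unrecognised event line: {line!r}')
    return Event(severity, m.group('ts'), int(m.group('id')), m.group('msg'))

def parse_perfdata(first_line: str) -> dict:
    """Return the 'label'=value pairs after the '|' of the status line."""
    _, _, perf = first_line.partition('|')
    return {m.group('key'): int(m.group('val')) for m in PERF_RE.finditer(perf)}

def parse_report(output: str):
    """Split plugin output into (status, perfdata, events); 'tag ...' lines are skipped."""
    lines = [l for l in output.splitlines() if l.strip()]
    status = lines[0].split(' ', 1)[0]
    perf = parse_perfdata(lines[0])
    events = [parse_event_line(l) for l in lines[1:] if not l.startswith('tag ')]
    return status, perf, events

# Constructed sample: the plugin output quoted in the issue with winwarncrit set.
SAMPLE = """CRITICAL - (2 errors, 1 warnings in test.protocol-2022-05-05-14-09-35) - EE_EE_TT2022-05-05T14:09:30 4242 Test error event ...|'system-eventlog_lines'=1 'system-eventlog_warnings'=1 'system-eventlog_criticals'=2 'system-eventlog_unknowns'=0
tag system-eventlog CRITICAL
EE_EE_TT2022-05-05T14:09:30 4242 Test error event
EE_EE_TT2022-05-05T14:09:30 4242 Test error event
EE_WW_TT2022-05-05T14:08:50 4242 Test warning event
"""
```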