pulsejets / check_wmi_eventid


No luck getting this to work with the Setup event log #5

Open grberk opened 5 years ago

grberk commented 5 years ago

Is there something different in regards to this script and it querying the Setup event log? I've tested this on different logs with different event IDs and info levels with success, but no matter what I use on the Setup event log, it comes back with nothing. Everything shows 0 events with no issues, and that clearly is not so.

I was hoping to use this for a way to query my event logs (in particular, the Setup log) to look for event ID 4 /info level to detect when a monitored host in Nagios has a pending reboot.

grberk commented 5 years ago

Is anyone maintaining this or monitoring these issues?

pulsejets commented 5 years ago

Hi

Yes I do, but right now I don't have access to a Windows server, only Linux.

What version of Windows Server?

Br Kenneth

grberk commented 5 years ago

We have different versions of Windows server in our environment, but they would be 2008 R2, 2012 R2 or 2016.

pulsejets commented 5 years ago

Hi

Could you provide me with all the arguments you are using?

grberk commented 5 years ago

I have one server I'm testing this on that has an event log entry of type Info and event ID 4 on 12/3/18 at 9:46:51 PM, and I'm using this command line to check:

/usr/local/nagios/libexec/check_wmi_eventid.sh -H <server's IP here> -u <user/password here> -l setup -e4 -w1 -c3 -t3 -m15000

And the results show as this:

Select EventCode,EventIdentifier,EventType,SourceName from Win32_NTLogEvent where ( Logfile = "setup" ) and ( eventcode = "4" ) and ( EventType = "3" ) and TimeGenerated > "20181130045130.000000-000"
OK 0 with Severity Level Information in setup with in the last 10 Days, 10 hour|eventid4=0;1;3;;

grberk commented 5 years ago

Ooops. I didn't mean to close this.

grberk commented 5 years ago

Maybe I have this working. I set the W and C options to 0, and now I see warning or critical, depending on what I have set.

All I really want is to get an alert as soon as the check sees at least ONE iteration of event ID 4 in the Setup event log.

grberk commented 5 years ago

Actually, leaving W and C options set to 0 shows warning or critical, depending on whether I have one or both included in the command line, no matter what time period I check. I have it set to check the previous 60 minutes, and it still shows Warning if I use -W0 and Critical if I have -C0 (and -W0). The last entry in the event log was back on 12/3/18, so that is clearly older than 60 minutes. Are the -C and -W options required? And if so, does using 0 mess this check up?

grberk commented 5 years ago

Last comment on this, I promise. If I use the options -W1 and -C1, no matter what time period I use, the result always comes back OK, even when the log period should include an event that is in there.

km-netgroup commented 5 years ago

Hi, can you give me the output with option -d?

/Kenneth

grberk commented 5 years ago

[nagios@nagiosxi.cefcu.com ~]$ /usr/local/nagios/libexec/check_wmi_eventid.sh -H <IP OBFUSCATED> -u <USER/PASSWORD OBFUSCATED> -l setup -e 4 -t 3 -w 1 -c 1 -m20000 -d
Select EventCode,EventIdentifier,EventType,SourceName from Win32_NTLogEvent where ( Logfile = "setup" ) and ( eventcode = "4" ) and ( EventType = "3" ) and TimeGenerated > "20181126203443.000000-000"
/bin/wmic --namespace root/cimv2 -U <USER/PASSWORD OBFUSCATED> --option='client ntlmv2 auth'=Yes //<IP OBFUSCATED> '--delimiter="|"' 'Select EventCode,EventIdentifier,EventType,SourceName from Win32_NTLogEvent where ( Logfile = "setup" ) and ( eventcode = "4" ) and ( EventType = "3" ) and TimeGenerated > "20181126203443.000000-000"'
OK 0 with Severity Level Information in setup with in the last 13 Days, 21 hour 20 min|eventid4=0;1;1;;

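
As an added example that is not the project's script, the pieces such a check needs, written in Python: the UTC lookback timestamp in the DMTF form shown in the -d output, the same WQL, a row counter for the '|'-delimited wmic output, and the mapping from count and -w/-c thresholds to a Nagios exit code and perfdata line. The wmic output layout, the count >= threshold comparison, the sample rows and the ExampleSource name are assumptions, not taken from the script.

```python
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes

def dmtf_since(minutes, now_utc=None):
    """UTC 'now minus N minutes' in the DMTF form seen in the -d output above;
    now_utc is an optional 'YYYY-MM-DDTHH:MM:SS' string for reproducible runs."""
    now = datetime.fromisoformat(now_utc) if now_utc else datetime.now(timezone.utc)
    return (now - timedelta(minutes=minutes)).strftime("%Y%m%d%H%M%S") + ".000000-000"

def build_wql(logfile, event_id, event_type, since):
    """Same WQL the script prints with -d."""
    return ("Select EventCode,EventIdentifier,EventType,SourceName from Win32_NTLogEvent "
            f'where ( Logfile = "{logfile}" ) and ( eventcode = "{event_id}" ) '
            f'and ( EventType = "{event_type}" ) and TimeGenerated > "{since}"')

def count_events(wmic_output):
    """Count data rows in '|'-delimited wmic output. Assumed layout: an optional
    'CLASS: ...' line, a header row, then one row per event (nothing on no match)."""
    count = 0
    for line in wmic_output.splitlines():
        line = line.strip()
        if not line or line.startswith("CLASS:") or line.startswith("EventCode|"):
            continue
        count += 1
    return count

def evaluate(count, warn, crit, event_id, logfile):
    """Return (exit code, status line with perfdata). Comparison is count >= threshold
    (assumed): with -w 0 / -c 0 even zero events fire, matching the always-WARNING/
    CRITICAL behaviour reported above; 'alert on the first event' is -w 1 / -c 1."""
    if crit is not None and count >= crit:
        code, word = CRITICAL, "CRITICAL"
    elif warn is not None and count >= warn:
        code, word = WARNING, "WARNING"
    else:
        code, word = OK, "OK"
    perf = f"eventid{event_id}={count};{'' if warn is None else warn};{'' if crit is None else crit};;"
    return code, f"{word} {count} event(s) id {event_id} in {logfile}|{perf}"

# Constructed sample: two Setup-log rows, EventType 3 (Information), placeholder source
SAMPLE_WMIC = """CLASS: Win32_NTLogEvent
EventCode|EventIdentifier|EventType|SourceName
4|4|3|ExampleSource
4|4|3|ExampleSource
"""

if __name__ == "__main__":
    print(build_wql("setup", 4, 3, dmtf_since(60)))
    print(evaluate(count_events(SAMPLE_WMIC), 1, 1, 4, "setup")[1])
```

Whether Win32_NTLogEvent exposes the Setup channel on a given host can be checked with the same wmic call and the query 'Select LogfileName from Win32_NTEventlogFile'; a log that is absent from that list will always count 0 here, whatever thresholds are set.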
km-netgroup commented 5 years ago

Have you tried running this command directly on the Nagios server?

/bin/wmic --namespace root/cimv2 -U <USER/PASSWORD OBFUSCATED> --option='client ntlmv2 auth'=Yes // '--delimiter="|"' 'Select EventCode,EventIdentifier,EventType,SourceName from Win32_NTLogEvent where ( Logfile = "setup" ) and ( eventcode = "4" ) and ( EventType = "3" ) and TimeGenerated > "20181126203443.000000-000"'
OK 0 with Severity Level Information in setup with in the last 13 Days, 21 hour 20 min|eventid4=0;1;1;;

grberk commented 5 years ago

I see the same behavior running it directly on the Nagios server - same results.

grberk commented 5 years ago

Any possible fix or solution for this? I'm not sure what else to do or try. I'm looking at other options, but everything I see that would look at event logs in greater detail would involve installing agents on all of my servers, and I really don't want to go that route.

km-netgroup commented 5 years ago

Hi, not yet. I have been very busy, and I am not a Windows guy but a Linux one, so it takes a bit longer. I am off for a 14-week vacation, so I will have more time after New Year, if it can wait. Br Kenneth

grberk commented 5 years ago

Oh, there is no rush. It's just something we would like to have working in our Nagios system. We don't need it right away.

Enjoy your holidays. :-)