How to monitor Microsoft Windows Eventlog ID

Introduction

Microsoft Windows records almost all system events in its event logs. Sometimes you might want to be notified when a certain event happens in the system. The purpose of this article is to describe how op5 Monitor can be used to monitor Microsoft Windows Event IDs. The monitoring is done with check_nrpe and the agent NSClient++.

Prerequisites

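Before we can start monitoring Microsoft Windows Event IDs, we need to make sure NSClient++ is installed and configured to allow arguments. Allowing arguments means the host accepts command arguments from whoever can reach its NRPE port, so restrict that port to the op5 Monitor server.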

Configuring NSClient++

When we make changes to the NSClient++ configuration, we make them in the file called:

custom.ini

It is found in the folder where NSClient++ is installed on the host.

To configure NSClient++:

  1. Open up custom.ini in Notepad.
  2. Add the following lines to custom.ini:
    [NRPE]
    allow_arguments=1
    allow_nasty_meta_chars=1
  3. Restart the NSClient++ service.

Adding a check_command to op5 Monitor

Now we will add a new check_command to op5 Monitor. This check_command will let you set a few arguments when adding a new service later on.

  1. Open up Configure in op5 Monitor.
  2. Click "Commands".
  3. Add a new check_command with the following settings:

    Option Value
    command_name check_nrpe_windows_eventlog_id
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c checkEventLog -a file=$ARG1$ MaxWarn=$ARG2$ MaxCrit=$ARG3$ filter-generated'=>$ARG4$' filter=out filter=all filter+eventID=="$ARG5$" truncate=1000 unique descriptions "syntax=%type%: %source%: (%count%)"

    $ARG1$: Eventlog File [Application | Security | System | ...]
    $ARG2$: Warning level
    $ARG3$: Critical level
    $ARG4$: How far back to check, for example 5d for five days.
    $ARG5$: The Event ID

  4. Click "Apply".

Adding a service to op5 Monitor

In this example we will add a service that looks for the event reporting that Windows cannot load the user's profile but has logged you on with the default profile for the system.

This event has the ID 1505 and is located in the Application file.

To add a new service to op5 Monitor:

  1. Open up the host you would like to monitor and choose "Add new service".
  2. Set at least the following options:

    Option Value
    service_description Profile problems
    check_command check_nrpe_windows_eventlog_id
    check_command_args Application!1!1!2h!1505
  3. Click "Apply" and then "Save".
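
The expansion of the example service into the command that actually runs, as an added example (not part of the original article or of op5 Monitor): it fills $ARG1$ to $ARG5$ from check_command_args, tokenises the result as a shell would, and lists the arguments that NSClient++ only accepts with allow_nasty_meta_chars=1. The plugin path, the host address, the nasty-character set and the allow-list for argument values are assumptions of the example.

```python
import re
import shlex

# command_line of check_nrpe_windows_eventlog_id, copied from the article.
COMMAND_LINE = (
    "$USER1$/check_nrpe -H $HOSTADDRESS$ -c checkEventLog -a file=$ARG1$ "
    "MaxWarn=$ARG2$ MaxCrit=$ARG3$ filter-generated'=>$ARG4$' filter=out "
    "filter=all filter+eventID==\"$ARG5$\" truncate=1000 unique descriptions "
    "\"syntax=%type%: %source%: (%count%)\""
)
# Constructed sample values; not taken from the article.
MACROS = {"$USER1$": "/opt/plugins", "$HOSTADDRESS$": "192.0.2.10"}
# Characters treated as "nasty" (assumption: verify against your NSClient++ version).
NASTY = set("|`&><'\"\\[]{}")
# Conservative allow-list for $ARGn$ values (a choice made for this example).
SAFE_ARG = re.compile(r"[A-Za-z0-9_.-]+")


def expand(command_line, check_command_args, macros=MACROS):
    """Fill $ARGn$ from the !-separated check_command_args, then host macros."""
    for n, value in enumerate(check_command_args.split("!"), start=1):
        # The values end up in a shell command line, so refuse anything
        # that could change how the shell parses it.
        if not SAFE_ARG.fullmatch(value):
            raise ValueError(f"$ARG{n}$ value {value!r} is not allow-listed")
        command_line = command_line.replace(f"$ARG{n}$", value)
    for name, value in macros.items():
        command_line = command_line.replace(name, value)
    return command_line


def nrpe_arguments(expanded):
    """Tokenise like the shell and return what check_nrpe sends after -a."""
    argv = shlex.split(expanded)
    return argv[argv.index("-a") + 1:]


def needs_nasty_chars(arguments):
    """Arguments that contain a character from the NASTY set."""
    return [a for a in arguments if NASTY & set(a)]


if __name__ == "__main__":
    args = nrpe_arguments(expand(COMMAND_LINE, "Application!1!1!2h!1505"))
    for a in args:
        print(a)
    print("needs allow_nasty_meta_chars:", needs_nasty_chars(args))
```

The single quotes around `=>$ARG4$` keep the `>` from being read as a shell redirection on the monitoring server; the `>` still reaches NSClient++ inside the argument, which is why allow_nasty_meta_chars=1 is part of the configuration.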