In Microsoft Windows, almost all events are logged to the event log.
This how-to applies to two versions of the NSClient++ agent, because the check command syntax differs between them. It describes how to monitor a specific event log ID, which can help you detect changes and behaviour patterns on your system.
- The NSClient++ monitoring agent version 0.4.4.15 installed on the target host
- Permissions to add check commands and services in op5 Monitor
Adding the check command
- Hover over the "Manage" menu and select "Configure"
- Click on “Commands” in the "Core Configuration" section
Add a new command with the following settings:
| Option | Value |
|---|---|
| command_name | check_nrpe_windows_eventlog_id |
| command_line | |
- Click the “Submit” button and save the configuration changes.
Using the check command in a service
The check command that we created above takes five user-supplied arguments:

| Argument | Description |
|---|---|
| $ARG1$ | Log Name ("Application", "Security", "System", "Directory Service", "DFS Replication" or similar) |
| $ARG2$ | Warning threshold for number of events |
| $ARG3$ | Critical threshold for number of events |
| $ARG4$ | Event Source ("ActiveDirectory_DomainService", "DFSR", "ADWS" or similar) |
| $ARG5$ | Event ID to match against |
Example use case 1
In the following example we will add a service that monitors an event ID indicating that Active Directory Web Services does not have a valid TLS certificate.
This event has the ID "1400" and is written to the "Active Directory Web Services" event log.
- Open up your target host in the configuration utility, go to the services section and select “Add new service”.
Change the following configuration options:

| Option | Value |
|---|---|
| service_description | Active Directory Web Services TLS Certificate |
| check_command | check_nrpe_windows_eventlog_id |
| check_command_args | Active Directory Web Services!1!2!ADWS!1400 |
- Click on the “Submit” button and save the configuration changes
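To see what the service definition above actually asks the agent for, here is an added illustration (not NSClient++ or op5 code) that splits the `!`-separated check_command_args into $ARG1$ to $ARG5$ and turns a matched-event count into a Nagios plugin state. The event records are constructed sample data, and the greater-or-equal threshold comparison is an assumption, since the real comparison is defined by the command_line of the check.

```python
"""Added illustration of the five-argument check from this how-to.
Not the agent's implementation: the event records are constructed and
the '>=' threshold comparison is an assumed reading of warning/critical."""

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes

# Constructed sample of the event fields the check compares against.
SAMPLE_EVENTS = [
    {"log": "Active Directory Web Services", "source": "ADWS", "id": 1400},
    {"log": "Active Directory Web Services", "source": "ADWS", "id": 1400},
    {"log": "Active Directory Web Services", "source": "ADWS", "id": 1000},
    {"log": "System", "source": "DFSR", "id": 1400},
]


def parse_check_args(args: str) -> dict:
    """Split an op5 check_command_args string into $ARG1$..$ARG5$.
    Nagios separates arguments with '!', so a log name may contain spaces
    but must never contain '!'."""
    parts = args.split("!")
    if len(parts) != 5:
        raise ValueError(f"expected 5 arguments, got {len(parts)}: {args!r}")
    log_name, warn, crit, source, event_id = parts
    warn, crit, event_id = int(warn), int(crit), int(event_id)
    if warn > crit:
        raise ValueError("warning threshold must not exceed critical threshold")
    return {"log": log_name, "warning": warn, "critical": crit,
            "source": source, "id": event_id}


def count_matches(events, spec) -> int:
    """Count events whose log, source and ID all match the argument spec."""
    return sum(1 for e in events
               if e["log"] == spec["log"] and e["source"] == spec["source"]
               and e["id"] == spec["id"])


def evaluate(events, args: str):
    """Return (exit_code, status line) the way a Nagios plugin reports it."""
    spec = parse_check_args(args)
    n = count_matches(events, spec)
    if n >= spec["critical"]:      # assumed: count >= critical -> CRITICAL
        state, label = CRITICAL, "CRITICAL"
    elif n >= spec["warning"]:     # assumed: count >= warning -> WARNING
        state, label = WARNING, "WARNING"
    else:
        state, label = OK, "OK"
    return state, (f"{label}: {n} event(s) with ID {spec['id']} from "
                   f"{spec['source']} in '{spec['log']}'"
                   f"|count={n};{spec['warning']};{spec['critical']}")


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, "Active Directory Web Services!1!2!ADWS!1400"))
```

With thresholds 1!2 as in the service above, a single matching event already raises WARNING and two or more raise CRITICAL, so pick thresholds to match how noisy the event is on your hosts.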
For more advanced information, have a look at the NSClient++ 0.4.4 check_eventlog documentation.