CheckEventLog
Check for errors and warnings in the event log.

Queries (Overview):

A list of all available queries (check commands)

Command         Description
check_eventlog  Check for errors in the event log.
checkeventlog   Legacy version of check_eventlog

Commands (Overview):

TODO: Add a list of all external commands (these are not check commands)

Configuration (Overview):

Common Keys:

Path / Section                               Key             Description
/settings/eventlog                           buffer size     BUFFER_SIZE
/settings/eventlog                           debug           DEBUG
/settings/eventlog                           lookup names    LOOKUP NAMES
/settings/eventlog                           syntax          SYNTAX
/settings/eventlog/real-time                 debug           DEBUG
/settings/eventlog/real-time                 enabled         REAL TIME CHECKING
/settings/eventlog/real-time                 log             LOGS TO CHECK
/settings/eventlog/real-time                 startup age     STARTUP AGE
/settings/eventlog/real-time/filters/default command         COMMAND NAME
/settings/eventlog/real-time/filters/default critical        CRITICAL FILTER
/settings/eventlog/real-time/filters/default destination     DESTINATION
/settings/eventlog/real-time/filters/default detail syntax   SYNTAX
/settings/eventlog/real-time/filters/default empty message   EMPTY MESSAGE
/settings/eventlog/real-time/filters/default filter          FILTER
/settings/eventlog/real-time/filters/default log             FILE
/settings/eventlog/real-time/filters/default maximum age     MAXIMUM AGE
/settings/eventlog/real-time/filters/default ok              OK FILTER
/settings/eventlog/real-time/filters/default ok syntax       SYNTAX
/settings/eventlog/real-time/filters/default severity        SEVERITY
/settings/eventlog/real-time/filters/default target          DESTINATION
/settings/eventlog/real-time/filters/default top syntax      SYNTAX
/settings/eventlog/real-time/filters/default warning         WARNING FILTER

Advanced keys:

Path / Section                               Key          Default Value  Description
/settings/eventlog/real-time/filters/default debug                       DEBUG
/settings/eventlog/real-time/filters/default escape html                 ESCAPE HTML
/settings/eventlog/real-time/filters/default logs                        FILES
/settings/eventlog/real-time/filters/default perf config                 PERF CONFIG
/settings/eventlog/real-time/filters/default source id                   SOURCE ID
/settings/eventlog/real-time/filters/default target id                   TARGET ID

Sample keys:

Path / Section                              Key            Default Value  Description
/settings/eventlog/real-time/filters/sample command                       COMMAND NAME
/settings/eventlog/real-time/filters/sample critical                      CRITICAL FILTER
/settings/eventlog/real-time/filters/sample debug                         DEBUG
/settings/eventlog/real-time/filters/sample destination                   DESTINATION
/settings/eventlog/real-time/filters/sample detail syntax                 SYNTAX
/settings/eventlog/real-time/filters/sample empty message                 EMPTY MESSAGE
/settings/eventlog/real-time/filters/sample escape html                   ESCAPE HTML
/settings/eventlog/real-time/filters/sample filter                        FILTER
/settings/eventlog/real-time/filters/sample log                           FILE
/settings/eventlog/real-time/filters/sample logs                          FILES
/settings/eventlog/real-time/filters/sample maximum age                   MAXIMUM AGE
/settings/eventlog/real-time/filters/sample ok                            OK FILTER
/settings/eventlog/real-time/filters/sample ok syntax                     SYNTAX
/settings/eventlog/real-time/filters/sample perf config                   PERF CONFIG
/settings/eventlog/real-time/filters/sample severity                      SEVERITY
/settings/eventlog/real-time/filters/sample source id                     SOURCE ID
/settings/eventlog/real-time/filters/sample target                        DESTINATION
/settings/eventlog/real-time/filters/sample target id                     TARGET ID
/settings/eventlog/real-time/filters/sample top syntax                    SYNTAX
/settings/eventlog/real-time/filters/sample warning                       WARNING FILTER

Samples

Realtime monitoring

Setting up real time monitoring can be a bit daunting for first time users, but it is not as difficult as it might seem.

The basic idea is depicted in the following figure.

We have a filter which listens for event log entries. Entries that match are turned into messages and statuses, which are then sent onward to various channels. On the other end of these channels is (hopefully) someone who is interested in the message.

In most cases the first channel you are interested in is NSCA, which is the default name the NSCAClient listens on. It will in turn forward all incoming messages to Nagios via NSCA.

So in short we need to configure three things:

1. Activate real time filtering
2. Add a filter which listens for events
3. Set up a destination

Enabling realtime filtering

To set up real time filtering we only need a single flag (as well as the eventlog module).

configuration:

[/modules]
CheckEventLog=enabled

[/.../]
enabled = 1

Adding this will not do much since we don't have a filter yet, but adding one is pretty simple as well, so let's go ahead and do that.

configuration:

[/...]

If we were to test this (and please do go ahead) we would start getting warnings on the console about no one listening to our events.

But now we end up in a strange situation: how can we actually test this configuration? How can we generate messages in the Windows event log? Fortunately NSClient++ can help us there as well.

Execute the following to insert an error into the event log:

...
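The walkthrough above leaves the section paths and the filter body out. The following is an added example, not part of the NSClient++ documentation or code base: it assembles the three pieces (module, real-time flag, filter with a destination) into one configuration using the section paths and key names from the reference tables later on this page, then lints that configuration for the mistakes the text warns about. The filter name "sample", the NSCA destination and the Nagios service name "eventlog" are assumptions; the config text itself is constructed for the example.

```python
# Added example, not NSClient++ code. Parses an NSClient++ style INI and checks
# the three walkthrough steps: module loaded, real-time enabled, and at least one
# filter that both matches something and has somewhere to send it.
import configparser

# Constructed sample config. Section paths and key names are those documented
# on this page; the filter name, destination and command name are assumptions.
SAMPLE_CONFIG = """
[/modules]
CheckEventLog=enabled
NSCAClient=enabled

[/settings/eventlog/real-time]
enabled=1
log=application,system
startup age=30m

[/settings/eventlog/real-time/filters/sample]
log=application
filter=level in ('warning', 'error', 'critical')
critical=level in ('error', 'critical')
warning=level = 'warning'
destination=NSCA
command=eventlog
maximum age=5m
top syntax=${status}: ${count} message(s) ${problem_list}
detail syntax=${source} (${message})
"""

REALTIME = "/settings/eventlog/real-time"
FILTERS_PREFIX = REALTIME + "/filters/"


def load_config(text):
    """Parse NSClient++ INI text. Interpolation is off because syntax strings
    use %(status)-style placeholders that configparser would otherwise expand."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def is_on(value):
    """Model the common spellings NSClient++ accepts for a boolean key."""
    return value.strip().lower() in ("1", "true", "enabled", "yes", "on")


def lint_realtime(cfg):
    """Return a list of problems; an empty list means the walkthrough is complete."""
    problems = []
    if not is_on(cfg.get("/modules", "CheckEventLog", fallback="0")):
        problems.append("CheckEventLog module is not enabled in [/modules]")
    if not is_on(cfg.get(REALTIME, "enabled", fallback="0")):
        problems.append("real-time checking is off ([%s] enabled)" % REALTIME)
    # Logs the background thread actually reads; a filter bound to another log never fires.
    enabled_logs = {l.strip().lower()
                    for l in cfg.get(REALTIME, "log", fallback="application,system").split(",")}

    # "default" is the template section on this page, not a live filter.
    filters = [s for s in cfg.sections()
               if s.startswith(FILTERS_PREFIX) and s != FILTERS_PREFIX + "default"]
    if not filters:
        problems.append("no filter defined under " + FILTERS_PREFIX)
    for sect in filters:
        if not cfg.get(sect, "filter", fallback="").strip():
            problems.append("[%s] has an empty filter, it will never match" % sect)
        # 'destination' and 'target' are documented as the same key; either satisfies it.
        dest = cfg.get(sect, "destination", fallback="") or cfg.get(sect, "target", fallback="")
        if not dest.strip():
            problems.append("[%s] has no destination; matches are dropped with a console warning" % sect)
        log = cfg.get(sect, "log", fallback="").strip().lower()
        if log and log != "all" and log not in enabled_logs:
            problems.append("[%s] filters log '%s' but real-time only reads %s"
                            % (sect, log, sorted(enabled_logs)))
    return problems


if __name__ == "__main__":
    for problem in lint_realtime(load_config(SAMPLE_CONFIG)):
        print("problem:", problem)
```

Drop the destination line from SAMPLE_CONFIG and the linter reports the same condition the text describes as "no one listening"; set enabled=0 and it reports that the background thread is off. Keep interpolation disabled whenever you parse NSClient++ files with configparser, since the %(status) form of the syntax keywords would otherwise be treated as a variable reference.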

Queries

A quick reference for all available queries (check commands) in the CheckEventLog module.

check_eventlog

Check for errors in the event log.

Usage:

Option            Default Value                                    Description
filter            level in ('warning', 'error', 'critical')        Filter which marks interesting items.
warning           level = 'warning', problem_count > 0             Filter which marks items which generate a warning state.
warn                                                               Short alias for warning
critical          level in ('error', 'critical')                   Filter which marks items which generate a critical state.
crit                                                               Short alias for critical.
ok                                                                 Filter which marks items which generate an ok state.
debug             N/A                                              Show debugging information in the log
show-all          N/A                                              Show details for all matches regardless of status (normally details are only shown for warnings and criticals).
empty-state       ok                                               Return status to use when nothing matched the filter.
perf-config       level(ignored:true)                              Performance data generation configuration
escape-html       N/A                                              Escape any < and > characters to prevent HTML encoding
help              N/A                                              Show help screen (this screen)
help-pb           N/A                                              Show help screen as a protocol buffer payload
show-default      N/A                                              Show default values for a given command
help-short        N/A                                              Show help screen (short format).
unique-index                                                       Unique syntax.
top-syntax        ${status}: ${count} message(s) ${problem_list}   Top level syntax.
ok-syntax         %(status): Event log seems fine                  ok syntax.
empty-syntax      %(status): No entries found                      Empty syntax.
detail-syntax     ${file} ${source} (${message})                   Detail level syntax.
perf-syntax       ${file}_${source}                                Performance alias syntax.
file                                                               File to read (can be specified multiple times to check multiple files).
log                                                                Same as file
scan-range                                                         Date range to scan.
truncate-message                                                   Maximum length of message for each event log message text.
unique            1                                                Shorthand for setting default unique index: ${log}-${source}-${id}.
filter (CheckEventLog, check_eventlog)
Filter which marks interesting items.
Interesting items are items which will be included in the check.
They do not denote warning or critical state instead it defines which items are relevant and you can remove unwanted items.
warning (CheckEventLog, check_eventlog)
Filter which marks items which generates a warning state.
If anything matches this filter the return status will be escalated to warning.
warn (CheckEventLog, check_eventlog)
Short alias for warning
critical (CheckEventLog, check_eventlog)
Filter which marks items which generates a critical state.
If anything matches this filter the return status will be escalated to critical.
crit (CheckEventLog, check_eventlog)
Short alias for critical.
ok (CheckEventLog, check_eventlog)
Filter which marks items which generates an ok state.
If anything matches this any previous state for this item will be reset to ok.
Available options:
Key Value
count Number of items matching the filter. Common option for all checks.
total Total number of items. Common option for all checks.
ok_count Number of items matched the ok criteria. Common option for all checks.
warn_count Number of items matched the warning criteria. Common option for all checks.
crit_count Number of items matched the critical criteria. Common option for all checks.
problem_count Number of items matched either warning or critical criteria. Common option for all checks.
list A list of all items which matched the filter. Common option for all checks.
ok_list A list of all items which matched the ok criteria. Common option for all checks.
warn_list A list of all items which matched the warning criteria. Common option for all checks.
crit_list A list of all items which matched the critical criteria. Common option for all checks.
problem_list A list of all items which matched either the critical or the warning criteria. Common option for all checks.
detail_list A special list with critical, then warning and finally ok. Common option for all checks.
status The returned status (OK/WARN/CRIT/UNKNOWN). Common option for all checks.
category TODO
computer Which computer generated the message
customer TODO
file The logfile name
guid The logfile name
id Eventlog id
keyword The keyword associated with this event
level Severity level (error, warning, info, success, auditSucess, auditFailure)
log alias for file
message The message rendered as a string.
provider Source system.
rawid Raw message id (contains many other fields all baked into a single number)
source Source system.
task The type of event (task)
type alias for level (old, deprecated)
written When the message was written to file
debug (CheckEventLog, check_eventlog)
Show debugging information in the log
show-all (CheckEventLog, check_eventlog)
Show details for all matches regardless of status (normally details are only showed for warnings and criticals).
empty-state (CheckEventLog, check_eventlog)
Return status to use when nothing matched filter.
If no filter is specified this will never happen unless the file is empty.
perf-config (CheckEventLog, check_eventlog)
Performance data generation configuration
TODO: obj(key: value; key: value) obj(key: value; key: value)
escape-html (CheckEventLog, check_eventlog)
Escape any < and > characters to prevent HTML encoding
help (CheckEventLog, check_eventlog)
Show help screen (this screen)
help-pb (CheckEventLog, check_eventlog)
Show help screen as a protocol buffer payload
show-default (CheckEventLog, check_eventlog)
Show default values for a given command
help-short (CheckEventLog, check_eventlog)
Show help screen (short format).
unique-index (CheckEventLog, check_eventlog)
Unique syntax.
Used to filter unique items (counts will still increase but messages will not be repeated). The available keywords are:
Key Value
category TODO
computer Which computer generated the message
customer TODO
file The logfile name
guid The logfile name
id Eventlog id
keyword The keyword associated with this event
level Severity level (error, warning, info, success, auditSucess, auditFailure)
log alias for file
message The message rendered as a string.
provider Source system.
rawid Raw message id (contains many other fields all baked into a single number)
source Source system.
task The type of event (task)
type alias for level (old, deprecated)
written When the message was written to file
top-syntax (CheckEventLog, check_eventlog)
Top level syntax.
Used to format the message to return can include text as well as special keywords which will include information from the checks.
To add a keyword to the message you can use two syntaxes, either ${keyword} or %(keyword) (there is no difference between them apart from ${} being difficult to escape on Linux).
The available keywords are:
Key Value
count Number of items matching the filter. Common option for all checks.
total Total number of items. Common option for all checks.
ok_count Number of items matched the ok criteria. Common option for all checks.
warn_count Number of items matched the warning criteria. Common option for all checks.
crit_count Number of items matched the critical criteria. Common option for all checks.
problem_count Number of items matched either warning or critical criteria. Common option for all checks.
list A list of all items which matched the filter. Common option for all checks.
ok_list A list of all items which matched the ok criteria. Common option for all checks.
warn_list A list of all items which matched the warning criteria. Common option for all checks.
crit_list A list of all items which matched the critical criteria. Common option for all checks.
problem_list A list of all items which matched either the critical or the warning criteria. Common option for all checks.
detail_list A special list with critical, then warning and finally ok. Common option for all checks.
status The returned status (OK/WARN/CRIT/UNKNOWN). Common option for all checks.
ok-syntax (CheckEventLog, check_eventlog)
ok syntax.
DEPRECATED! This is the syntax for when an ok result is returned.
This value will not be used if your syntax contains %(list) or %(count).
empty-syntax (CheckEventLog, check_eventlog)
Empty syntax.
DEPRECATED! This is the syntax for when nothing matches the filter.
Possible values are:
Key Value
count Number of items matching the filter. Common option for all checks.
total Total number of items. Common option for all checks.
ok_count Number of items matched the ok criteria. Common option for all checks.
warn_count Number of items matched the warning criteria. Common option for all checks.
crit_count Number of items matched the critical criteria. Common option for all checks.
problem_count Number of items matched either warning or critical criteria. Common option for all checks.
list A list of all items which matched the filter. Common option for all checks.
ok_list A list of all items which matched the ok criteria. Common option for all checks.
warn_list A list of all items which matched the warning criteria. Common option for all checks.
crit_list A list of all items which matched the critical criteria. Common option for all checks.
problem_list A list of all items which matched either the critical or the warning criteria. Common option for all checks.
detail_list A special list with critical, then warning and finally ok. Common option for all checks.
status The returned status (OK/WARN/CRIT/UNKNOWN). Common option for all checks.
detail-syntax (CheckEventLog, check_eventlog)
Detail level syntax.
Used to format each resulting item in the message.
%(list) will be replaced with all the items formatted by this syntax string in the top-syntax.
To add a keyword to the message you can use two syntaxes, either ${keyword} or %(keyword) (there is no difference between them apart from ${} being difficult to escape on Linux).
The available keywords are:
Key Value
category TODO
computer Which computer generated the message
customer TODO
file The logfile name
guid The logfile name
id Eventlog id
keyword The keyword associated with this event
level Severity level (error, warning, info, success, auditSucess, auditFailure)
log alias for file
message The message rendered as a string.
provider Source system.
rawid Raw message id (contains many other fields all baked into a single number)
source Source system.
task The type of event (task)
type alias for level (old, deprecated)
written When the message was written to file
perf-syntax (CheckEventLog, check_eventlog)
Performance alias syntax.
This is the syntax for the base names of the performance data.
Possible values are:
Key Value
category TODO
computer Which computer generated the message
customer TODO
file The logfile name
guid The logfile name
id Eventlog id
keyword The keyword associated with this event
level Severity level (error, warning, info, success, auditSucess, auditFailure)
log alias for file
message The message rendered as a string.
provider Source system.
rawid Raw message id (contains many other fields all baked into a single number)
source Source system.
task The type of event (task)
type alias for level (old, deprecated)
written When the message was written to file
file (CheckEventLog, check_eventlog)
File to read (can be specified multiple times to check multiple files.
Notice that specifying multiple files will create an aggregate set; you will not check each file individually. In other words, if one file contains an error the entire check will result in error.
log (CheckEventLog, check_eventlog)
Same as file
scan-range (CheckEventLog, check_eventlog)
Date range to scan.
A negative value scans backward (historical events) and a positive value scans forward (future events). This is the approximate date range to search through; it speeds up searching a lot, but there is no guarantee that messages are ordered.
truncate-message (CheckEventLog, check_eventlog)
Maximum length of message for each event log message text.
unique (CheckEventLog, check_eventlog)
Shorthand for setting default unique index: ${log}-${source}-${id}.
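The descriptions of filter, warning, critical, ok, unique-index and the syntax strings above are spread over several entries. The following is an added example, not NSClient++ code: a small Python model of how those pieces combine, fed constructed event records instead of a real event log. The filters are Python predicates rather than NSClient++ filter expressions (so the expression parser is not modelled), and the default predicates mirror the documented defaults: filter on warning/error/critical, warning on level = 'warning', critical on error/critical.

```python
# Added example, not NSClient++ code: models how check_eventlog combines its
# filter / warning / critical / ok filters, the unique index, and the
# top/detail/empty syntax strings. Event records are constructed below.
import re
from collections import OrderedDict

# Constructed records carrying the keywords the page lists. 'log' is an alias
# for 'file' on the page, so only 'file' is populated here.
EVENTS = [
    {"file": "application", "source": "MSSQLSERVER", "id": 18456, "level": "error",
     "message": "Login failed for user 'sa'."},
    {"file": "application", "source": "MSSQLSERVER", "id": 18456, "level": "error",
     "message": "Login failed for user 'sa'."},       # duplicate, collapsed by the unique index
    {"file": "system", "source": "Service Control Manager", "id": 7036, "level": "info",
     "message": "The Print Spooler service entered the running state."},
    {"file": "system", "source": "Disk", "id": 51, "level": "warning",
     "message": "An error was detected on device \\Device\\Harddisk0 during a paging operation."},
]

STATUS_RANK = {"OK": 0, "WARNING": 1, "CRITICAL": 2}


def render(syntax, values):
    """Expand ${key} and %(key) placeholders; the page treats both forms as equivalent."""
    return re.sub(r"\$\{(\w+)\}|%\((\w+)\)",
                  lambda m: str(values.get(m.group(1) or m.group(2), "")), syntax)


def check_eventlog(events,
                   filter_=lambda e: e["level"] in ("warning", "error", "critical"),
                   warning=lambda e: e["level"] == "warning",
                   critical=lambda e: e["level"] in ("error", "critical"),
                   ok=lambda e: False,
                   unique_index="${file}-${source}-${id}",
                   top_syntax="${status}: ${count} message(s) ${problem_list}",
                   detail_syntax="${file} ${source} (${message})",
                   empty_state="OK", empty_syntax="%(status): No entries found"):
    """Return (status, message, keywords) for one batch of event records."""
    seen = OrderedDict()
    for e in events:
        if not filter_(e):             # 'filter' decides relevance only, never status
            continue
        key = render(unique_index, e)
        if key in seen:                # still counted, but the message is not repeated
            seen[key]["n"] += 1
            continue
        state = "OK"
        if warning(e):
            state = "WARNING"
        if critical(e):                # critical escalates past warning
            state = "CRITICAL"
        if ok(e):                      # ok resets any escalation for this item
            state = "OK"
        seen[key] = {"event": e, "state": state, "n": 1}

    matched = list(seen.values())
    by_state = {s: [render(detail_syntax, m["event"]) for m in matched if m["state"] == s]
                for s in STATUS_RANK}
    kw = {"count": sum(m["n"] for m in matched), "total": len(events),
          "ok_count": len(by_state["OK"]), "warn_count": len(by_state["WARNING"]),
          "crit_count": len(by_state["CRITICAL"])}
    kw["problem_count"] = kw["warn_count"] + kw["crit_count"]
    if not matched:                    # nothing relevant: empty-state and empty-syntax apply
        kw["status"] = empty_state
        return empty_state, render(empty_syntax, kw), kw
    status = max((m["state"] for m in matched), key=STATUS_RANK.get)
    kw.update({"status": status,
               "list": ", ".join(by_state["CRITICAL"] + by_state["WARNING"] + by_state["OK"]),
               "ok_list": ", ".join(by_state["OK"]),
               "warn_list": ", ".join(by_state["WARNING"]),
               "crit_list": ", ".join(by_state["CRITICAL"]),
               "problem_list": ", ".join(by_state["CRITICAL"] + by_state["WARNING"])})
    return status, render(top_syntax, kw), kw


if __name__ == "__main__":
    status, message, _ = check_eventlog(EVENTS)
    print(status, "|", message)
```

With the defaults the batch returns CRITICAL with a count of 3 but only two detail lines, because the two identical MSSQLSERVER records share a unique index. Passing an ok predicate that matches the Disk warning (for instance an acknowledged, known-noisy event id) drops it back to OK without removing it from the count, which is the behaviour to expect when you tune the ok filter to suppress known noise rather than narrowing filter and silently losing the records.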

checkeventlog

Legacy version of check_eventlog

Usage:

Option        Default Value        Description
help          N/A                  Show help screen (this screen)
help-pb       N/A                  Show help screen as a protocol buffer payload
show-default  N/A                  Show default values for a given command
help-short    N/A                  Show help screen (short format).
MaxWarn                            Maximum value before a warning is returned.
MaxCrit                            Maximum value before a critical is returned.
MinWarn                            Minimum value before a warning is returned.
MinCrit                            Minimum value before a critical is returned.
warn                               Maximum value before a warning is returned.
crit                               Maximum value before a critical is returned.
filter                             The filter to use.
file                               The file to check
debug         1                    Show debugging information in the log
truncate                           Deprecated and has no meaning
descriptions  1                    Deprecated and has no meaning
unique        1
syntax        %source%, %strings%  The syntax string
top-syntax    ${list}              The top level syntax string
scan-range                         TODO
help (CheckEventLog, checkeventlog)
Show help screen (this screen)
help-pb (CheckEventLog, checkeventlog)
Show help screen as a protocol buffer payload
show-default (CheckEventLog, checkeventlog)
Show default values for a given command
help-short (CheckEventLog, checkeventlog)
Show help screen (short format).
MaxWarn (CheckEventLog, checkeventlog)
Maximum value before a warning is returned.
MaxCrit (CheckEventLog, checkeventlog)
Maximum value before a critical is returned.
MinWarn (CheckEventLog, checkeventlog)
Minimum value before a warning is returned.
MinCrit (CheckEventLog, checkeventlog)
Minimum value before a critical is returned.
warn (CheckEventLog, checkeventlog)
Maximum value before a warning is returned.
crit (CheckEventLog, checkeventlog)
Maximum value before a critical is returned.
filter (CheckEventLog, checkeventlog)
The filter to use.
file (CheckEventLog, checkeventlog)
The file to check
debug (CheckEventLog, checkeventlog)
Show debugging information in the log
truncate (CheckEventLog, checkeventlog)
Deprecated and has no meaning
descriptions (CheckEventLog, checkeventlog)
Deprecated and has no meaning
unique (CheckEventLog, checkeventlog)
syntax (CheckEventLog, checkeventlog)
The syntax string
top-syntax (CheckEventLog, checkeventlog)
The top level syntax string
scan-range (CheckEventLog, checkeventlog)
TODO

/settings/eventlog

/settings/eventlog (CheckEventLog)

EVENT LOG SECTION

Section for the EventLog Checker (CheckEventLog.dll).
Key           Default Value  Description
buffer size   131072         BUFFER_SIZE
debug         0              DEBUG
lookup names  1              LOOKUP NAMES
syntax                       SYNTAX

Sample:

# EVENT LOG SECTION
# Section for the EventLog Checker (CheckEventLog.dll).
[/settings/eventlog]
buffer size=131072
debug=0
lookup names=1
syntax=
buffer size (CheckEventLog, /settings/eventlog)

BUFFER_SIZE

The size of the buffer to use when getting messages; this affects the speed and the maximum size of messages you can receive.

Path: /settings/eventlog

Key: buffer size

Default value: 131072

Used by: CheckEventLog

Sample:

[/settings/eventlog]
# BUFFER_SIZE
buffer size=131072
debug (CheckEventLog, /settings/eventlog)

DEBUG

Log more information when filtering (useful to detect issues with filters); not useful in production as it is a bit of a resource hog.

Path: /settings/eventlog

Key: debug

Default value: 0

Used by: CheckEventLog

Sample:

[/settings/eventlog]
# DEBUG
debug=0
lookup names (CheckEventLog, /settings/eventlog)

LOOKUP NAMES

Lookup the names of eventlog files

Path: /settings/eventlog

Key: lookup names

Default value: 1

Used by: CheckEventLog

Sample:

[/settings/eventlog]
# LOOKUP NAMES
lookup names=1
syntax (CheckEventLog, /settings/eventlog)

SYNTAX

Set this to use a specific syntax string for all commands (that don't specify one).

Path: /settings/eventlog

Key: syntax

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog]
# SYNTAX
syntax=

… / real-time

/settings/eventlog/real-time (CheckEventLog)

CONFIGURE REALTIME CHECKING

A set of options to configure the real time checks
Key          Default Value       Description
debug        0                   DEBUG
enabled      0                   REAL TIME CHECKING
log          application,system  LOGS TO CHECK
startup age  30m                 STARTUP AGE

Sample:

# CONFIGURE REALTIME CHECKING
# A set of options to configure the real time checks
[/settings/eventlog/real-time]
debug=0
enabled=0
log=application,system
startup age=30m
debug (CheckEventLog, /settings/eventlog/real-time)

DEBUG

Log missed records (useful to detect issues with filters); not useful in production as it is a bit of a resource hog.

Path: /settings/eventlog/real-time

Key: debug

Default value: 0

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time]
# DEBUG
debug=0
enabled (CheckEventLog, /settings/eventlog/real-time)

REAL TIME CHECKING

Spawns a background thread which detects issues and reports them back instantly.

Path: /settings/eventlog/real-time

Key: enabled

Default value: 0

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time]
# REAL TIME CHECKING
enabled=0
log (CheckEventLog, /settings/eventlog/real-time)

LOGS TO CHECK

Comma separated list of logs to check

Path: /settings/eventlog/real-time

Key: log

Default value: application,system

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time]
# LOGS TO CHECK
log=application,system
startup age (CheckEventLog, /settings/eventlog/real-time)

STARTUP AGE

The initial age to scan when starting NSClient++

Path: /settings/eventlog/real-time

Key: startup age

Default value: 30m

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time]
# STARTUP AGE
startup age=30m

… / real-time / filters

/settings/eventlog/real-time/filters (CheckEventLog)

REALTIME FILTERS

A set of filters to use in real-time mode

Sample:

# REALTIME FILTERS
# A set of filters to use in real-time mode
[/settings/eventlog/real-time/filters]

… / real-time / filters / default

/settings/eventlog/real-time/filters/default (CheckEventLog)

REAL TIME FILTER DEFINITION

Definition for real time filter:
Key            Default Value              Description
command                                   COMMAND NAME
critical                                  CRITICAL FILTER
debug          0                          DEBUG
destination                               DESTINATION
detail syntax                             SYNTAX
empty message  eventlog found no records  EMPTY MESSAGE
escape html    0                          ESCAPE HTML
filter                                    FILTER
log                                       FILE
logs                                      FILES
maximum age    5m                         MAXIMUM AGE
ok                                        OK FILTER
ok syntax                                 SYNTAX
perf config                               PERF CONFIG
severity                                  SEVERITY
source id                                 SOURCE ID
target                                    DESTINATION
target id                                 TARGET ID
top syntax                                SYNTAX
warning                                   WARNING FILTER

Sample:

# REAL TIME FILTER DEFINITION
# Definition for real time filter:
[/settings/eventlog/real-time/filters/default]
command=
critical=
debug=0
destination=
detail syntax=
empty message=eventlog found no records
escape html=0
filter=
log=
logs=
maximum age=5m
ok=
ok syntax=
perf config=
severity=
source id=
target=
target id=
top syntax=
warning=
command (CheckEventLog, /settings/eventlog/real-time/filters/default)

COMMAND NAME

The name of the command (think Nagios service name) to report upstream (defaults to the alias if not set)

Path: /settings/eventlog/real-time/filters/default

Key: command

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# COMMAND NAME
command=
critical (CheckEventLog, /settings/eventlog/real-time/filters/default)

CRITICAL FILTER

If any rows match this filter the severity will be escalated to CRITICAL

Path: /settings/eventlog/real-time/filters/default

Key: critical

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# CRITICAL FILTER
critical=
debug (CheckEventLog, /settings/eventlog/real-time/filters/default)

DEBUG

Enable this to display debug information for this match filter

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/default

Key: debug

Default value: 0

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# DEBUG
debug=0
destination (CheckEventLog, /settings/eventlog/real-time/filters/default)

DESTINATION

The destination for intercepted messages

Path: /settings/eventlog/real-time/filters/default

Key: destination

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# DESTINATION
destination=
detail syntax (CheckEventLog, /settings/eventlog/real-time/filters/default)

SYNTAX

Format string for each matching record (the detail level syntax)

Path: /settings/eventlog/real-time/filters/default

Key: detail syntax

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# SYNTAX
detail syntax=
empty message (CheckEventLog, /settings/eventlog/real-time/filters/default)

EMPTY MESSAGE

The message to display if nothing matches the filter (generally considered the ok state).

Path: /settings/eventlog/real-time/filters/default

Key: empty message

Default value: eventlog found no records

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# EMPTY MESSAGE
empty message=eventlog found no records
escape html (CheckEventLog, /settings/eventlog/real-time/filters/default)

ESCAPE HTML

Escape HTML characters (< and >).

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/default

Key: escape html

Default value: 0

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# ESCAPE HTML
escape html=0
filter (CheckEventLog, /settings/eventlog/real-time/filters/default)

FILTER

Scan files for matching rows; for each matching row an OK message will be submitted

Path: /settings/eventlog/real-time/filters/default

Key: filter

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# FILTER
filter=
log (CheckEventLog, /settings/eventlog/real-time/filters/default)

FILE

The eventlog to filter on (if set to 'all' means all enabled logs)

Path: /settings/eventlog/real-time/filters/default

Key: log

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# FILE
log=
logs (CheckEventLog, /settings/eventlog/real-time/filters/default)

FILES

The eventlogs to filter on (if set to 'all' means all enabled logs)

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/default

Key: logs

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# FILES
logs=
maximum age (CheckEventLog, /settings/eventlog/real-time/filters/default)

MAXIMUM AGE

How long before reporting "ok".
If this is set to "false" no periodic ok messages will be reported, only errors.

Path: /settings/eventlog/real-time/filters/default

Key: maximum age

Default value: 5m

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# MAXIMUM AGE
maximum age=5m
ok (CheckEventLog, /settings/eventlog/real-time/filters/default)

OK FILTER

If any rows match this filter the severity will be de-escalated to OK

Path: /settings/eventlog/real-time/filters/default

Key: ok

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# OK FILTER
ok=
ok syntax (CheckEventLog, /settings/eventlog/real-time/filters/default)

SYNTAX

Format string for the ok message (the ok syntax)

Path: /settings/eventlog/real-time/filters/default

Key: ok syntax

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# SYNTAX
ok syntax=
perf config (CheckEventLog, /settings/eventlog/real-time/filters/default)

PERF CONFIG

Performance data configuration

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/default

Key: perf config

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# PERF CONFIG
perf config=
severity (CheckEventLog, /settings/eventlog/real-time/filters/default)

SEVERITY

The severity of this message (OK, WARNING, CRITICAL, UNKNOWN)

Path: /settings/eventlog/real-time/filters/default

Key: severity

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# SEVERITY
severity=
source id (CheckEventLog, /settings/eventlog/real-time/filters/default)

SOURCE ID

The name of the source system; the remote system will be used automatically if a remote system is called. Most sending systems will replace this with the current system's hostname if it is not present. So use this only if you need specific source systems for specific schedules and are not calling remote systems.

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/default

Key: source id

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# SOURCE ID
source id=
target (CheckEventLog, /settings/eventlog/real-time/filters/default)

DESTINATION

Same as destination

Path: /settings/eventlog/real-time/filters/default

Key: target

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# DESTINATION
target=
target id (CheckEventLog, /settings/eventlog/real-time/filters/default)

TARGET ID

The target to send the message to (will be resolved by the consumer)

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/default

Key: target id

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# TARGET ID
target id=
top syntax (CheckEventLog, /settings/eventlog/real-time/filters/default)

SYNTAX

Format string for the top-level message (the top syntax)

Path: /settings/eventlog/real-time/filters/default

Key: top syntax

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# SYNTAX
top syntax=
warning (CheckEventLog, /settings/eventlog/real-time/filters/default)

WARNING FILTER

If any rows match this filter the severity will be escalated to WARNING

Path: /settings/eventlog/real-time/filters/default

Key: warning

Default value:

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/default]
# WARNING FILTER
warning=

… / real-time / filters / sample

/settings/eventlog/real-time/filters/sample (CheckEventLog)

REAL TIME FILTER DEFINITION

Definition for real time filter:
Key            Default Value              Description
command                                   COMMAND NAME
critical                                  CRITICAL FILTER
debug          0                          DEBUG
destination                               DESTINATION
detail syntax                             SYNTAX
empty message  eventlog found no records  EMPTY MESSAGE
escape html    0                          ESCAPE HTML
filter                                    FILTER
log                                       FILE
logs                                      FILES
maximum age    5m                         MAXIMUM AGE
ok                                        OK FILTER
ok syntax                                 SYNTAX
perf config                               PERF CONFIG
severity                                  SEVERITY
source id                                 SOURCE ID
target                                    DESTINATION
target id                                 TARGET ID
top syntax                                SYNTAX
warning                                   WARNING FILTER

Sample:

# REAL TIME FILTER DEFINITION
# Definition for real time filter:
[/settings/eventlog/real-time/filters/sample]
command=
critical=
debug=0
destination=
detail syntax=
empty message=eventlog found no records
escape html=0
filter=
log=
logs=
maximum age=5m
ok=
ok syntax=
perf config=
severity=
source id=
target=
target id=
top syntax=
warning=
command (CheckEventLog, /settings/eventlog/real-time/filters/sample)

COMMAND NAME

The name of the command (think Nagios service name) to report upstream (defaults to the alias if not set)

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: command

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# COMMAND NAME
command=
critical (CheckEventLog, /settings/eventlog/real-time/filters/sample)

CRITICAL FILTER

If any rows match this filter, the severity will be escalated to CRITICAL

Path: /settings/eventlog/real-time/filters/sample

Key: critical

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# CRITICAL FILTER
critical=
debug (CheckEventLog, /settings/eventlog/real-time/filters/sample)

DEBUG

Enable this to display debug information for this match filter

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: debug

Default value: 0

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# DEBUG
debug=0
destination (CheckEventLog, /settings/eventlog/real-time/filters/sample)

DESTINATION

The destination for intercepted messages

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: destination

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# DESTINATION
destination=
detail syntax (CheckEventLog, /settings/eventlog/real-time/filters/sample)

SYNTAX

Format string for dates

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: detail syntax

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# SYNTAX
detail syntax=
empty message (CheckEventLog, /settings/eventlog/real-time/filters/sample)

EMPTY MESSAGE

The message to display if nothing matches the filter (generally considered the ok state).

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: empty message

Default value: eventlog found no records

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# EMPTY MESSAGE
empty message=eventlog found no records
escape html (CheckEventLog, /settings/eventlog/real-time/filters/sample)

ESCAPE HTML

Escape HTML characters (< and >).

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: escape html

Default value: 0

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# ESCAPE HTML
escape html=0
filter (CheckEventLog, /settings/eventlog/real-time/filters/sample)

FILTER

Scan files for matching rows; for each matching row an OK message will be submitted

Path: /settings/eventlog/real-time/filters/sample

Key: filter

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# FILTER
filter=
log (CheckEventLog, /settings/eventlog/real-time/filters/sample)

FILE

The event log to filter on (setting it to ‘all’ means all enabled logs)

Path: /settings/eventlog/real-time/filters/sample

Key: log

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# FILE
log=
logs (CheckEventLog, /settings/eventlog/real-time/filters/sample)

FILES

The event log to filter on (setting it to ‘all’ means all enabled logs)

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: logs

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# FILES
logs=
maximum age (CheckEventLog, /settings/eventlog/real-time/filters/sample)

MAXIMUM AGE

How long before reporting “ok”.
If this is set to “false”, no periodic ok messages will be reported, only errors.

Path: /settings/eventlog/real-time/filters/sample

Key: maximum age

Default value: 5m

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# MAXIMUM AGE
maximum age=5m
ok (CheckEventLog, /settings/eventlog/real-time/filters/sample)

OK FILTER

If any rows match this filter, the severity will be de-escalated to OK

Path: /settings/eventlog/real-time/filters/sample

Key: ok

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# OK FILTER
ok=
ok syntax (CheckEventLog, /settings/eventlog/real-time/filters/sample)

SYNTAX

Format string for dates

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: ok syntax

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# SYNTAX
ok syntax=
perf config (CheckEventLog, /settings/eventlog/real-time/filters/sample)

PERF CONFIG

Performance data configuration

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: perf config

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# PERF CONFIG
perf config=
severity (CheckEventLog, /settings/eventlog/real-time/filters/sample)

SEVERITY

The severity of this message (OK, WARNING, CRITICAL, UNKNOWN)

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: severity

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# SEVERITY
severity=
source id (CheckEventLog, /settings/eventlog/real-time/filters/sample)

SOURCE ID

The name of the source system; the remote system will automatically be used if a remote system is called. Most sending systems will replace this with the current system's hostname if it is not present, so use this only if you need specific source systems for specific schedules and are not calling remote systems.

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: source id

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# SOURCE ID
source id=
target (CheckEventLog, /settings/eventlog/real-time/filters/sample)

DESTINATION

Same as destination

Path: /settings/eventlog/real-time/filters/sample

Key: target

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# DESTINATION
target=
target id (CheckEventLog, /settings/eventlog/real-time/filters/sample)

TARGET ID

The target to send the message to (will be resolved by the consumer)

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: target id

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# TARGET ID
target id=
top syntax (CheckEventLog, /settings/eventlog/real-time/filters/sample)

SYNTAX

Format string for dates

Advanced (means it is not commonly used)

Path: /settings/eventlog/real-time/filters/sample

Key: top syntax

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# SYNTAX
top syntax=
warning (CheckEventLog, /settings/eventlog/real-time/filters/sample)

WARNING FILTER

If any rows match this filter, the severity will be escalated to WARNING

Path: /settings/eventlog/real-time/filters/sample

Key: warning

Default value:

Sample key: This key is provided as a sample to show how to configure objects

Used by: CheckEventLog

Sample:

[/settings/eventlog/real-time/filters/sample]
# WARNING FILTER
warning=