How to monitor Microsoft Windows Eventlog ID
Introduction
In Microsoft Windows, almost all events are logged to the event log. This “how-to” describes the process for monitoring a specific event log ID, which can help you detect changes and behaviour patterns on your system.
NSClient++ 0.4.4.15
Prerequisites
- The NSClient++ monitoring agent version 0.4.4.15 or higher installed on the target host
- Permissions to add check commands and services in op5 Monitor
Adding the check command
- Hover over the “Manage” menu and select “Configure”
- Click on “Commands” in the “Core Configuration” section
- Add a new command with the following settings:
| Option | Value |
|---|---|
| command_name | check_nrpe_windows_eventlog_id |
| command_line | $USER1$/check_nrpe -s -H $HOSTADDRESS$ -c check_eventlog -a file="$ARG1$" "warning=count = $ARG2$" "critical=count = $ARG3$" "filter=source like '$ARG4$' AND id = '$ARG5$'" unique truncate-message=300 'top-syntax=The status is: ${status}: with ${count} entries matching the ID the last 24h Log message:"${list}"' |
- Click the “Submit” button and save the configuration changes.
Using the check command in a service
The check command that we created above takes 5 user-supplied arguments:
| Argument | Description |
|---|---|
| $ARG1$ | Log Name (“Application”, “Security”, “System”, “Directory Service”, “DFS Replication” or similar) |
| $ARG2$ | Warning threshold for number of events |
| $ARG3$ | Critical threshold for number of events |
| $ARG4$ | Event Source (“ActiveDirectory_DomainService”, “DFSR”, “ADWS” or similar) |
| $ARG5$ | Event ID to match against |
Example use case 1
In the following example we will add a service that monitors the event ID reporting that Active Directory Web Services doesn’t have a valid TLS certificate. This event has the ID “1400” and is located in the “Active Directory Web Services” file.
Configuration instructions:
- Open up your target host in the configuration utility, go to the services section and select “Add new service”.
- Change the following configuration options:
| Option | Value |
|---|---|
| service_description | Active Directory Web Services TLS Certificate |
| check_command | check_nrpe_windows_eventlog_id |
| check_command_args | Active Directory Web Services!1!2!ADWS!1400 |
- Click on the “Submit” button and save the configuration changes
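The following Python example is added here and is not part of the op5 documentation: it expands the `check_command_args` string from use case 1 into the arguments that `check_nrpe` receives, after validating the five fields so that a stray quote cannot change the event log filter. The host address 192.0.2.10 and the allowed-character set are assumptions made for the example, and `$USER1$` is left unexpanded.

```python
import re
import shlex

# command_line exactly as defined for check_nrpe_windows_eventlog_id above
COMMAND_LINE = (
    '$USER1$/check_nrpe -s -H $HOSTADDRESS$ -c check_eventlog -a file="$ARG1$" '
    '"warning=count = $ARG2$" "critical=count = $ARG3$" '
    '"filter=source like \'$ARG4$\' AND id = \'$ARG5$\'" unique truncate-message=300 '
    "'top-syntax=The status is: ${status}: with ${count} entries matching the ID "
    'the last 24h Log message:"${list}"\''
)

# Assumption of this example: log names and event sources only need these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9 _./-]+")
NUMBER = re.compile(r"[0-9]+")


def expand(check_command_args, host_address):
    """Validate the '!'-separated arguments and return the argv the shell would build."""
    args = check_command_args.split("!")
    if len(args) != 5:
        raise ValueError(f"expected 5 arguments, got {len(args)}")
    log_name, warning, critical, source, event_id = args
    for macro, value in (("$ARG2$", warning), ("$ARG3$", critical), ("$ARG5$", event_id)):
        if not NUMBER.fullmatch(value):
            raise ValueError(f"{macro} must be a number, got {value!r}")
    for macro, value in (("$ARG1$", log_name), ("$ARG4$", source)):
        if not SAFE_NAME.fullmatch(value):
            raise ValueError(f"{macro} contains characters that break quoting: {value!r}")
    line = COMMAND_LINE.replace("$HOSTADDRESS$", host_address)
    for number, value in enumerate(args, start=1):
        line = line.replace(f"$ARG{number}$", value)
    # shlex applies POSIX shell quoting rules without expanding ${...} or $USER1$
    return shlex.split(line)


if __name__ == "__main__":
    # Constructed input: use case 1 arguments and a documentation-range address
    for token in expand("Active Directory Web Services!1!2!ADWS!1400", "192.0.2.10"):
        print(repr(token))
```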
Additional information
For more advanced information, see the NSClient++ 0.4.4 check_eventlog documentation