2

In Nagios it is easy to check that a log message happened in the last 48 hours and sound an alarm.

But how can I configure Nagios so that it sounds an alarm when a message did not occur in the last 48 hours? Why is this so hard?

I'm using the "Check WMI Plus" plugin (no agent required) to check the event log on a Windows box.

buckley
  • 61
  • 7
  • Not to go too deep into things I don't use, but most of the Check WMI Plus documentation states that the queries are pretty similar to SQL, what's stopping you from doing a `Select` and testing the output? If it returns positive, great, if it returns negative, send an alarm. – NickW May 29 '13 at 11:42

3 Answers

2

I think the question is really about how to structure the WMI query so that it returns true when no results are returned. (I would add "WQL" or "WMI" or both as tags to the question).

One of the best ways to get some experience with WMI querying is to download the WMI Code Creator from Microsoft. Of course you have to run this on a Windows box, but you'll be able to zero in on the query you need to feed into the Nagios plugin using the GUI.

http://www.microsoft.com/en-us/download/confirmation.aspx?id=8572

The query language used for WMI is WMI Query Language (WQL); similar to SQL, you can query whether a particular event code exists within the last 48 hours. Here are some useful links about syntax that is acceptable for WQL.

WQL Keywords: link

WQL Operators: link

WQL Supported Date Formats: link

Namespace: root\CIMV2
Event Class: [depends on what you're looking for specifically]
TargetClass: Win32_NTLogEvent link

You'll be using the most common root\CIMV2 namespace, and the class you'll need is the Win32_NTLogEvent class to obtain the information you're looking for. The rest is just the structure of the query.

Since we don't know which particular event you're looking for there are a couple of properties you can use to change up the query.

Logfile = Which Event log do you want to look in? "Application" or "System" etc...
User = Who generated the event? "NT AUTHORITY\SYSTEM" or maybe you're looking for someone specifically.

You can narrow the query using the WHERE clause, just like in SQL, using the TimeGenerated property. TimeGenerated is in IntervalFormat (or UTC format) link.

Here is a quick guide on working with Dates and Times using WMI. link

WHERE DateDiff("hh",TimeGenerated,GetDate()) < 48

So to put all that together it should look something like this.

SELECT * FROM Win32_NTLogEvent WHERE EventCode=4001 
  AND DateDiff(hh,TimeGenerated,GetDate()) < 48

4001 is just a made-up number, look up the event ID for what you're wanting to query on. ;)

You can add additional AND statements to include properties to narrow the results as needed. This in addition to Phil's answer should get you where you need to be.

Lucretius
  • 459
  • 1
  • 4
  • 14
0

I don't have a lot of experience with WMI, so I'm not sure how the queries for getting things from the event log go, but assuming you can write that part (and you indicate that you can), you can use Check WMI Plus to set a lower threshold for the number of matching log messages with something like this:

[section check]
query=SELECT * FROM <your query here ...>
test=_ItemCount
display=_DisplayMsg||~|~| - ||
display=_ItemCount|#
perf=_ItemCount||Log Entries

With that in place, you can run check_wmi_plus.pl with -c 1: to return a CRITICAL status if fewer than one log entry is found. (More information about thresholds in Check WMI Plus is at "Can you show me some example warning/critical criteria?".)

asciiphil
  • 3,086
  • 3
  • 28
  • 53
  • Didn't have time to check your solution yet but the bounty was ending. Your answer addresses the Nagios part of the question so was the most relevant for me. – buckley Jun 04 '13 at 07:02
0

It's not hard. You can just combine your typical log check with the standard negate plugin to achieve this.

Keith
  • 4,637
  • 15
  • 25
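Added example, not code from any of the three answers above or from the Check WMI Plus project: it ties the answers together in one script. It builds a Win32_NTLogEvent query bounded to the last N hours (Lucretius's answer) using a literal CIM DATETIME value computed on the monitoring host rather than an in-query date function, evaluates the matched-row count against a Nagios threshold range such as the `-c 1:` from asciiphil's answer, and shows the OK/CRITICAL swap that the negate plugin from Keith's answer performs. The event rows, the event code 4001, the fixed "now" and the helper names are all constructed for the example; a real check would get the row count from check_wmi_plus.pl against the Windows host.

```python
from datetime import datetime, timedelta, timezone

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS_NAME = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Event logs a caller may select; anything else is rejected so the log name can
# never smuggle extra WQL into the query.
ALLOWED_LOGFILES = {"Application", "System", "Security"}


def dmtf_timestamp(dt):
    """Render an aware datetime in the CIM DATETIME form that Win32_NTLogEvent.TimeGenerated
    uses, e.g. 20130529120000.000000+000 (trailing field is the UTC offset in minutes)."""
    if dt.tzinfo is None:
        raise ValueError("an aware datetime is required")
    offset_min = int(dt.utcoffset().total_seconds() // 60)
    sign = "+" if offset_min >= 0 else "-"
    return f"{dt:%Y%m%d%H%M%S}.{dt.microsecond:06d}{sign}{abs(offset_min):03d}"


def build_query(event_code, hours, logfile="Application", now=None):
    """WQL for events with EventCode in `logfile` generated within the last `hours` hours.
    The lower bound is computed here and embedded as a DMTF literal."""
    if logfile not in ALLOWED_LOGFILES:
        raise ValueError(f"unsupported log file: {logfile!r}")
    now = now or datetime.now(timezone.utc)
    since = dmtf_timestamp(now - timedelta(hours=hours))
    return (f"SELECT * FROM Win32_NTLogEvent WHERE Logfile='{logfile}' "
            f"AND EventCode={int(event_code)} AND TimeGenerated>='{since}'")


# Constructed stand-ins for rows the WMI provider would return (all in UTC, offset +000).
SAMPLE_EVENTS = [
    {"Logfile": "Application", "EventCode": 4001, "TimeGenerated": "20130528120000.000000+000"},
    {"Logfile": "Application", "EventCode": 4001, "TimeGenerated": "20130525120000.000000+000"},
    {"Logfile": "System",      "EventCode": 4001, "TimeGenerated": "20130529000000.000000+000"},
]


def count_recent(rows, logfile, event_code, since):
    """Simulate the provider's row count. DMTF timestamps sharing one UTC offset
    sort lexically, so a plain string comparison is the same as a time comparison."""
    return sum(1 for r in rows
               if r["Logfile"] == logfile
               and r["EventCode"] == event_code
               and r["TimeGenerated"] >= since)


def range_violated(value, spec):
    """Nagios threshold range semantics: alert when value lies OUTSIDE [lo, hi],
    or INSIDE it when the spec starts with '@'. '10' means 0..10, '1:' means 1..inf,
    '~:10' means -inf..10, '10:20' means 10..20."""
    inside = spec.startswith("@")
    spec = spec.lstrip("@")
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = float("-inf") if lo_s == "~" else float(lo_s or 0)
        hi = float("inf") if hi_s == "" else float(hi_s)
    else:
        lo, hi = 0.0, float(spec)
    outside = value < lo or value > hi
    return not outside if inside else outside


def evaluate(item_count, warning=None, critical=None):
    """Map a matched-row count (_ItemCount) to a Nagios status; critical wins over warning."""
    if critical is not None and range_violated(item_count, critical):
        return CRITICAL
    if warning is not None and range_violated(item_count, warning):
        return WARNING
    return OK


def negate(status):
    """Default behaviour of the Nagios 'negate' plugin: swap OK and CRITICAL,
    leave WARNING and UNKNOWN untouched."""
    return {OK: CRITICAL, CRITICAL: OK}.get(status, status)


if __name__ == "__main__":
    NOW = datetime(2013, 5, 29, 12, 0, tzinfo=timezone.utc)   # constructed reference time
    query = build_query(4001, 48, "Application", now=NOW)
    since = query.split("TimeGenerated>='")[1].rstrip("'")
    n = count_recent(SAMPLE_EVENTS, "Application", 4001, since)
    print(query)
    # "-c 1:" alerts when fewer than one row matched, i.e. the event is missing
    print(f"{n} matching events in the last 48h ->", STATUS_NAME[evaluate(n, critical="1:")])
    # The inverse approach: a normal "did it happen" check run through negate
    print("negated presence check ->", STATUS_NAME[negate(evaluate(n, critical="~:0"))])
```

With the constructed rows only the 28 May Application event falls inside the 48-hour window ending 29 May 12:00 UTC, so `_ItemCount` is 1 and `-c 1:` yields OK; with no matching row it yields CRITICAL, which is exactly the "alert when the message did not occur" behaviour the question asks for.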