0

I am using the basic NRPE plugins for Nagios to passively monitor Windows Eventlog. The plugin allows for an EventID exception list as a command argument. So, for instance, I can block any event that has an EventID of 1024.

Of course, this doesn't look at the source of the event.

What I am wondering about is the chance of two Sources using the same EventID. Some spot checking (googling the EventID) has found only uniqueness, so it might be an acceptable risk, but I would like your thoughts. Have you ever come across two sources that use the same EventID?

MattUebel
  • Here's your answer - https://www.google.com/#output=search&sclient=psy-ab&q=event+id+1024&oq=event+id+1024&gs_l=hp.3..0l4.1444.4456.0.4673.13.12.0.1.1.0.142.1027.10j2.12.0....0...1c.1.23.psy-ab..0.13.975.JiBlfw612z4&pbx=1&bav=on.2,or.r_cp.r_qf.&bvm=bv.49967636,d.dmg&fp=6acc75de4afeeb84&biw=1680&bih=910 – joeqwerty Jul 31 '13 at 13:11
  • Have you ever come across two sources that use the same EventID? – MattUebel Jul 31 '13 at 15:01
  • My Google link shows at least four Sources that generate Event ID 1024, as just one example. – joeqwerty Jul 31 '13 at 16:49

1 Answer

2

There's no restriction on event sources using any ID the programmer decides. To give a concrete example, my ts_block script (source "ts_block"), for example, uses event IDs 1, 2, 3, 256, and 257. A search of those event IDs in a public event database (like-- and I hold my nose as I say this-- eventid.net) will show you many, many other sources that use these same event IDs.

If you're comparing only on the event ID then you're not comparing on enough.

Evan Anderson
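The answer's point as an added example (not code from the answer, from ts_block, or from the NRPE plugin): it compares an ID-only exclusion list with one keyed on source and ID together, and reports which events the ID-only list would silently hide. The event records are constructed, and every source name other than `ts_block` is hypothetical.

```python
from collections import defaultdict

# Constructed sample events, not real log data. "ts_block" and the IDs 1, 256
# and 1024 appear on the page; the other source names and all messages are
# hypothetical placeholders.
EVENTS = [
    {"source": "ts_block", "id": 1, "level": "Information", "msg": "routine notice"},
    {"source": "ts_block", "id": 256, "level": "Information", "msg": "routine notice"},
    {"source": "ExampleBackupAgent", "id": 1, "level": "Error", "msg": "backup job failed"},
    {"source": "ExampleDbService", "id": 256, "level": "Warning", "msg": "log volume nearly full"},
    {"source": "ExampleDbService", "id": 1024, "level": "Information", "msg": "service started"},
]

def keep_by_id(events, excluded_ids):
    """ID-only exclusion, as in the question: drop any event whose ID is listed."""
    return [e for e in events if e["id"] not in excluded_ids]

def keep_by_source_and_id(events, excluded_pairs):
    """Drop an event only when both its source and its ID match an exclusion."""
    excluded = set(excluded_pairs)
    return [e for e in events if (e["source"], e["id"]) not in excluded]

def shared_ids(events):
    """Map each event ID to its sources, keeping only IDs used by 2+ sources."""
    by_id = defaultdict(set)
    for e in events:
        by_id[e["id"]].add(e["source"])
    return {i: sorted(s) for i, s in by_id.items() if len(s) > 1}

def collateral(events, excluded_pairs):
    """Events an ID-only list hides although their source was never excluded."""
    ids = {i for _, i in excluded_pairs}
    kept_by_id = keep_by_id(events, ids)
    return [e for e in keep_by_source_and_id(events, excluded_pairs)
            if e not in kept_by_id]

if __name__ == "__main__":
    # Intent: silence only the routine ts_block events.
    pairs = [("ts_block", 1), ("ts_block", 256)]
    print("IDs shared by several sources:", shared_ids(EVENTS))
    for e in collateral(EVENTS, pairs):
        print("hidden by ID-only filter:", e["source"], e["id"], e["level"])
```

Running `shared_ids` over an export of a host's real event log before adding an ID to an exception list shows whether that ID is safe to exclude on its own.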