CheckEventLog
Check for errors and warnings in the event log.

Queries (Overview):

A list of all available queries (check commands)

Command Description
check_eventlog Check for errors in the event log.
checkeventlog Legacy version of check_eventlog

Commands (executable): TODO: Add command list

Configuration (Overview):

A list of all configuration options

Path / Section                        Key           Default value        Description
/settings/eventlog                    debug         0                    DEBUG
/settings/eventlog                    lookup names  1                    LOOKUP NAMES
/settings/eventlog                    buffer size   131072               BUFFER_SIZE
/settings/eventlog                    syntax        (empty)              SYNTAX
/settings/eventlog/real-time          debug         0                    DEBUG
/settings/eventlog/real-time          enabled       0                    REAL TIME CHECKING
/settings/eventlog/real-time          log           application,system   LOGS TO CHECK
/settings/eventlog/real-time          startup age   30m                  STARTUP AGE
/settings/eventlog/real-time/filters  (section)     (none)               REALTIME FILTERS

Queries

A quick reference for all available queries (check commands) in the CheckEventLog module.

check_eventlog

Check for errors in the event log.

Usage:

Option            Default value                                         Description
help              N/A                                                   Show help screen (this screen)
help-csv          N/A                                                   Show help screen as a comma separated list.
help-short        N/A                                                   Show help screen (short format).
debug             N/A                                                   Show debugging information in the log
show-all          N/A                                                   Show all matched items in the output, not only those in a warning or critical state
filter            N/A                                                   Filter which marks interesting items.
warning           N/A                                                   Filter which marks items that generate a warning state.
warn              N/A                                                   Short alias for warning
critical          N/A                                                   Filter which marks items that generate a critical state.
crit              N/A                                                   Short alias for critical.
ok                N/A                                                   Filter which marks items that generate an ok state.
empty-syntax      No matches                                            Message to display when nothing matched the filter.
empty-state       unknown                                               Return status to use when nothing matched the filter.
perf-config       N/A                                                   Performance data generation configuration
unique-index      N/A                                                   Unique syntax.
top-syntax        ${status}: ${problem_count}/${count} ${problem_list}  Top level syntax.
detail-syntax     ${file} ${source} (${message})                        Detail level syntax.
perf-syntax       ${file}_${source}                                     Performance alias syntax.
file              N/A                                                   File to read (can be specified multiple times to check multiple files).
scan-range        N/A                                                   Date range to scan.
truncate-message  N/A                                                   Maximum length of the message text of each event log record.
unique            1                                                     Shorthand for setting the default unique index: ${log}-${source}-${id}.

Arguments

help (CheckEventLog, check_eventlog)
Show help screen (this screen)
help-csv (CheckEventLog, check_eventlog)
Show help screen as a comma separated list.
This is useful for parsing the output in scripts and generate documentation etc
help-short (CheckEventLog, check_eventlog)
Show help screen (short format).
debug (CheckEventLog, check_eventlog)
Show debugging information in the log
show-all (CheckEventLog, check_eventlog)
Show all matched items in the output, not only the ones in a warning or critical state
filter (CheckEventLog, check_eventlog)
Filter which marks interesting items.
Interesting items are items which will be included in the check.
They do not by themselves denote a warning or critical state; they form the set that the warning, critical and ok filters are evaluated against. Use this filter to exclude unwanted items.
Available keys:
Key Value
category TODO
computer Which computer generated the message
customer TODO
file The logfile name
id Eventlog id
level Severity level (error, warning, info, success, auditSuccess, auditFailure)
log alias for file
message The message rendered as a string.
rawid Raw message id (contains many other fields all baked into a single number)
source Event source (the provider or application that wrote the record).
type alias for level (old, deprecated)
written When the message was written to the log
count Number of items matching the filter
total Total number of items
ok_count Number of items that matched the ok criteria
warn_count Number of items that matched the warning criteria
crit_count Number of items that matched the critical criteria
problem_count Number of items that matched either the warning or the critical criteria
list A list of all items which matched the filter
ok_list A list of all items which matched the ok criteria
warn_list A list of all items which matched the warning criteria
crit_list A list of all items which matched the critical criteria
problem_list A list of all items which matched either the critical or the warning criteria
status The returned status (OK/WARN/CRIT/UNKNOWN)


warning (CheckEventLog, check_eventlog)
Filter which marks items that generate a warning state.
If anything matches this filter the return status is escalated to warning.
Available keys: the same as for filter (see above).


warn (CheckEventLog, check_eventlog)
Short alias for warning
critical (CheckEventLog, check_eventlog)
Filter which marks items that generate a critical state.
If anything matches this filter the return status is escalated to critical.
Available keys: the same as for filter (see above).


crit (CheckEventLog, check_eventlog)
Short alias for critical.
ok (CheckEventLog, check_eventlog)
Filter which marks items that generate an ok state.
If an item matches this filter, any warning or critical state previously assigned to that item is reset to ok.
Available keys: the same as for filter (see above).


empty-syntax (CheckEventLog, check_eventlog)
Message to display when nothing matched the filter.
If no filter is specified this can only happen when the log is empty.
empty-state (CheckEventLog, check_eventlog)
Return status to use when nothing matched the filter.
If no filter is specified this can only happen when the log is empty.
Note that the default is unknown: a check whose filter matches nothing (for example a scan for failed logons on a quiet host) is reported as UNKNOWN rather than OK unless empty-state=ok is given explicitly.
perf-config (CheckEventLog, check_eventlog)
Performance data generation configuration
TODO: obj ( key: value; key: value) obj (key:value;key:value)
unique-index (CheckEventLog, check_eventlog)
Unique syntax.
Used to filter unique items: the counts still increase for every matching record, but an item whose rendered unique index has already been seen is not repeated in the message lists. Keys:
Key Value
%(category) TODO
%(computer) Which computer generated the message
%(customer) TODO
%(file) The logfile name
%(id) Eventlog id
%(level) Severity level (error, warning, info, success, auditSuccess, auditFailure)
%(log) alias for file
%(message) The message rendered as a string.
%(rawid) Raw message id (contains many other fields all baked into a single number)
%(source) Event source (the provider or application that wrote the record).
%(type) alias for level (old, deprecated)
%(written) When the message was written to the log
${count} Number of items matching the filter
${total} Total number of items
${ok_count} Number of items that matched the ok criteria
${warn_count} Number of items that matched the warning criteria
${crit_count} Number of items that matched the critical criteria
${problem_count} Number of items that matched either the warning or the critical criteria
${list} A list of all items which matched the filter
${ok_list} A list of all items which matched the ok criteria
${warn_list} A list of all items which matched the warning criteria
${crit_list} A list of all items which matched the critical criteria
${problem_list} A list of all items which matched either the critical or the warning criteria
${status} The returned status (OK/WARN/CRIT/UNKNOWN)

top-syntax (CheckEventLog, check_eventlog)
Top level syntax.
Used to format the returned message; it may contain literal text as well as the keywords listed under unique-index above (the %(key) fields of a single record and the ${count}, ${problem_list}, ${status} and similar aggregate fields).

detail-syntax (CheckEventLog, check_eventlog)
Detail level syntax.
This is the syntax of each item in the lists (${list}, ${problem_list} and so on) that top-syntax expands.
Possible values are the same keywords as listed under unique-index above.

perf-syntax (CheckEventLog, check_eventlog)
Performance alias syntax.
This is the syntax for the base names of the performance data.
Possible values are the same keywords as listed under unique-index above.

file (CheckEventLog, check_eventlog)
File to read (can be specified multiple times to check multiple files).
Notice that specifying multiple files creates one aggregate set; the files are not checked individually. In other words, if one file contains an error the entire check results in an error.
scan-range (CheckEventLog, check_eventlog)
Date range to scan.
This is the approximate date range to search through. It speeds up searching a lot, but because there is no guarantee that records are ordered, the boundary of the range is approximate rather than exact.
truncate-message (CheckEventLog, check_eventlog)
Maximum length of the message text of each event log record.
unique (CheckEventLog, check_eventlog)
Shorthand for setting the default unique index: ${log}-${source}-${id}.
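
The following nsclient.ini fragment is an added example and is not part of this page or of the NSClient++ project's own samples. It wires two check_eventlog queries into aliases so a monitoring server can call them by name. Everything it uses from the options above (file, scan-range, filter, warning, critical, empty-state, empty-syntax, unique, truncate-message, top-syntax, detail-syntax, the level values and the ${...} keywords) is documented on this page. What it assumes and this page does not document: the [/settings/external scripts/alias] section, the filter expression grammar (=, in (...), and, and relative times such as -24h) and the scan-range value form, all of which follow NSClient++'s general filter language; the Windows Security log and event id 4625 (failed logon) are Windows facts, and the thresholds 10/50 are constructed values for illustration.

```ini
# Added example: two check_eventlog aliases for nsclient.ini.
# Not taken from the NSClient++ documentation or samples.
# Assumed (not documented on the page this accompanies): the alias section
# name, the filter expression grammar (=, in, and, relative times like -24h)
# and the scan-range value form. Event id 4625 = Windows failed logon.
[/settings/external scripts/alias]

# Failed logons in the Security log over the last 24 hours.
# empty-state=ok matters: the documented default is unknown, so a host with
# no failed logons would otherwise be reported as UNKNOWN, not OK.
# unique collapses repeated ${log}-${source}-${id} triples in the lists, but
# the count used by the thresholds still covers every matching record.
eventlog_logon_failures = check_eventlog file=Security scan-range=-24h "filter=id = 4625 and level = 'auditFailure'" "warning=count > 10" "critical=count > 50" empty-state=ok "empty-syntax=no failed logons in 24h" unique "top-syntax=${status}: ${count} failed logons in 24h ${problem_list}" "detail-syntax=${written} ${source} (${id})"

# Errors and warnings in Application and System. Two file= arguments form one
# aggregate set (see the file option): an error in either log fails the check.
# truncate-message keeps long rendered messages from blowing up the output.
eventlog_errors = check_eventlog file=Application file=System scan-range=-24h "filter=level in ('error', 'warning')" "warning=level = 'warning'" "critical=level = 'error'" empty-state=ok "empty-syntax=no errors or warnings in 24h" unique truncate-message=200 "detail-syntax=${file}: ${source} ${id} (${message})"
```

Because scan-range is documented as approximate, a record written close to the 24-hour boundary may fall on either side of it from one run to the next; size the range so that a missed boundary record is tolerable, and rely on the warning and critical filters, not on the range, for the security decision.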

checkeventlog

Legacy version of check_eventlog

Usage:

Option Default value Description
help N/A Show help screen (this screen)
help-csv N/A Show help screen as a comma separated list.
help-short N/A Show help screen (short format).
MaxWarn N/A Maximum value before a warning is returned.
MaxCrit N/A Maximum value before a critical is returned.
MinWarn N/A Minimum value before a warning is returned.
MinCrit N/A Minimum value before a critical is returned.
warn N/A Maximum value before a warning is returned.
crit N/A Maximum value before a critical is returned.
filter N/A The filter to use.
file N/A The file to check
debug 1 Show debugging information in the log
truncate N/A Deprecated and has no meaning
descriptions 1 Deprecated and has no meaning
unique 1  
syntax %source%, %strings% The syntax string
top-syntax ${list} The top level syntax string
scan-range N/A TODO

Arguments

help (CheckEventLog, checkeventlog)
Show help screen (this screen)
help-csv (CheckEventLog, checkeventlog)
Show help screen as a comma separated list.
This is useful for parsing the output in scripts and generate documentation etc
help-short (CheckEventLog, checkeventlog)
Show help screen (short format).
MaxWarn (CheckEventLog, checkeventlog)
Maximum value before a warning is returned.
MaxCrit (CheckEventLog, checkeventlog)
Maximum value before a critical is returned.
MinWarn (CheckEventLog, checkeventlog)
Minimum value before a warning is returned.
MinCrit (CheckEventLog, checkeventlog)
Minimum value before a critical is returned.
warn (CheckEventLog, checkeventlog)
Maximum value before a warning is returned.
crit (CheckEventLog, checkeventlog)
Maximum value before a critical is returned.
filter (CheckEventLog, checkeventlog)
The filter to use.
file (CheckEventLog, checkeventlog)
The file to check
debug (CheckEventLog, checkeventlog)
Show debugging information in the log
truncate (CheckEventLog, checkeventlog)
Deprecated and has no meaning
descriptions (CheckEventLog, checkeventlog)
Deprecated and has no meaning
unique (CheckEventLog, checkeventlog)

syntax (CheckEventLog, checkeventlog)
The syntax string
top-syntax (CheckEventLog, checkeventlog)
The top level syntax string
scan-range (CheckEventLog, checkeventlog)
TODO

Configuration

A quick reference for all available configuration options in the CheckEventLog module.

... / real-time

/settings/eventlog/real-time (CheckEventLog)
Key Default Value Description
debug 0 DEBUG
enabled 0 REAL TIME CHECKING
log application,system LOGS TO CHECK
startup age 30m STARTUP AGE

Sample:

# CONFIGURE REALTIME CHECKING
# A set of options to configure the real time checks
[/settings/eventlog/real-time]
# DEBUG
# Log missed records (useful for detecting issues with filters); not useful in production as it is a bit of a resource hog.
debug=0
# REAL TIME CHECKING
# Spawns a background thread which detects issues and reports them back instantly.
enabled=0
# LOGS TO CHECK
# Comma separated list of logs to check
log=application,system
# STARTUP AGE
# The initial age to scan when starting NSClient++
startup age=30m

debug (CheckEventLog, /settings/eventlog/real-time)

DEBUG

Log missed records (useful for detecting issues with filters); not useful in production as it is a bit of a resource hog.

Path: /settings/eventlog/real-time

Key: debug

Default value: 0

Used by: CheckEventLog

Sample:

# DEBUG
# Log missed records (useful for detecting issues with filters); not useful in production as it is a bit of a resource hog.
[/settings/eventlog/real-time]
debug=0

enabled (CheckEventLog, /settings/eventlog/real-time)

REAL TIME CHECKING

Spawns a background thread which detects issues and reports them back instantly.

Path: /settings/eventlog/real-time

Key: enabled

Default value: 0

Used by: CheckEventLog

Sample:

# REAL TIME CHECKING
# Spawns a background thread which detects issues and reports them back instantly.
[/settings/eventlog/real-time]
enabled=0

log (CheckEventLog, /settings/eventlog/real-time)

LOGS TO CHECK

Comma separated list of logs to check

Path: /settings/eventlog/real-time

Key: log

Default value: application,system

Used by: CheckEventLog

Sample:

# LOGS TO CHECK
# Comma separated list of logs to check
[/settings/eventlog/real-time]
log=application,system

startup age (CheckEventLog, /settings/eventlog/real-time)

STARTUP AGE

The initial age to scan when starting NSClient++

Path: /settings/eventlog/real-time

Key: startup age

Default value: 30m

Used by: CheckEventLog

Sample:

# STARTUP AGE
# The initial age to scan when starting NSClient++
[/settings/eventlog/real-time]
startup age=30m

... / real-time / filters

/settings/eventlog/real-time/filters (CheckEventLog)

Sample:

# REALTIME FILTERS
# A set of filters to use in real-time mode
[/settings/eventlog/real-time/filters]
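
The fragment below is an added example, not the page's or the NSClient++ project's own configuration, showing how the real-time section and a filter subsection fit together to push audit failures as they happen instead of waiting for the next poll. The keys under [/settings/eventlog/real-time] (enabled, log, startup age, debug) are the ones documented on this page. The filter subsection name and its keys (filter, severity, destination, detail syntax) are assumptions based on NSClient++'s generic real-time filter layout; they are not documented on this page, and the destination additionally presumes an NSCA client module and target configured elsewhere in nsclient.ini. Verify the key names against your installed version before relying on them.

```ini
# Added example: real-time forwarding of Windows audit failures.
# Not taken from the NSClient++ documentation or samples.
# Documented on the page: enabled, log, startup age, debug.
# ASSUMED (verify against your version): the filters/<name> subsection and its
# keys filter, severity, destination, detail syntax; an NSCA target must exist.
[/settings/eventlog/real-time]
# Spawns the background reader thread (documented default is 0 = off).
enabled=1
# Watch only the logs you have filters for; each log listed is another reader.
log=Security,System
# Replay only the last 5 minutes at startup so an agent restart does not
# re-alert on half an hour of history (documented default is 30m).
startup age=5m
# debug=1 logs every record the filters did not match; useful while tuning a
# filter, but the page calls it a resource hog, so keep it off in production.
debug=0

[/settings/eventlog/real-time/filters/logon_failures]
# Same match as an on-demand check would use: level and id are documented keys.
filter=level = 'auditFailure' and id = 4625
severity=warning
destination=NSCA
detail syntax=${written} ${computer} ${source} (${id}) ${message}
```

Real-time mode reports each matching record as it arrives, so a burst of failed logons produces a burst of notifications rather than one aggregated count; if you need a threshold ("more than N in an hour"), keep the polled check_eventlog alias and use the real-time filter only for events that warrant immediate attention.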

...

/settings/eventlog (CheckEventLog)
Key Default Value Description
buffer size 131072 BUFFER_SIZE
debug 0 DEBUG
lookup names 1 LOOKUP NAMES
syntax   SYNTAX

Sample:

# EVENT LOG SECTION
# Section for the EventLog Checker (CheckEventLog.dll).
[/settings/eventlog]
# DEBUG
# Log more information when filtering (useful for detecting issues with filters); not useful in production as it is a bit of a resource hog.
debug=0
# LOOKUP NAMES
# Lookup the names of eventlog files
lookup names=1
# BUFFER_SIZE
# The size of the buffer to use when getting messages. This affects the speed and the maximum size of the messages you can receive.
buffer size=131072
# SYNTAX
# Set this to use a specific syntax string for all commands (that don't specify one).
syntax=

debug (CheckEventLog, /settings/eventlog)

DEBUG

Log more information when filtering (useful for detecting issues with filters); not useful in production as it is a bit of a resource hog.

Path: /settings/eventlog

Key: debug

Default value: 0

Used by: CheckEventLog

Sample:

# DEBUG
# Log more information when filtering (useful for detecting issues with filters); not useful in production as it is a bit of a resource hog.
[/settings/eventlog]
debug=0

lookup names (CheckEventLog, /settings/eventlog)

LOOKUP NAMES

Lookup the names of eventlog files

Path: /settings/eventlog

Key: lookup names

Default value: 1

Used by: CheckEventLog

Sample:

# LOOKUP NAMES
# Lookup the names of eventlog files
[/settings/eventlog]
lookup names=1

buffer size (CheckEventLog, /settings/eventlog)

BUFFER_SIZE

The size of the buffer to use when getting messages. This affects the speed and the maximum size of the messages you can receive.

Path: /settings/eventlog

Key: buffer size

Default value: 131072

Used by: CheckEventLog

Sample:

# BUFFER_SIZE
# The size of the buffer to use when getting messages. This affects the speed and the maximum size of the messages you can receive.
[/settings/eventlog]
buffer size=131072

syntax (CheckEventLog, /settings/eventlog)

SYNTAX

Set this to use a specific syntax string for all commands (that don’t specify one).

Path: /settings/eventlog

Key: syntax

Default value:

Used by: CheckEventLog

Sample:

# SYNTAX
# Set this to use a specific syntax string for all commands (that don't specify one).
[/settings/eventlog]
syntax=