Cheshire Cat Computing • View topic - use of regex or filter in eventlog log agent

Cheshire Cat Computing
Software support and information

All times are UTC + 12 hours [ DST ]

PostPosted: Thu Nov 18, 2010 3:13 am 
User

Joined: Thu Nov 18, 2010 2:57 am
Posts: 5
Hi Steve,
of course it's possible that I'm a little bit stupid, but I can't set a working syntax in the regex / string field to avoid too many alerts in the Nagios console.

E.g. there are these warning messages which I try to filter out:

[warning] [eTrust ITM #137]: [Time 17.11.2010 14:21:34: ID 137: Computer XXX: Response 17.11.2010 14:21:54] The Vet signature is out of date. It has not been updated for 2 days.
[warning] [Print #8]: Printer XXX on YYYY (from ZZZZZZ) in session 2 was purged

Based on an older post from you I defined the following regex for NOT hinting (to filter out) these messages:

(eTrust|Print)

but it doesn't work. The perfect solution should be able to define the strings [eTrust ITM #137] and [Print #8].
Can you help me with an example?

Regards

PostPosted: Thu Nov 18, 2010 10:19 am 
Site Admin

Joined: Tue Jul 29, 2003 11:42 am
Posts: 3039
Location: Auckland, New Zealand
The match string is a Regular Expression, and is matched against the message as appears in the Windows eventlog, not the final message as sent to Nagios (which has additional information added for the eventstatus, eventSource and eventID).

Looking at your messages, it seems to me you could use "NOT eventsource 'eTrust ITM'" (you can only specify ONE source string) to avoid these, or maybe "NOT eventid '8,137'"?

Also, these are Warning messages, it may be that you can use the status checkboxes to match just Errors if that is what you want?

Alternatively, you could set up two higher priority filters that match eventsource 'eTrust ITM' and eventsource 'Print' (possibly with the appropriate eventIDs as well) and set the service status to '4 Ignore' which simply drops the message without forwarding it on.

Which method you use depends on which messages you want to be forwarded on to Nagios and with what status. If you can be more specific about your requirements here I can let you know what I thought would work best for you.

Steve

_________________
Steve Shipway
UNIX Systems, ITSS, University of Auckland, NZ
Woe unto them that rise up early in the morning... -- Isaiah 5:11

PostPosted: Thu Nov 18, 2010 10:08 pm 
User

Joined: Thu Nov 18, 2010 2:57 am
Posts: 5
Hi Steve,
thanks a lot for your fast answer.

I will try the alternative method with high-priority drop filters and come back with the (hopefully successful) results.

PostPosted: Sat Nov 20, 2010 2:17 am 
User

Joined: Thu Nov 18, 2010 2:57 am
Posts: 5
Hi Steve,

here I am again, without real success ... Of course, you have understood my goal correctly: to avoid too many alerts being forwarded from the Nagevlog Agent to Nagios, and to send these warnings / alerts to admins resp. supporters via e-mail.

What I have done since last time: first of all I installed v 1.9.2 and vcredist_x86 (yes, even here with the regedit mistake in the installation process, and I must use this version because of state level 4) and proved that it works without any filter or filter strings. Everything works as expected.

Here is the registry part ...

[HKEY_LOCAL_MACHINE\SOFTWARE\CheshireCat\Nagios\Filter7]
"filterDesc"="Fehler"
"eventLog"=dword:00000000
"eventLogName"="AllLogs"
"serviceName"="Fehler"
"ID"=""
"matchString"=""
"source"=""
"Information"=dword:00000000
"status"=dword:00000002
"Warning"=dword:00000000
"Error"=dword:00000001
"AuditSuccess"=dword:00000000
"AuditFailure"=dword:00000000
"notID"=dword:00000000
"notMatch"=dword:00000000
"notSource"=dword:00000000

Following this I created a "filter chain" and moved these two filters (registry part below) ahead of Filter 7.
Here is the registry part ...


[HKEY_LOCAL_MACHINE\SOFTWARE\CheshireCat\Nagios\Filter3]
"filterDesc"="DropFilter-1"
"eventLog"=dword:00000000
"eventLogName"="AllLogs"
"serviceName"="Fehler"
"ID"="9554"
"matchString"=""
"source"="MSExchangeIS"
"Information"=dword:00000000
"status"=dword:00000004
"Warning"=dword:00000001
"Error"=dword:00000001
"AuditSuccess"=dword:00000000
"AuditFailure"=dword:00000000
"notID"=dword:00000001
"notMatch"=dword:00000000
"notSource"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\CheshireCat\Nagios\Filter4]
"filterDesc"="DropFilter-2"
"eventLog"=dword:00000000
"eventLogName"="AllLogs"
"serviceName"="Warnungen"
"ID"="134,135,137"
"matchString"=""
"source"="eTrust"
"Information"=dword:00000000
"status"=dword:00000004
"Warning"=dword:00000001
"Error"=dword:00000001
"AuditSuccess"=dword:00000000
"AuditFailure"=dword:00000000
"notID"=dword:00000001
"notMatch"=dword:00000000
"notSource"=dword:00000001

So I hoped (of course, after a service restart ...) that all errors and warnings except "MSExchangeIS #9554" and "eTrust" (ITM) #134, #135 and #137 would be forwarded to Nagios by the NSCA daemon. But - surprise - nothing is forwarded to the NSCA agent. Then I removed the DropFilter chain and everything works well - of course with all errors and warnings.

You know, I am looking for a simple way to reduce specific warnings and errors from the Windows eventlog ...

PostPosted: Mon Nov 22, 2010 10:12 am 
Site Admin

Joined: Tue Jul 29, 2003 11:42 am
Posts: 3039
Location: Auckland, New Zealand
If you enable the 'debug' checkbox in the agent NSCA server settings, then it will log information as to which filter matches the incoming messages, and why. This will help to track down the problem.

Have you accidentally checked the 'not' boxes for the ID and source? This would make it match everything... e.g.
(NOT eventsource MSExchangeIS) AND (NOT eventID 9554)
this would match pretty much every message. If you are doing it this way, you should remove the 'NOT' checkboxes.

Steve


PostPosted: Tue Nov 23, 2010 3:04 am 
User

Joined: Thu Nov 18, 2010 2:57 am
Posts: 5
Hi Steve,
yes, the double negation was the mistake ...

Now, without the checkboxes and with the high-level "DropFilter" definition, everything works fine.

And I also found a trick to avoid the recognition with Agent 1.8.x. Simply setting the log level in the dropfilter definition to "OK" or "Undefined", and making a modification in the service-definition section of the Nagios services.cfg file to alert only for state "Warning" and "Critical", also gets good results.

Thanks again and best regards

PostPosted: Tue Nov 23, 2010 9:34 am 
Site Admin

Joined: Tue Jul 29, 2003 11:42 am
Posts: 3039
Location: Auckland, New Zealand
If you set the log level to 'OK' or 'Undefined' then this status will be sent to Nagios (and will possibly change the Nagios Service status), unlike the 'Ignore' status which sends nothing to Nagios. This may not be an issue, but could result in a critical message being overwritten with an OK or Unknown.

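Steve's three points in this thread (the match string is a regex applied to the raw eventlog text, not to the "[warning] [source #id]:" line sent to Nagios; a drop filter with both NOT boxes ticked becomes "(NOT source) AND (NOT id)" and matches nearly everything; a drop filter set to status OK instead of '4 Ignore' still sends a result and can overwrite a Critical in Nagios) can be checked against a small model of the filter chain. This is an added example, not code from the thread or from the Cheshire Cat agent: first-match evaluation order, case-insensitive substring matching on the source, the "Warnungen" catch-all filter and the last two sample events are assumptions made for the example; the Print and eTrust messages are the ones posted above, translated (the eTrust one shortened).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Nagios status codes as the agent's "status" registry value uses them; 4 = Ignore drops the event.
OK, WARNING, CRITICAL, IGNORE = 0, 1, 2, 4


@dataclass
class Event:
    source: str      # eventSource as stored in the Windows eventlog, e.g. "eTrust ITM"
    event_id: int
    level: str       # "Information", "Warning", "Error", "AuditSuccess" or "AuditFailure"
    message: str     # message text exactly as it appears in the eventlog


@dataclass
class Filter:
    desc: str
    service: str                    # "serviceName": Nagios service the result goes to
    status: int                     # "status" sent to Nagios; IGNORE sends nothing
    levels: Set[str]                # the Information/Warning/Error/... checkboxes
    ids: Optional[Set[int]] = None  # "ID", e.g. "134,135,137"
    source: Optional[str] = None    # "source"
    match: Optional[str] = None     # "matchString", a regular expression
    not_id: bool = False            # the three NOT checkboxes
    not_source: bool = False
    not_match: bool = False

    def matches(self, ev: Event) -> bool:
        """Every configured criterion must hold; a NOT box inverts only its own
        criterion, so two ticked NOT boxes give (NOT source) AND (NOT id)."""
        if ev.level not in self.levels:
            return False
        ok = True
        if self.ids is not None:
            ok &= (ev.event_id in self.ids) != self.not_id
        if self.source is not None:  # assumption: case-insensitive substring match
            ok &= (self.source.lower() in ev.source.lower()) != self.not_source
        if self.match is not None:   # the regex sees the raw eventlog text, not final_message()
            ok &= bool(re.search(self.match, ev.message)) != self.not_match
        return ok


def final_message(ev: Event) -> str:
    """The line the agent forwards to Nagios, in the format quoted in the thread."""
    return f"[{ev.level.lower()}] [{ev.source} #{ev.event_id}]: {ev.message}"


def regex_hits(pattern: str, ev: Event) -> Tuple[bool, bool]:
    """(hit on the raw eventlog message, hit on the final Nagios message)."""
    return bool(re.search(pattern, ev.message)), bool(re.search(pattern, final_message(ev)))


def first_match(chain: List[Filter], ev: Event) -> Optional[Filter]:
    """Assumption: filters are tried in priority order and the first match wins."""
    return next((f for f in chain if f.matches(ev)), None)


def forwarded(chain: List[Filter], events: List[Event]) -> List[Tuple[str, int, str, int]]:
    """(source, id, service, status) for every event that actually reaches Nagios."""
    out = []
    for ev in events:
        f = first_match(chain, ev)
        if f is not None and f.status != IGNORE:
            out.append((ev.source, ev.event_id, f.service, f.status))
    return out


def nagios_states(chain: List[Filter], events: List[Event]) -> Dict[str, int]:
    """Passive-check state per service after the results arrive in order; a later OK
    overwrites an earlier Critical, which is the problem Steve points out."""
    state: Dict[str, int] = {}
    for _, _, service, status in forwarded(chain, events):
        state[service] = status
    return state


# Constructed sample events: the first two are the thread's messages (translated, the
# eTrust one shortened), the last two are invented for this example.
EVENTS = [
    Event("Print", 8, "Warning", "Printer XXX on YYYY (from ZZZZZZ) in session 2 was purged"),
    Event("eTrust ITM", 137, "Warning", "[Time 17.11.2010 14:21:34: ID 137: Computer XXX] "
          "The Vet signature is out of date. It has not been updated for 2 days."),
    Event("Service Control Manager", 7034, "Error", "The Server service terminated unexpectedly."),
    Event("MSExchangeIS", 9554, "Warning", "Unable to update Mailbox SD in the DS."),
]


def build_chain(not_boxes: bool, drop_status: int = IGNORE) -> List[Filter]:
    """The thread's DropFilter-1/-2 ahead of the catch-all filters. The "Warnungen"
    catch-all (Warnings -> Warning) is assumed; the thread only shows "Fehler"."""
    both = {"Warning", "Error"}
    return [
        Filter("DropFilter-1", "Fehler", drop_status, both, ids={9554},
               source="MSExchangeIS", not_id=not_boxes, not_source=not_boxes),
        Filter("DropFilter-2", "Warnungen", drop_status, both, ids={134, 135, 137},
               source="eTrust", not_id=not_boxes, not_source=not_boxes),
        Filter("Fehler", "Fehler", CRITICAL, {"Error"}),
        Filter("Warnungen", "Warnungen", WARNING, {"Warning"}),
    ]


if __name__ == "__main__":
    print("(eTrust|Print) on raw / final eTrust message:", regex_hits("(eTrust|Print)", EVENTS[1]))
    print("NOT boxes ticked, forwarded:", forwarded(build_chain(True), EVENTS))
    print("NOT boxes cleared, forwarded:", forwarded(build_chain(False), EVENTS))
    print("drop status OK instead of Ignore:", nagios_states(build_chain(False, OK), EVENTS))
```

With the NOT boxes ticked, every sample event is swallowed by one of the two drop filters and nothing reaches Nagios, which is exactly the "nothing will be forwarded" symptom reported above; with the boxes cleared, only the Print warning and the Service Control Manager error get through. Swapping the drop status from Ignore to OK makes the eTrust and MSExchangeIS events send OK results that reset the "Warnungen" and "Fehler" services after a real problem was reported on them, so the Nagios-side "only alert on Warning/Critical" workaround hides the flap but still loses state. The `(eTrust|Print)` regex check shows why the original match string never fired: the source tag only exists in the line the agent builds, not in the eventlog text it matches against.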

PostPosted: Tue Nov 23, 2010 8:11 pm 
User

Joined: Thu Nov 18, 2010 2:57 am
Posts: 5
Hi Steve,
of course, but if you are forwarding your alerts/warnings via e-mail as the priority alerting procedure you can neglect this. Now there is a lot of work for me to adapt all the specifics in our configuration. But first of all I will try different filter settings to understand this better ...
