CheckEventLog

Check for errors and warnings in the event log.

List of commands

A list of all available queries (check commands)

Command	Description
check_eventlog	Check for errors in the event log.
checkeventlog	Legacy version of check_eventlog

List of Configuration

Common Keys

Path / Section	Key	Description
/settings/eventlog	[buffer size](#/settings/eventlog_buffer size)	BUFFER_SIZE
/settings/eventlog	debug	DEBUG
/settings/eventlog	[lookup names](#/settings/eventlog_lookup names)	LOOKUP NAMES
/settings/eventlog	syntax	SYNTAX
/settings/eventlog/real-time	debug	DEBUG
/settings/eventlog/real-time	enabled	REAL TIME CHECKING
/settings/eventlog/real-time	log	LOGS TO CHECK
/settings/eventlog/real-time	[startup age](#/settings/eventlog/real-time_startup age)	STARTUP AGE
/settings/eventlog/real-time/filters/default	command	COMMAND NAME
/settings/eventlog/real-time/filters/default	critical	CRITICAL FILTER
/settings/eventlog/real-time/filters/default	destination	DESTINATION
/settings/eventlog/real-time/filters/default	[detail syntax](#/settings/eventlog/real-time/filters/default_detail syntax)	SYNTAX
/settings/eventlog/real-time/filters/default	[empty message](#/settings/eventlog/real-time/filters/default_empty message)	EMPTY MESSAGE
/settings/eventlog/real-time/filters/default	filter	FILTER
/settings/eventlog/real-time/filters/default	log	FILE
/settings/eventlog/real-time/filters/default	[maximum age](#/settings/eventlog/real-time/filters/default_maximum age)	MAGIMUM AGE
/settings/eventlog/real-time/filters/default	ok	OK FILTER
/settings/eventlog/real-time/filters/default	[ok syntax](#/settings/eventlog/real-time/filters/default_ok syntax)	SYNTAX
/settings/eventlog/real-time/filters/default	severity	SEVERITY
/settings/eventlog/real-time/filters/default	target	DESTINATION
/settings/eventlog/real-time/filters/default	[top syntax](#/settings/eventlog/real-time/filters/default_top syntax)	SYNTAX
/settings/eventlog/real-time/filters/default	warning	WARNING FILTER

Advanced keys

Path / Section	Key	Description
/settings/eventlog/real-time/filters/default	debug	DEBUG
/settings/eventlog/real-time/filters/default	[escape html](#/settings/eventlog/real-time/filters/default_escape html)	ESCAPE HTML
/settings/eventlog/real-time/filters/default	logs	FILES
/settings/eventlog/real-time/filters/default	[perf config](#/settings/eventlog/real-time/filters/default_perf config)	PERF CONFIG
/settings/eventlog/real-time/filters/default	[source id](#/settings/eventlog/real-time/filters/default_source id)	SOURCE ID
/settings/eventlog/real-time/filters/default	[target id](#/settings/eventlog/real-time/filters/default_target id)	TARGET ID

Sample keys

Path / Section	Key	Description
/settings/eventlog/real-time/filters/sample	command	COMMAND NAME
/settings/eventlog/real-time/filters/sample	critical	CRITICAL FILTER
/settings/eventlog/real-time/filters/sample	debug	DEBUG
/settings/eventlog/real-time/filters/sample	destination	DESTINATION
/settings/eventlog/real-time/filters/sample	[detail syntax](#/settings/eventlog/real-time/filters/sample_detail syntax)	SYNTAX
/settings/eventlog/real-time/filters/sample	[empty message](#/settings/eventlog/real-time/filters/sample_empty message)	EMPTY MESSAGE
/settings/eventlog/real-time/filters/sample	[escape html](#/settings/eventlog/real-time/filters/sample_escape html)	ESCAPE HTML
/settings/eventlog/real-time/filters/sample	filter	FILTER
/settings/eventlog/real-time/filters/sample	log	FILE
/settings/eventlog/real-time/filters/sample	logs	FILES
/settings/eventlog/real-time/filters/sample	[maximum age](#/settings/eventlog/real-time/filters/sample_maximum age)	MAGIMUM AGE
/settings/eventlog/real-time/filters/sample	ok	OK FILTER
/settings/eventlog/real-time/filters/sample	[ok syntax](#/settings/eventlog/real-time/filters/sample_ok syntax)	SYNTAX
/settings/eventlog/real-time/filters/sample	[perf config](#/settings/eventlog/real-time/filters/sample_perf config)	PERF CONFIG
/settings/eventlog/real-time/filters/sample	severity	SEVERITY
/settings/eventlog/real-time/filters/sample	[source id](#/settings/eventlog/real-time/filters/sample_source id)	SOURCE ID
/settings/eventlog/real-time/filters/sample	target	DESTINATION
/settings/eventlog/real-time/filters/sample	[target id](#/settings/eventlog/real-time/filters/sample_target id)	TARGET ID
/settings/eventlog/real-time/filters/sample	[top syntax](#/settings/eventlog/real-time/filters/sample_top syntax)	SYNTAX
/settings/eventlog/real-time/filters/sample	warning	WARNING FILTER

Usage

To edit the usage section please edit this page

Monitoring event-log

Monitoring the event-log is a single command away in the form of check_eventlog. The default command will monitor the application/system/security logs which usually have the generic errors.

check_eventlog
L        cli CRITICAL: CRITICAL: 5 message(s) Application Bonjour Service (Task Scheduling Error: ... e DNS-servrarna svarade.)
L        cli  Performance data: 'problem_count'=5;0;0

Time and date

The default time frame is 24 hours. This can be configured via the scan-range which specifies the number of hours from now to look. This might seem a bit off at first but all date and time ranges which reflect past times are "negative" in NSClient++. Thus the default is: check_eventlog scan-range=-24h

If you instead wish to check the past week you would change this to: check_eventlog scan-range=-1w

The other option you can use for defining time is the filter keyword written. This can be used much the same but is used if you wish to use the time in the filter so you still need to specify scan-range. But if you for instance want to get an error if the message is 24 hours old and a warning if it is 1 week you would do:

check_eventlog scan-range=-1w "warn=count gt 0" "critical=written > -24h"

Checking for specific messages

There are many ways to find messages but the optimum solution is to filter on log, source (provider), and id. This is as this combination is guaranteed to be unique and still quick to look for. Another option it so look for messages which will obviously work as well but it will be magnitudes slower in terms of performance.

To find the source and event id you can easily look at the messages property in the event viewer.

With this information in hand we can easily create a filter for a specific message like so:

check_eventlog "filter=provider = 'Microsoft-Windows-Security-SPP' and id = 903"

Sometimes, rarely, the message is important and then it is best to add that as a last check to the above filter as it will be faster.

check_eventlog "filter=provider = 'Microsoft-Windows-Security-SPP' and id = 903 and message like 'foo'"

Modern windows (channels)

Since version 0.4.2 NSClient++ has had the ability to check all logs on modern windows machines. This works out of the box and you specify the path of the channel you want to look for with the file command. A slight snag here is that the separator for "folders" is - not \ r / as one might expect this is unfortunately a windows flaw most likely related to the fact that event logs can also be read from the file system.

A simple way to find the actual name of an event log channel is to view its properties (right-click the channel and click properties):

check_eventlog scan-range=-100w show-all filter=none "file=Microsoft-Windows-AAD/Operational"

Checking for non errors

The default filters are filtering out only warnings, errors and critical messages:

Property	Default value
filter	level in ('warning', 'error', 'critical')
warning	level = 'warning' or problem_count > 0
critical	level in ('error', 'critical')

Thus if you want to find a message which is not warnings, errors and critical messages you need to either change or disable the default filter like so:

check_eventlog filter=none

Severity/Level/Error

In the previous event-log API it was common for people to use severity to filter out errors. This has never worked as severity was never message severity, it remains however, a common thing. Regardless of version of API and version of NSClient++ the proper way to find errors is to use the level keyword like so:

check_eventlog "filter=level = 'error'"

While we have never been able to find an official list of the meaning of the level this is how NSClient++ interprets the values:

Level	Keyword in NSClient++
1	critical
2	error
3	warning, warn
4	informational, info, information, success, auditSuccess
5	debug, verbose
#	Specify any number for other values

Thus if you run into a non standard level you can check this like so:

check_eventlog "filter=level = 42"

Using Real-time monitoring

The benefit of real-time monitoring of the event-log is that it is often significantly faster and more resources efficient. The drawback is that it is more complex to setup and normally requires passive monitoring (via NSCA/NRDP)

The basic idea is depict in the following figure.

We have a filter which listens to event log entries. These entries are (when they matched) turned into messages and statuses which is then sent onward to various channels. On the other end of these channels are (hopefully) someone who is interested in the message.

In most cases the first channel you are interested in is NSCA which is the default name where the NSCAClient listens. It will in turn forward all incoming messages on to Nagios via NSCA.

So in short we need to configure three things

Activate real time filtering
Add a filter which listens for events
Setup a destination

Enabling real-time filtering

To setup real time filtering we only need a single flag (as well as the eventlog module).

configuration:

[/modules]
CheckEventLog=enabled

[/settings/eventlog/real-time]
realtime = enabled

Adding this will not do much since we don't have a filter yet but adding one is pretty simple as well so lets go ahead and do that.

configuration:

[/settings/eventlog/real-time/filters/foo]
#... TODO

If we were to test this (and please do go ahead) we would start getting warning on the console about no one listening to our events.

But no we end up in a strange situation, how can we actually test this configuration? How can we generate messages in the windows eventlog? Fortunately NSClient++ can help us there as well.

execute the following to insert an error into the eventlog:

# TODO

Enabling cache to check actively

TODO

Queries

A quick reference for all available queries (check commands) in the CheckEventLog module.

check_eventlog

Check for errors in the event log.

Usage

Option	Default Value	Description
filter	level in ('warning', 'error', 'critical')	Filter which marks interesting items.
warning	level = 'warning', problem_count > 0	Filter which marks items which generates a warning state.
warn		Short alias for warning
critical	level in ('error', 'critical')	Filter which marks items which generates a critical state.
crit		Short alias for critical.
ok		Filter which marks items which generates an ok state.
debug	N/A	Show debugging information in the log
show-all	N/A	Show details for all matches regardless of status (normally details are only showed for warnings and criticals).
empty-state	ok	Return status to use when nothing matched filter.
perf-config	level(ignored:true)	Performance data generation configuration
escape-html	N/A	Escape any < and > characters to prevent HTML encoding
help	N/A	Show help screen (this screen)
help-pb	N/A	Show help screen as a protocol buffer payload
show-default	N/A	Show default values for a given command
help-short	N/A	Show help screen (short format).
unique-index		Unique syntax.
top-syntax	${status}: ${count} message(s) ${problem_list}	Top level syntax.
ok-syntax	%(status): Event log seems fine	ok syntax.
empty-syntax	%(status): No entries found	Empty syntax.
detail-syntax	${file} ${source} (${message})	Detail level syntax.
perf-syntax	${file}_${source}	Performance alias syntax.
file		File to read (can be specified multiple times to check multiple files.
log		Same as file
scan-range		Date range to scan.
truncate-message		Maximum length of message for each event log message text.
unique	1	Shorthand for setting default unique index: ${log}-${source}-${id}.

### filter

Deafult Value: level in ('warning', 'error', 'critical')

Description: Filter which marks interesting items. Interesting items are items which will be included in the check. They do not denote warning or critical state instead it defines which items are relevant and you can remove unwanted items.

### warning

Deafult Value: level = 'warning', problem_count > 0

Description: Filter which marks items which generates a warning state. If anything matches this filter the return status will be escalated to warning.

### warn

Description: Short alias for warning

### critical

Deafult Value: level in ('error', 'critical')

Description: Filter which marks items which generates a critical state. If anything matches this filter the return status will be escalated to critical.

### crit

Description: Short alias for critical.

### ok

Description: Filter which marks items which generates an ok state. If anything matches this any previous state for this item will be reset to ok. Available options :

Key	Value
count	Number of items matching the filter. Common option for all checks.
total	Total number of items. Common option for all checks.
ok_count	Number of items matched the ok criteria. Common option for all checks.
warn_count	Number of items matched the warning criteria. Common option for all checks.
crit_count	Number of items matched the critical criteria. Common option for all checks.
problem_count	Number of items matched either warning or critical criteria. Common option for all checks.
list	A list of all items which matched the filter. Common option for all checks.
ok_list	A list of all items which matched the ok criteria. Common option for all checks.
warn_list	A list of all items which matched the warning criteria. Common option for all checks.
crit_list	A list of all items which matched the critical criteria. Common option for all checks.
problem_list	A list of all items which matched either the critical or the warning criteria. Common option for all checks.
detail_list	A special list with critical, then warning and finally ok. Common option for all checks.
status	The returned status (OK/WARN/CRIT/UNKNOWN). Common option for all checks.
category	TODO
computer	Which computer generated the message
customer	TODO
file	The logfile name
guid	The logfile name
id	Eventlog id
keyword	The keyword associated with this event
level	Severity level (error, warning, info, success, auditSucess, auditFailure)
log	alias for file
message	The message rendered as a string.
provider	Source system.
rawid	Raw message id (contains many other fields all baked into a single number)
source	Source system.
task	The type of event (task)
type	alias for level (old, deprecated)
written	When the message was written to file

### debug

Description: Show debugging information in the log

### show-all

Description: Show details for all matches regardless of status (normally details are only showed for warnings and criticals).

### empty-state

Deafult Value: ok

Description: Return status to use when nothing matched filter. If no filter is specified this will never happen unless the file is empty.

### perf-config

Deafult Value: level(ignored:true)

Description: Performance data generation configuration TODO: obj ( key: value; key: value) obj (key:valuer;key:value)

### escape-html

Description: Escape any < and > characters to prevent HTML encoding

### help

Description: Show help screen (this screen)

### help-pb

Description: Show help screen as a protocol buffer payload

### show-default

Description: Show default values for a given command

### help-short

Description: Show help screen (short format).

### unique-index

Description: Unique syntax. Used to filter unique items (counted will still increase but messages will not repeaters:

Key	Value
category	TODO
computer	Which computer generated the message
customer	TODO
file	The logfile name
guid	The logfile name
id	Eventlog id
keyword	The keyword associated with this event
level	Severity level (error, warning, info, success, auditSucess, auditFailure)
log	alias for file
message	The message rendered as a string.
provider	Source system.
rawid	Raw message id (contains many other fields all baked into a single number)
source	Source system.
task	The type of event (task)
type	alias for level (old, deprecated)
written	When the message was written to file

### top-syntax

Deafult Value: ${status}: ${count} message(s) ${problem_list}

Description: Top level syntax. Used to format the message to return can include text as well as special keywords which will include information from the checks. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to excpae on linux). The available keywords are:

Key	Value
count	Number of items matching the filter. Common option for all checks.
total	Total number of items. Common option for all checks.
ok_count	Number of items matched the ok criteria. Common option for all checks.
warn_count	Number of items matched the warning criteria. Common option for all checks.
crit_count	Number of items matched the critical criteria. Common option for all checks.
problem_count	Number of items matched either warning or critical criteria. Common option for all checks.
list	A list of all items which matched the filter. Common option for all checks.
ok_list	A list of all items which matched the ok criteria. Common option for all checks.
warn_list	A list of all items which matched the warning criteria. Common option for all checks.
crit_list	A list of all items which matched the critical criteria. Common option for all checks.
problem_list	A list of all items which matched either the critical or the warning criteria. Common option for all checks.
detail_list	A special list with critical, then warning and finally ok. Common option for all checks.
status	The returned status (OK/WARN/CRIT/UNKNOWN). Common option for all checks.

### ok-syntax

Deafult Value: %(status): Event log seems fine

Description: ok syntax. DEPRECATED! This is the syntax for when an ok result is returned. This value will not be used if your syntax contains %(list) or %(count).

### empty-syntax

Deafult Value: %(status): No entries found

Description: Empty syntax. DEPRECATED! This is the syntax for when nothing matches the filter. Possible values are:

Key	Value
count	Number of items matching the filter. Common option for all checks.
total	Total number of items. Common option for all checks.
ok_count	Number of items matched the ok criteria. Common option for all checks.
warn_count	Number of items matched the warning criteria. Common option for all checks.
crit_count	Number of items matched the critical criteria. Common option for all checks.
problem_count	Number of items matched either warning or critical criteria. Common option for all checks.
list	A list of all items which matched the filter. Common option for all checks.
ok_list	A list of all items which matched the ok criteria. Common option for all checks.
warn_list	A list of all items which matched the warning criteria. Common option for all checks.
crit_list	A list of all items which matched the critical criteria. Common option for all checks.
problem_list	A list of all items which matched either the critical or the warning criteria. Common option for all checks.
detail_list	A special list with critical, then warning and finally ok. Common option for all checks.
status	The returned status (OK/WARN/CRIT/UNKNOWN). Common option for all checks.

### detail-syntax

Deafult Value: ${file} ${source} (${message})

Description: Detail level syntax. Used to format each resulting item in the message. %(list) will be replaced with all the items formated by this syntax string in the top-syntax. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to excpae on linux). The available keywords are:

Key	Value
category	TODO
computer	Which computer generated the message
customer	TODO
file	The logfile name
guid	The logfile name
id	Eventlog id
keyword	The keyword associated with this event
level	Severity level (error, warning, info, success, auditSucess, auditFailure)
log	alias for file
message	The message rendered as a string.
provider	Source system.
rawid	Raw message id (contains many other fields all baked into a single number)
source	Source system.
task	The type of event (task)
type	alias for level (old, deprecated)
written	When the message was written to file

### perf-syntax

Deafult Value: ${file}_${source}

Description: Performance alias syntax. This is the syntax for the base names of the performance data. Possible values are:

Key	Value
category	TODO
computer	Which computer generated the message
customer	TODO
file	The logfile name
guid	The logfile name
id	Eventlog id
keyword	The keyword associated with this event
level	Severity level (error, warning, info, success, auditSucess, auditFailure)
log	alias for file
message	The message rendered as a string.
provider	Source system.
rawid	Raw message id (contains many other fields all baked into a single number)
source	Source system.
task	The type of event (task)
type	alias for level (old, deprecated)
written	When the message was written to file

### file

Description: File to read (can be specified multiple times to check multiple files. Notice that specifying multiple files will create an aggregate set you will not check each file individually.In other words if one file contains an error the entire check will result in error.

### log

Description: Same as file

### scan-range

Description: Date range to scan. A negative value scans backward (historical events) and a positive value scans forwards (future events). This is the approximate dates to search through this speeds up searching a lot but there is no guarantee messages are ordered.

### truncate-message

Description: Maximum length of message for each event log message text.

### unique

Deafult Value: 1

Description: Shorthand for setting default unique index: ${log}-${source}-${id}.

checkeventlog

Legacy version of check_eventlog

Usage

Option	Default Value	Description
help	N/A	Show help screen (this screen)
help-pb	N/A	Show help screen as a protocol buffer payload
show-default	N/A	Show default values for a given command
help-short	N/A	Show help screen (short format).
MaxWarn		Maximum value before a warning is returned.
MaxCrit		Maximum value before a critical is returned.
MinWarn		Minimum value before a warning is returned.
MinCrit		Minimum value before a critical is returned.
warn		Maximum value before a warning is returned.
crit		Maximum value before a critical is returned.
filter		The filter to use.
file		The file to check
debug	1	The file to check
truncate		Deprecated and has no meaning
descriptions	1	Deprecated and has no meaning
unique	1
syntax	%source%, %strings%	The syntax string
top-syntax	${list}	The top level syntax string
scan-range		TODO

### help

Description: Show help screen (this screen)

### help-pb

Description: Show help screen as a protocol buffer payload

### show-default

Description: Show default values for a given command

### help-short

Description: Show help screen (short format).

### MaxWarn

Description: Maximum value before a warning is returned.

### MaxCrit

Description: Maximum value before a critical is returned.

### MinWarn

Description: Minimum value before a warning is returned.

### MinCrit

Description: Minimum value before a critical is returned.

### warn

Description: Maximum value before a warning is returned.

### crit

Description: Maximum value before a critical is returned.

### filter

Description: The filter to use.

### file

Description: The file to check

### debug

Deafult Value: 1

Description: The file to check

### truncate

Description: Deprecated and has no meaning

### descriptions

Deafult Value: 1

Description: Deprecated and has no meaning

### unique

Deafult Value: 1

Description:

### syntax

Deafult Value: %source%, %strings%

Description: The syntax string

### top-syntax

Deafult Value: ${list}

Description: The top level syntax string

### scan-range

Description: TODO

Configuration

## Eventlog configuration

Section for the EventLog Checker (CheckEventLog.dll).

# Section for the EventLog Checker (CheckEventLog.dll).
[/settings/eventlog]
buffer size=131072
debug=false
lookup names=true

Key	Default Value	Description
[buffer size](#/settings/eventlog_buffer size)	131072	BUFFER_SIZE
debug	false	DEBUG
[lookup names](#/settings/eventlog_lookup names)	true	LOOKUP NAMES
syntax		SYNTAX

### buffer size

BUFFER_SIZE

The size of the buffer to use when getting messages this affects the speed and maximum size of messages you can recieve.

Key	Description
Path:	/settings/eventlog
Key:	buffer size
Default value:	`131072`
Used by:	CheckEventLog

Sample

[/settings/eventlog]
# BUFFER_SIZE
buffer size=131072

### debug

DEBUG

Log more information when filtering (useful to detect issues with filters) not useful in production as it is a bit of a resource hog.

Key	Description
Path:	/settings/eventlog
Key:	debug
Default value:	`false`
Used by:	CheckEventLog

Sample

[/settings/eventlog]
# DEBUG
debug=false

### lookup names

LOOKUP NAMES

Lookup the names of eventlog files

Key	Description
Path:	/settings/eventlog
Key:	lookup names
Default value:	`true`
Used by:	CheckEventLog

Sample

[/settings/eventlog]
# LOOKUP NAMES
lookup names=true

### syntax

SYNTAX

Set this to use a specific syntax string for all commands (that don't specify one).

Key	Description
Path:	/settings/eventlog
Key:	syntax
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog]
# SYNTAX
syntax=

## Real-time monitoring

A set of options to configure the real time checks

# A set of options to configure the real time checks
[/settings/eventlog/real-time]
debug=false
enabled=false
log=application,system
startup age=30m

Key	Default Value	Description
debug	false	DEBUG
enabled	false	REAL TIME CHECKING
log	application,system	LOGS TO CHECK
[startup age](#/settings/eventlog/real-time_startup age)	30m	STARTUP AGE

### debug

DEBUG

Log missed records (useful to detect issues with filters) not useful in production as it is a bit of a resource hog.

Key	Description
Path:	/settings/eventlog/real-time
Key:	debug
Default value:	`false`
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time]
# DEBUG
debug=false

### enabled

REAL TIME CHECKING

Spawns a background thread which detects issues and reports them back instantly.

Key	Description
Path:	/settings/eventlog/real-time
Key:	enabled
Default value:	`false`
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time]
# REAL TIME CHECKING
enabled=false

### log

LOGS TO CHECK

Comma separated list of logs to check

Key	Description
Path:	/settings/eventlog/real-time
Key:	log
Default value:	`application,system`
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time]
# LOGS TO CHECK
log=application,system

### startup age

STARTUP AGE

The initial age to scan when starting NSClient++

Key	Description
Path:	/settings/eventlog/real-time
Key:	startup age
Default value:	`30m`
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time]
# STARTUP AGE
startup age=30m

## Real-time filters

A set of filters to use in real-time mode

# A set of filters to use in real-time mode
[/settings/eventlog/real-time/filters]

## Real time filter: default

Definition for real time filter: default

# Definition for real time filter: default
[/settings/eventlog/real-time/filters/default]
empty message=eventlog found no records
maximum age=5m

Key	Default Value	Description
command		COMMAND NAME
critical		CRITICAL FILTER
debug		DEBUG
destination		DESTINATION
[detail syntax](#/settings/eventlog/real-time/filters/default_detail syntax)		SYNTAX
[empty message](#/settings/eventlog/real-time/filters/default_empty message)	eventlog found no records	EMPTY MESSAGE
[escape html](#/settings/eventlog/real-time/filters/default_escape html)		ESCAPE HTML
filter		FILTER
log		FILE
logs		FILES
[maximum age](#/settings/eventlog/real-time/filters/default_maximum age)	5m	MAGIMUM AGE
ok		OK FILTER
[ok syntax](#/settings/eventlog/real-time/filters/default_ok syntax)		SYNTAX
[perf config](#/settings/eventlog/real-time/filters/default_perf config)		PERF CONFIG
severity		SEVERITY
[source id](#/settings/eventlog/real-time/filters/default_source id)		SOURCE ID
target		DESTINATION
[target id](#/settings/eventlog/real-time/filters/default_target id)		TARGET ID
[top syntax](#/settings/eventlog/real-time/filters/default_top syntax)		SYNTAX
warning		WARNING FILTER

### command

COMMAND NAME

The name of the command (think nagios service name) to report up stream (defaults to alias if not set)

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	command
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# COMMAND NAME
command=

### critical

CRITICAL FILTER

If any rows match this filter severity will escalated to CRITICAL

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	critical
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# CRITICAL FILTER
critical=

### debug

DEBUG

Enable this to display debug information for this match filter

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	debug
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# DEBUG
debug=

### destination

DESTINATION

The destination for intercepted messages

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	destination
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# DESTINATION
destination=

### detail syntax

SYNTAX

Format string for dates

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	detail syntax
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# SYNTAX
detail syntax=

### empty message

EMPTY MESSAGE

The message to display if nothing matches the filter (generally considered the ok state).

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	empty message
Default value:	`eventlog found no records`
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# EMPTY MESSAGE
empty message=eventlog found no records

### escape html

ESCAPE HTML

Escape HTML characters (< and >).

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	escape html
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# ESCAPE HTML
escape html=

### filter

FILTER

Scan files for matching rows for each matching rows an OK message will be submitted

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	filter
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# FILTER
filter=

### log

FILE

The eventlog record to filter on (if set to 'all' means all enabled logs)

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	log
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# FILE
log=

### logs

FILES

The eventlog record to filter on (if set to 'all' means all enabled logs)

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	logs
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# FILES
logs=

### maximum age

MAGIMUM AGE

How long before reporting "ok". If this is set to "false" no periodic ok messages will be reported only errors.

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	maximum age
Default value:	`5m`
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# MAGIMUM AGE
maximum age=5m

### ok

OK FILTER

If any rows match this filter severity will escalated down to OK

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	ok
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# OK FILTER
ok=

### ok syntax

SYNTAX

Format string for dates

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	ok syntax
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# SYNTAX
ok syntax=

### perf config

PERF CONFIG

Performance data configuration

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	perf config
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# PERF CONFIG
perf config=

### severity

SEVERITY

THe severity of this message (OK, WARNING, CRITICAL, UNKNOWN)

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	severity
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# SEVERITY
severity=

### source id

SOURCE ID

The name of the source system, will automatically use the remote system if a remote system is called. Almost most sending systems will replace this with current systems hostname if not present. So use this only if you need specific source systems for specific schedules and not calling remote systems.

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	source id
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# SOURCE ID
source id=

### target

DESTINATION

Same as destination

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	target
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# DESTINATION
target=

### target id

TARGET ID

The target to send the message to (will be resolved by the consumer)

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	target id
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# TARGET ID
target id=

### top syntax

SYNTAX

Format string for dates

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	top syntax
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# SYNTAX
top syntax=

### warning

WARNING FILTER

If any rows match this filter severity will escalated to WARNING

Key	Description
Path:	/settings/eventlog/real-time/filters/default
Key:	warning
Default value:	N/A
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/default]
# WARNING FILTER
warning=

## Real time filter: sample

Definition for real time filter: sample

# Definition for real time filter: sample
[/settings/eventlog/real-time/filters/sample]
empty message=eventlog found no records
maximum age=5m

Key	Default Value	Description
command		COMMAND NAME
critical		CRITICAL FILTER
debug		DEBUG
destination		DESTINATION
[detail syntax](#/settings/eventlog/real-time/filters/sample_detail syntax)		SYNTAX
[empty message](#/settings/eventlog/real-time/filters/sample_empty message)	eventlog found no records	EMPTY MESSAGE
[escape html](#/settings/eventlog/real-time/filters/sample_escape html)		ESCAPE HTML
filter		FILTER
log		FILE
logs		FILES
[maximum age](#/settings/eventlog/real-time/filters/sample_maximum age)	5m	MAGIMUM AGE
ok		OK FILTER
[ok syntax](#/settings/eventlog/real-time/filters/sample_ok syntax)		SYNTAX
[perf config](#/settings/eventlog/real-time/filters/sample_perf config)		PERF CONFIG
severity		SEVERITY
[source id](#/settings/eventlog/real-time/filters/sample_source id)		SOURCE ID
target		DESTINATION
[target id](#/settings/eventlog/real-time/filters/sample_target id)		TARGET ID
[top syntax](#/settings/eventlog/real-time/filters/sample_top syntax)		SYNTAX
warning		WARNING FILTER

### command

COMMAND NAME

The name of the command (think nagios service name) to report up stream (defaults to alias if not set)

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	command
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# COMMAND NAME
command=

### critical

CRITICAL FILTER

If any rows match this filter severity will escalated to CRITICAL

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	critical
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# CRITICAL FILTER
critical=

### debug

DEBUG

Enable this to display debug information for this match filter

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	debug
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# DEBUG
debug=

### destination

DESTINATION

The destination for intercepted messages

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	destination
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# DESTINATION
destination=

### detail syntax

SYNTAX

Format string for dates

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	detail syntax
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# SYNTAX
detail syntax=

### empty message

EMPTY MESSAGE

The message to display if nothing matches the filter (generally considered the ok state).

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	empty message
Advanced:	Yes (means it is not commonly used)
Default value:	`eventlog found no records`
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# EMPTY MESSAGE
empty message=eventlog found no records

### escape html

ESCAPE HTML

Escape HTML characters (< and >).

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	escape html
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# ESCAPE HTML
escape html=

### filter

FILTER

Scan files for matching rows for each matching rows an OK message will be submitted

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	filter
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# FILTER
filter=

### log

FILE

The eventlog record to filter on (if set to 'all' means all enabled logs)

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	log
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# FILE
log=

### logs

FILES

The eventlog record to filter on (if set to 'all' means all enabled logs)

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	logs
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# FILES
logs=

### maximum age

MAGIMUM AGE

How long before reporting "ok". If this is set to "false" no periodic ok messages will be reported only errors.

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	maximum age
Default value:	`5m`
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# MAGIMUM AGE
maximum age=5m

### ok

OK FILTER

If any rows match this filter severity will escalated down to OK

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	ok
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# OK FILTER
ok=

### ok syntax

SYNTAX

Format string for dates

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	ok syntax
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# SYNTAX
ok syntax=

### perf config

PERF CONFIG

Performance data configuration

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	perf config
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# PERF CONFIG
perf config=

### severity

SEVERITY

THe severity of this message (OK, WARNING, CRITICAL, UNKNOWN)

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	severity
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# SEVERITY
severity=

### source id

SOURCE ID

The name of the source system, will automatically use the remote system if a remote system is called. Almost most sending systems will replace this with current systems hostname if not present. So use this only if you need specific source systems for specific schedules and not calling remote systems.

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	source id
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# SOURCE ID
source id=

### target

DESTINATION

Same as destination

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	target
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# DESTINATION
target=

### target id

TARGET ID

The target to send the message to (will be resolved by the consumer)

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	target id
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# TARGET ID
target id=

### top syntax

SYNTAX

Format string for dates

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	top syntax
Advanced:	Yes (means it is not commonly used)
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# SYNTAX
top syntax=

### warning

WARNING FILTER

If any rows match this filter severity will escalated to WARNING

Key	Description
Path:	/settings/eventlog/real-time/filters/sample
Key:	warning
Default value:	N/A
Sample key:	Yes (This section is only to show how this key is used)
Used by:	CheckEventLog

Sample

[/settings/eventlog/real-time/filters/sample]
# WARNING FILTER
warning=

Files

CheckEventLog.md

Latest commit

History

CheckEventLog.md

File metadata and controls

CheckEventLog

List of commands

List of Configuration

Common Keys

Advanced keys

Sample keys

Usage

Monitoring event-log

Time and date

Checking for specific messages

Modern windows (channels)

Checking for non errors

Severity/Level/Error

Using Real-time monitoring

Enabling real-time filtering

Enabling cache to check actively

Queries

check_eventlog

Usage

checkeventlog

Usage

Configuration

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample

Sample