AddOn - Nagios Event Log aka NagEventLog

NagEventLog is a Windows agent that reads the Windows Event Log, filters it, and forwards the matching entries to Nagios as passive check results via NSCA. Now with encryption support! Supports Windows 2000 and later.

More information can be found here:

NagEventLog allows you to have Windows Event Log entries filtered and passed back to your Nagios server. Two methods I have used are:

  • Report ALL errors in ALL logs, then filter out the select Event IDs we don't need to worry about.
  • Report a -specific- error that we use to trigger an event handler script, e.g. a "cleanup and restart" process upon a service failure.

Updating NagEventLog Filters via GPO

When you have a lot of Windows servers and want to add an Event ID to the filter, updating them server by server is a real pain. Using a Group Policy Object (GPO), you can control the filters directly from a policy without having to manually update each individual server.

Assumptions

  • You install NagEventLog in a consistent fashion on all servers (same build and install location on each, so the registry key the template writes to exists on every server)
  • You want to filter the same items across ALL your servers
  • All your servers are members of the same domain

Instructions

  1. Create a custom administrative policy template.  Below is the "nageventlog.adm" file I used to filter out select Event IDs.  Note that the KEYNAME points at SOFTWARE\Wow6432Node, which is where a 32-bit NagEventLog keeps its settings on 64-bit Windows; on a 32-bit server the same key lives directly under SOFTWARE\Cheshire Cat\Nagios\Filter0, so adjust the KEYNAME to match how your servers are installed.
    ; nageventlog.adm
    ;;;;;;;;;;;;;;;;;;;;;
    CLASS MACHINE  ;;;;;;
    ;;;;;;;;;;;;;;;;;;;;;
     
    CATEGORY !!nagiosfilter
    KEYNAME "SOFTWARE\Wow6432Node\Cheshire Cat\Nagios\Filter0"
        POLICY !!changenagiosfilter
            PART !!NotEventID CHECKBOX
                VALUENAME "notID"
                VALUEON NUMERIC 1
                VALUEOFF NUMERIC 0
            END PART
            PART !!ChangeFilter0IDs EDITTEXT REQUIRED
                VALUENAME "ID"
                DEFAULT !!filterdefault
            END PART
            PART !!changefilter0IDstext TEXT END PART
        END POLICY
    END CATEGORY

    [STRINGS]
    nagiosfilter="Nagios Filtering"
    changenagiosfilter="Change Nagios Filter0"
    ; every !!name used above must be defined here; NotEventID labels the checkbox
    NotEventID="Exclude the listed Event IDs"
    ChangeFilter0IDs="Event IDs that are ignored by Nagios"
    changefilter0IDstext="Comma separated list of Event IDs to exclude"
    filterdefault="21293,21248,26020,26009"

  2. Copy the new nageventlog.adm file into the C:\Windows\inf folder of your domain controller.
  3. Next, add the template to a policy.  Launch the GPO Editor by clicking Start > Run > mmc, add the "Group Policy Object Editor" snap-in, click Browse, and choose the Default Domain Policy.  (A dedicated GPO linked only to the OU that holds your servers is the cleaner choice: the Default Domain Policy applies to every machine in the domain, including workstations that do not run NagEventLog.)
  4. Right-click "Administrative Templates" and choose Add/Remove Templates.  Select the template file, nageventlog.adm, we created.
  5. You should now see an item appear as "Nagios Filtering".  If you select it and "Change Nagios Filter0" does not appear, click View > Filtering and DE-select "Only show policy settings that can be fully managed".  The template writes under HKLM\SOFTWARE rather than the policy-only SOFTWARE\Policies tree, so the editor treats the setting as a preference rather than a true policy; bear in mind that such values stay in the registry even after the GPO stops applying to a server.
  6. Select the "Enabled" option, tick the checkbox to enable the EXCLUSION of the IDs, and enter the comma-delimited list of Event IDs.
  7. Servers pick up the change at their regular policy refresh.  To force an immediate refresh, run "gpupdate /force" from the command line on the server.
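Once the policy has refreshed, it is worth confirming on the servers themselves that Filter0 holds what you typed into the GPO rather than trusting the editor. The PowerShell script below is an added example, not part of NagEventLog or of the template above; it assumes the value names from the .adm (a DWORD "notID", where 1 means exclude, and a comma-separated REG_SZ "ID") and checks both the Wow6432Node and the plain SOFTWARE location so it works on 32-bit and 64-bit servers. The server names in the remote usage are placeholders.

```powershell
# Added example (not NagEventLog's own code): verify that the Filter0 values
# pushed by the GPO actually landed on this server.
# Assumed from the .adm: "notID" is a DWORD (1 = exclude the listed IDs) and
# "ID" is a REG_SZ holding comma-separated Event IDs.

function Test-NagEventLogFilter {
    param(
        [Parameter(Mandatory)][int[]]$ExpectedIds,  # the IDs typed into the GPO
        [bool]$ExpectExclude = $true                # checkbox state expected in notID
    )

    # The .adm targets Wow6432Node, where a 32-bit NagEventLog writes on 64-bit
    # Windows. A 32-bit server stores the same key without that prefix, so look
    # in both places and report which one was found.
    $candidates = @(
        'HKLM:\SOFTWARE\Wow6432Node\Cheshire Cat\Nagios\Filter0',
        'HKLM:\SOFTWARE\Cheshire Cat\Nagios\Filter0'
    )
    $path = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

    $result = [ordered]@{
        Computer = $env:COMPUTERNAME
        Path     = $path
        NotID    = $null
        Ids      = @()
        Missing  = @()
        Extra    = @()
        Ok       = $false
        Reason   = ''
    }

    if (-not $path) {
        $result.Reason = 'Filter0 key not found: NagEventLog not installed, or the GPO has not applied yet'
        return [pscustomobject]$result
    }

    $props = Get-ItemProperty -LiteralPath $path
    $result.NotID = [int]$props.notID      # an absent value ($null) casts to 0

    # EDITTEXT stores exactly what was typed; trim so "1, 2" compares equal to
    # "1,2", and ignore anything that is not a plain number.
    $ids = @()
    if ($props.ID) {
        $ids = @($props.ID -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -match '^\d+$' } |
            ForEach-Object { [int]$_ })
    }
    $result.Ids     = $ids
    $result.Missing = @($ExpectedIds | Where-Object { $ids -notcontains $_ })
    $result.Extra   = @($ids | Where-Object { $ExpectedIds -notcontains $_ })

    $wantNotId = [int]$ExpectExclude       # $true -> 1, $false -> 0
    if ($result.NotID -ne $wantNotId) {
        $result.Reason = "notID is $($result.NotID), expected $wantNotId"
    } elseif ($result.Missing.Count -or $result.Extra.Count) {
        $result.Reason = "ID list differs (missing: $($result.Missing -join ','); extra: $($result.Extra -join ','))"
    } else {
        $result.Ok     = $true
        $result.Reason = 'Filter0 matches the GPO'
    }
    return [pscustomobject]$result
}

# The default list from the .adm's filterdefault string.
$expected = 21293, 21248, 26020, 26009

# Run locally on a server after "gpupdate /force":
Test-NagEventLogFilter -ExpectedIds $expected | Format-List

# To check every server in one go (assumes WinRM is enabled; the names are
# placeholders), ship the function to the remote side:
#   Invoke-Command -ComputerName 'srv01','srv02' `
#       -ScriptBlock ${function:Test-NagEventLogFilter} -ArgumentList $expected, $true |
#       Format-Table Computer, Ok, Reason -AutoSize
```

A server that reports the key as missing has either never had NagEventLog installed (which, given the template's preference-style registry write, means the GPO would simply create the key and leave stray values behind) or has not yet refreshed policy; a mismatch in the ID list usually means the policy was edited after the last refresh, or a different GPO with a conflicting value wins on that server.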

The same technique lets you push other registry-based settings from one central policy across the whole domain instead of touching each server by hand.

Windows Server 2008 NagEventLog Compatibility

While the 64-bit version of NagEventLog v1.9.1 installed on my 64-bit Windows 2008 server, I was unable to use the GUI to configure the filters.  However, if you visit Steve Shipway's NagEventLog site directly, you can download replacement executables that allow it to run properly on Server 2008.  I replaced the files, restarted the service, and then the GUI tool worked correctly.