Updating NagEventLog Filters via GPO

When you have a lot of Windows servers and want to add an Event ID to the NagEventLog filter, updating them one server at a time is a real pain.  With a Group Policy Object you can control the filter values directly from a policy instead of touching each server by hand.

Assumptions

  • You install NagEventLog in a consistent fashion on all servers
  • You want to filter the same items across ALL your servers
  • All your servers are members of the local domain

Instructions

  1. Create a custom administrative policy template.  Below is the "nageventlog.adm" file I used to filter out select Event IDs.
    ; nageventlog.adm
    ; Classic ADM template: writes the NagEventLog Filter0 values under the
    ; machine (HKLM) hive.  Every !!name token refers to the [STRINGS] section.
    CLASS MACHINE

    CATEGORY !!nagiosfilter
    ; Registry key the policy writes to.  Wow6432Node is where a 32-bit
    ; NagEventLog keeps its HKLM\SOFTWARE settings on 64-bit Windows.
    KEYNAME "SOFTWARE\Wow6432Node\Cheshire Cat\Nagios\Filter0"
        POLICY !!changenagiosfilter
            ; notID = 1 makes Filter0 an exclusion list (NOT these IDs)
            PART !!NotEventID CHECKBOX
                VALUENAME "notID"
                VALUEON NUMERIC 1
                VALUEOFF NUMERIC 0
            END PART
            ; ID holds the comma separated Event ID list as a string value
            PART !!ChangeFilter0IDs EDITTEXT REQUIRED
                VALUENAME "ID"
                DEFAULT !!filterdefault
            END PART
            PART !!changefilter0IDstext TEXT END PART
        END POLICY
    END CATEGORY

    [STRINGS]
    nagiosfilter="Nagios Filtering"
    changenagiosfilter="Change Nagios Filter0"
    ; NotEventID must be defined here; a !!token without a string entry makes the
    ; template fail to load
    NotEventID="Exclude (rather than include) the listed Event IDs"
    ChangeFilter0IDs="Event IDs that are ignored by Nagios"
    changefilter0IDstext="Comma separated list of Event IDs to exclude"
    filterdefault="21293,21248,26020,26009"

  2. Copy the new nageventlog.adm file into the C:\windows\inf folder of your domain controller.
  3. Next, add the template to the default policy.  Launch the GPO Editor by clicking Start > Run > mmc, add the "Group Policy Object Editor" snap-in, click Browse, and choose the Default Domain Policy.
  4. Right-click "Administrative Templates" and choose Add/Remove Templates.  Select the nageventlog.adm template file we created.
  5. You should now see an item named "Nagios Filtering".  If you select it and "Change Nagios Filter0" does not appear, click View > Filtering and deselect "Only show policy settings that can be fully managed".  The editor hides it because the key sits outside the Policies branch of the registry, so it is treated as a preference rather than a true policy; as with any preference, the values stay in the registry even after the GPO stops applying to a server.
  6. Select the "Enabled" option, tick the checkbox so the list is an EXCLUSION of the listed IDs, and enter the comma-delimited list of Event IDs.
  7. Servers pick up the change at their regular policy refresh.  To force an update, run "gpupdate" from the command line on the server.
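To confirm the policy actually landed on every server (and catch a host whose refresh has not run yet), the following PowerShell check is an added example, not part of the original post: it reads the Filter0 key the .adm above writes on each server and compares it with the list set in the GPO.  The server names and the expected list are placeholders; the registry path and value names are the ones from the template.

```powershell
# Added verification example (not from the original post).  Reads the
# NagEventLog Filter0 values written by the GPO on each server and reports
# whether they match what was configured.  Requires PowerShell Remoting.
$Servers  = @('SERVER01', 'SERVER02')                       # placeholder names
$Expected = '21293,21248,26020,26009'                       # list entered in the GPO
$KeyPath  = 'HKLM:\SOFTWARE\Wow6432Node\Cheshire Cat\Nagios\Filter0'

$check = {
    param($KeyPath, $Expected)
    $result = [ordered]@{
        Server     = $env:COMPUTERNAME
        KeyPresent = $false
        NotID      = $null      # REG_DWORD written by the CHECKBOX part
        IDs        = $null      # REG_SZ written by the EDITTEXT part
        Match      = $false
    }
    if (Test-Path -Path $KeyPath) {
        $result.KeyPresent = $true
        $props = Get-ItemProperty -Path $KeyPath
        $result.NotID = $props.notID
        $result.IDs   = $props.ID
        # Normalise both lists (trim, sort) so ordering differences are not drift
        $want = ($Expected -split ',' | ForEach-Object { $_.Trim() } | Sort-Object) -join ','
        $have = ("$($props.ID)" -split ',' | ForEach-Object { $_.Trim() } | Sort-Object) -join ','
        # Match only when exclusion is on AND the ID set is exactly what we pushed
        $result.Match = ($props.notID -eq 1) -and ($want -eq $have)
    }
    [pscustomobject]$result
}

# Run the check on all servers in parallel; a missing key or Match = False means
# the GPO has not applied there yet (try gpupdate /force on that host).
Invoke-Command -ComputerName $Servers -ScriptBlock $check -ArgumentList $KeyPath, $Expected |
    Select-Object Server, KeyPresent, NotID, IDs, Match |
    Format-Table -AutoSize
```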

You can use the same technique to push other registry-backed settings and adjust them from a central location across the domain.

References