For support, try the following:
-------------------------------
Discussion and support forum
http://www.steveshipway.org/forum/ and find the 'Nagios EventLog' group.
Application web page (helpful detailed install doc available here)
http://www.steveshipway.org/software/ and click on the 'Nagios' link on the left menu.
Join the support mailing list
http://steveshipway.org/mailman/listinfo/support_steveshipway.org/
Email me.
steve@steveshipway.org
If you like this program, then please show your appreciation by sending me a gift! I have a wishlist at Amazon.co.uk, and you can send me a DVD. Check this URL for information -
http://www.steveshipway.org/software/wishlist.html
How to configure this agent:
----------------------------
The EventLog Agent configuration tool has been installed. You can run this, and it will allow you to define the details of the Nagios NSCA server, and the filters.
You can define any number of filters, but when checking a particular log entry, ONLY THE FIRST MATCH WILL BE USED. So, make sure they are ordered correctly.
Each Filter definition should give the Service_Description of the service you want to alert on, and the status of the alert (i.e. Warn, Critical, Unknown or OK). The host_name is set in the section with the Nagios NSCA server definitions.
The two debug mode flags in the Server definitions can generate a lot of eventlog messages, but are useful for finding out why a particular log is not being forwarded (or which filter is matching if it is being forwarded). Under normal operation, ensure that both flags are OFF.
How to connect this agent to Nagios:
------------------------------------
1) NagiosEventLog uses NSCA to send passive alerts. Therefore, you need to have NSCA installed and running on your Nagios server. You also need to define Passive Services in Nagios for anything that you want to send an alert on.
2) Although the default filter set consists of one filter per event log, and each filter sends an alert to a different Nagios service, you do not have to do it this way. You can have several filters sending to the same service, or several filters on each eventlog or one filter over all eventlogs, or anything else you care to have.
3) Here is an example of how to define the services in the Nagios configuration files. Note that active checks are disabled, and the freshness check is used to 'reset' to OK after a set period of time.
# Template: passive-only service that the freshness check resets to OK
define service{
    name                     EventLog
    service_description      EventLog
    register                 0
    active_checks_enabled    0
    passive_checks_enabled   1
    flap_detection_enabled   0
    is_volatile              0
    check_period             24x7
    max_check_attempts       1
    normal_check_interval    5
    retry_check_interval     1
    check_freshness          1
    freshness_threshold      1800
    check_command            check_dummy!0!No messages in last 30mins
    contact_groups           YOUR_CONTACT_GROUP
    notification_interval    120
    notification_period      24x7
    notification_options     w,u,c,r
    stalking_options         w,c,u
}
define service{
    use                      EventLog
    service_description      Application EventLog
    host_name                YOUR_HOSTNAME
}
define service{
    use                      EventLog
    service_description      System EventLog
    host_name                YOUR_HOSTNAME
}
define service{
    use                      EventLog
    service_description      Security EventLog
    host_name                YOUR_HOSTNAME
}
4) You need to have the check_command 'check_dummy' defined. This should call a script which resets status to OK.
define command {
    command_name    check_dummy
    command_line    $USER1$/check_dummy $ARG1$ "$ARG2$"
}
The check_dummy plugin should already be shipped with the Nagios plugins.
Heartbeat Function
------------------
You can tell the agent to send a periodic heartbeat alert to the Nagios server, to confirm it is still running. Define the service in this way:
define service{
    service_description      EventLog Agent
    host_name                YOUR_HOSTNAME
    active_checks_enabled    0
    passive_checks_enabled   1
    flap_detection_enabled   0
    check_period             24x7
    max_check_attempts       1
    normal_check_interval    15
    retry_check_interval     1
    check_command            check_dummy!3!Check agent is running
    contact_groups           YOUR_CONTACT_GROUP
    notification_interval    120
    notification_period      24x7
    notification_options     c,r
}
If you change the default heartbeat option in the agent, you will need to give a different service_description.
Problems
--------
If you are not getting alerts, check the following:
1) Make sure the hostname defined in Nagios EXACTLY matches the hostname defined in the agent, INCLUDING upper/lower case, and spaces.
2) Make sure the service description used in the agent EXACTLY matches the Nagios service description, including case, embedded spaces, etc.
3) Check the NSCA log (syslog?) to make sure that the messages are being received by NSCA.
4) Check the nagios.log file to make sure they are being processed by Nagios. Have you enabled the external command file in the nagios.cfg?
5) Check the nagios.log file. Are the NSCA messages being ignored because you have the wrong hostname or service description?
6) Send a test NSCA message from the agent. Did it work? Maybe there is a firewall or encryption setting problem.
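Checks 1, 2 and 5 above can be scripted, which matters most for the Security EventLog service, where a name mismatch means alerts are dropped without any notification. The following is an added example, not part of the agent or of Nagios: it scans nagios.log lines for rejected passive results and reports which configured host/service pair differs only in case or spacing. The log message wording, the host name WINSRV01 and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed wording of the nagios.log warning for a passive result that names an
# unknown host or service; adjust the pattern if your Nagios version differs.
REJECT = re.compile(
    r"Passive check result was received for service '(?P<svc>.*)' "
    r"on host '(?P<host>.*)', but the (?P<what>host|service) could not be found"
)

def norm(name):
    """Fold case and collapse whitespace: the mismatches steps 1 and 2 warn about."""
    return " ".join(name.split()).lower()

def diagnose(log_lines, defined):
    """Return (host, service, missing_object, near_match) per rejected pair.

    defined is the set of (host_name, service_description) pairs in Nagios.
    near_match is the configured pair differing only in case/spacing, else None.
    """
    by_norm = {(norm(h), norm(s)): (h, s) for h, s in defined}
    findings, seen = [], set()
    for line in log_lines:
        m = REJECT.search(line)
        if not m or (m["host"], m["svc"]) in seen:
            continue
        seen.add((m["host"], m["svc"]))
        near = by_norm.get((norm(m["host"]), norm(m["svc"])))
        findings.append((m["host"], m["svc"], m["what"], near))
    return findings

# Constructed sample data (hypothetical host WINSRV01), not real log output.
DEFINED = {("WINSRV01", "Application EventLog"), ("WINSRV01", "Security EventLog")}
SAMPLE_LOG = [
    "[1700000000] Warning:  Passive check result was received for service "
    "'Application Eventlog' on host 'WINSRV01', but the service could not be found!",
    "[1700000060] Warning:  Passive check result was received for service "
    "'Security EventLog' on host 'winsrv01', but the host could not be found!",
    "[1700000120] PASSIVE SERVICE CHECK: WINSRV01;Security EventLog;2;Logon failure",
    "[1700000180] Warning:  Passive check result was received for service "
    "'DNS EventLog' on host 'WINSRV01', but the service could not be found!",
]

if __name__ == "__main__":
    for host, svc, what, near in diagnose(SAMPLE_LOG, DEFINED):
        hint = f"case/spacing mismatch with {near}" if near else "no such object defined"
        print(f"dropped: host={host!r} service={svc!r} ({what} not found): {hint}")
```

A finding with a near match points at the agent's host_name or Service_Description setting; a finding without one means the passive service still has to be defined in Nagios.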