Invoke-IcingaCheckEventlog - ExcludeEventId not working #19

Closed
i3astian opened this issue Mar 9, 2020 · 2 comments
i3astian commented Mar 9, 2020

When you use "Invoke-IcingaCheckEventlog" with only "LogName" and "ExcludeEventId" you get 0 as output.

In "Get-IcingaEventLog.psm1" there is one foreach loop, which is used to check the Exclude arguments and the "IncludeMessage" argument. Without the "IncludeMessage" argument, $skip is always true and line 109, $filteredEvents += $event;, won't be reached.

For testing I disabled lines 95-107:

            [bool]$skip = $TRUE;

            foreach ($inMessage in $IncludeMessage) {
                # Filter for specific message content
                if ([string]$event.Message -like [string]$inMessage) {
                    $skip = $FALSE;
                    break;
                }
            }

            if ($skip) {
                continue;
            }

Now I received EventIDs, but the output also contained the excluded EventIDs.
There seems to be a syntax error in the if checks in lines 68, 73 and 78.

Syntax of -contains:

    "Reference-values" -contains "Test-value"

    if ($ExcludeEventId.Count -ne 0 -And $event.InstanceID -contains $ExcludeEventId) {

should be

    if ($ExcludeEventId.Count -ne 0 -And $ExcludeEventId -contains $event.InstanceID) {
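
Both defects reported above, reproduced on constructed events, as an added example that is not part of the original issue or of the Icinga plugin code. `Select-SampleEvent`, its `-AsReported` switch and the sample events are hypothetical; the non-reported branch is one possible correction, not the project's actual fix.

```powershell
# Constructed sample events; only the two properties the filter reads are modelled.
$sampleEvents = @(
    [pscustomobject]@{ InstanceID = 4625; Message = 'An account failed to log on.' },
    [pscustomobject]@{ InstanceID = 4771; Message = 'Kerberos pre-authentication failed.' },
    [pscustomobject]@{ InstanceID = 4776; Message = 'The computer attempted to validate credentials.' }
)

# Hypothetical helper for illustration; not a function of the Icinga plugins.
function Select-SampleEvent {
    param(
        [array]$Events,
        [array]$ExcludeEventId = @(),
        [array]$IncludeMessage = @(),
        [switch]$AsReported    # reproduce the behaviour described in the issue
    )
    $filteredEvents = @()
    foreach ($entry in $Events) {
        if ($AsReported) {
            # Operands reversed: the whole multi-element exclude list is the test value.
            $excluded = $ExcludeEventId.Count -ne 0 -and $entry.InstanceID -contains $ExcludeEventId
        } else {
            # Reference values on the left, the single test value on the right.
            $excluded = $ExcludeEventId.Count -ne 0 -and $ExcludeEventId -contains $entry.InstanceID
        }
        if ($excluded) { continue }

        # As reported, $skip starts as $true even when no include filter was given.
        $skip = $AsReported -or ($IncludeMessage.Count -ne 0)
        foreach ($inMessage in $IncludeMessage) {
            if ([string]$entry.Message -like [string]$inMessage) { $skip = $false; break }
        }
        if ($skip) { continue }
        $filteredEvents += $entry
    }
    return ,$filteredEvents
}

$exclude   = @(4625, 4771)
$reported  = Select-SampleEvent -Events $sampleEvents -ExcludeEventId $exclude -AsReported
$corrected = Select-SampleEvent -Events $sampleEvents -ExcludeEventId $exclude
"as reported: {0} event(s); corrected: {1} event(s) [{2}]" -f $reported.Count, $corrected.Count, ($corrected.InstanceID -join ',')
```

With `-AsReported` the result is empty regardless of the exclude list, so a check built on that logic reports no events at all.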

@LordHepipud LordHepipud self-assigned this Mar 16, 2020
@LordHepipud LordHepipud added the bug Something isn't working label Mar 16, 2020
@LordHepipud
Collaborator

Hello and thank you for the report. I will have a look at this tomorrow and report back with a hopefully fixed result.

Could you please add your check configuration here? Then I could properly test with your case if the issue is fixed or if it persists.

Thank you in advance!


i3astian commented Apr 8, 2020

Hi,

a little bit late, but here's the configuration:

commands.conf:

object CheckCommand "windows_check_cpu" {
    import "plugin-check-command"
    command = [
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    ]
    timeout = 3m
    arguments += {
        "-C" = {
            order = 0
            value = "Use-Icinga; exit Invoke-IcingaCheckCPU"
        }
        "-Critical" = {
            order = 2
            value = "$PowerShell_Critical$"
        }
        "-NoPerfData" = {
            order = 6
            set_if = "$PowerShell_NoPerfData$"
        }
        "-Verbosity" = {
            order = 4
            value = "$PowerShell_Verbosity$"
        }
        "-Warning" = {
            order = 1
            value = "$PowerShell_Warning$"
        }
        "-Core" = {
            order = 3
            value = "$PowerShell_Core$"
        }
    }
    vars.PowerShell_Critical = "$$null"
    vars.PowerShell_NoPerfData = "0"
    vars.PowerShell_Verbosity = "0"
    vars.PowerShell_Warning = "$$null"
    vars.PowerShell_Core = "*"
}

object CheckCommand "windows_check_memory" {
    import "plugin-check-command"
    command = [
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    ]
    timeout = 3m
    arguments += {
        "-C" = {
            order = 0
            value = "Use-Icinga; exit Invoke-IcingaCheckMemory"
        }
        "-Critical" = {
            order = 3
            value = "$PowerShell_Critical$"
        }
        "-CriticalPercent" = {
            order = 4
            value = "$PowerShell_CriticalPercent$"
        }
        "-NoPerfData" = {
            order = 6
            set_if = "$PowerShell_NoPerfData$"
        }
        "-Verbosity" = {
            order = 5
            value = "$PowerShell_Verbosity$"
        }
        "-Warning" = {
            order = 1
            value = "$PowerShell_Warning$"
        }
        "-WarningPercent" = {
            order = 2
            value = "$PowerShell_WarningPercent$"
        }
    }
    vars.PowerShell_Critical = "$$null"
    vars.PowerShell_CriticalPercent = "$$null"
    vars.PowerShell_NoPerfData = "0"
    vars.PowerShell_Verbosity = "0"
    vars.PowerShell_Warning = "$$null"
    vars.PowerShell_WarningPercent = "$$null"
}

object CheckCommand "windows_check_disk" {
    import "plugin-check-command"
    command = [
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    ]
    timeout = 3m
    arguments += {
        "-C" = {
            order = 0
            value = "Use-Icinga; exit Invoke-IcingaCheckUsedPartitionSpace"
        }
        "-Critical" = {
            order = 2
            value = "$PowerShell_Critical$"
        }
        "-NoPerfData" = {
            order = 6
            set_if = "$PowerShell_NoPerfData$"
        }
        "-Verbosity" = {
            order = 5
            value = "$PowerShell_Verbosity$"
        }
        "-Warning" = {
            order = 1
            value = "$PowerShell_Warning$"
        }
        "-Include" = {
            order = 3
            value = "$PowerShell_Include$"
        }
        "-Exclude" = {
            order = 4
            value = "$PowerShell_Exclude$"
        }
    }
    vars.PowerShell_Critical = "$$null"
    vars.PowerShell_NoPerfData = "0"
    vars.PowerShell_Verbosity = "0"
    vars.PowerShell_Warning = "$$null"
    vars.PowerShell_Include = "$$null"
    vars.PowerShell_Exclude = "$$null"
}

object CheckCommand "windows_check_uptime" {
    import "plugin-check-command"
    command = [
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    ]
    timeout = 3m
    arguments += {
        "-C" = {
            order = 0
            value = "Use-Icinga; exit Invoke-IcingaCheckUptime"
        }
        "-Critical" = {
            order = 2
            value = "$PowerShell_Critical$"
        }
        "-NoPerfData" = {
            order = 6
            set_if = "$PowerShell_NoPerfData$"
        }
        "-Verbosity" = {
            order = 5
            value = "$PowerShell_Verbosity$"
        }
        "-Warning" = {
            order = 1
            value = "$PowerShell_Warning$"
        }
    }
    vars.PowerShell_Critical = "$$null"
    vars.PowerShell_NoPerfData = "0"
    vars.PowerShell_Verbosity = "0"
    vars.PowerShell_Warning = "$$null"
}

object CheckCommand "windows_check_eventlog" {
    import "plugin-check-command"
    command = [
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    ]
    timeout = 3m
    arguments += {
        "-C" = {
            order = 0
            value = "Use-Icinga; exit Invoke-IcingaCheckEventlog"
        }
        "-Critical" = {
            order = 2
            value = "$PowerShell_Critical$"
        }
        "-NoPerfData" = {
            order = 4
            set_if = "$PowerShell_NoPerfData$"
        }
        "-Verbosity" = {
            order = 3
            value = "$PowerShell_Verbosity$"
        }
        "-Warning" = {
            order = 1
            value = "$PowerShell_Warning$"
        }
        "-LogName" = {
            order = 5
            value = "$PowerShell_LogName$"
        }
        "-IncludeEventId" = {
            order = 6
            value = "$PowerShell_IncludeEventId$"
        }
        "-ExcludeEventId" = {
            order = 7
            value = "$PowerShell_ExcludeEventId$"
        }
        "-IncludeUsername" = {
            order = 8
            value = "$PowerShell_IncludeUsername$"
        }
        "-ExcludeUsername" = {
            order = 9
            value = "$PowerShell_ExcludeUsername$"
        }
        "-IncludeEntryType" = {
            order = 10
            value = "$PowerShell_IncludeEntryType$"
        }
        "-ExcludeEntryType" = {
            order = 11
            value = "$PowerShell_ExcludeEntryType$"
        }
        "-IncludeMessage" = {
            order = 12
            value = "$PowerShell_IncludeMessage$"
        }
        "-ExcludeMessage" = {
            order = 13
            value = "$PowerShell_ExcludeMessage$"
        }
        "-After" = {
            order = 14
            value = "$PowerShell_After$"
        }
        "-Before" = {
            order = 15
            value = "$PowerShell_Before$"
        }
        "-DisableTimeCache" = {
            order = 16
            value = "$PowerShell_DisableTimeCache$"
        }
    }
    vars.PowerShell_Critical = "$$null"
    vars.PowerShell_NoPerfData = "0"
    vars.PowerShell_Verbosity = "0"
    vars.PowerShell_Warning = "$$null"
    vars.PowerShell_DisableTimeCache = "0"
    vars.PowerShell_Before = "$$null"
    vars.PowerShell_After = "$$null"
    vars.PowerShell_ExcludeMessage = "$$null"
    vars.PowerShell_IncludeMessage = "$$null"
    vars.PowerShell_ExcludeEntryType = "$$null"
    vars.PowerShell_IncludeEntryType = "$$null"
    vars.PowerShell_ExcludeUsername = "$$null"
    vars.PowerShell_IncludeUsername = "$$null"
    vars.PowerShell_ExcludeEventId = "$$null"
    vars.PowerShell_IncludeEventId = "$$null"
    vars.PowerShell_LogName = "$$null"
}

services.conf:

apply Service "Windows Check CPU" {
  import "generic-service"
  check_command = "windows_check_cpu"
  command_endpoint = host.name
  if (host.vars.windows_check_cpu) {
    vars += host.vars.windows_check_cpu
  }
  assign where host.vars.os == "Windows"
  ignore where host.vars.noagent
  ignore where !host.vars.powershell
}

apply Service "Windows Check Memory" {
  import "generic-service"
  check_command = "windows_check_memory"
  command_endpoint = host.name
  if (host.vars.windows_check_memory) {
    vars += host.vars.windows_check_memory
  }
  assign where host.vars.os == "Windows"
  ignore where host.vars.noagent
  ignore where !host.vars.powershell
}

apply Service "Windows Check Disk" {
  import "generic-service"
  check_command = "windows_check_disk"
  command_endpoint = host.name
  if (host.vars.windows_check_disk) {
    vars += host.vars.windows_check_disk
  }
  assign where host.vars.os == "Windows"
  ignore where host.vars.noagent
  ignore where !host.vars.powershell
}

apply Service "Windows Check Uptime" {
  import "generic-service"
  check_command = "windows_check_uptime"
  command_endpoint = host.name
  if (host.vars.windows_check_uptime) {
    vars += host.vars.windows_check_uptime
  }
  assign where host.vars.os == "Windows"
  ignore where host.vars.noagent
  ignore where !host.vars.powershell
}

apply Service "Windows Check EventLog" for (eventlog => config in host.vars.windows_check_eventlog) {
  import "generic-service"
  check_command = "windows_check_eventlog"
  command_endpoint = host.name  
  display_name = config.PowerShell_LogName
  vars += config

  assign where host.vars.os == "Windows"
  ignore where host.vars.noagent
  ignore where !host.vars.powershell
}

templates.conf:

template Host "windows-with-powershell" {
  import "generic-host"

  vars.os = "Windows"
  vars.noagent = false
  vars.powershell = true
  
  vars.windows_check_cpu = {
    PowerShell_Critical  = "95"
    PowerShell_Warning  = "85"
  }

  vars.windows_check_memory = {
    PowerShell_CriticalPercent  = "80"
    PowerShell_WarningPercent  = "60"
  }

  vars.windows_check_disk = {
    PowerShell_Critical  = "95"
    PowerShell_Warning  = "90"
  }

  vars.windows_check_uptime = {
    PowerShell_Critical  = "1d:"
    PowerShell_Warning  = "2d:"
  }

  vars.windows_check_eventlog = {
    Application = {
      PowerShell_LogName = "Application"
      PowerShell_IncludeEntryType = "Warning,Error"
      PowerShell_ExcludeEventId = "1002,1008,1022,1023,2004,902,903,2001,76,220,211,212,221,222,223"
      PowerShell_Warning = "2"
      PowerShell_Critical = "5"
      PowerShell_Verbosity = "3"
      PowerShell_After = "(Get-Date).AddDays(-1).ToString('dd.MM.yyyy')" }
    System = {
      PowerShell_LogName = "System"
      PowerShell_IncludeEntryType = "Warning,Error"
      PowerShell_ExcludeEventId = "10016,10010,4227"
      PowerShell_Warning = "2"
      PowerShell_Critical = "5"
      PowerShell_Verbosity = "3"
      PowerShell_After = "(Get-Date).AddDays(-1).ToString('dd.MM.yyyy')" }
    Security = {
      PowerShell_LogName = "Security"
      PowerShell_IncludeEntryType = "FailureAudit"
      PowerShell_ExcludeEventId = "4625"
      PowerShell_Warning = "2"
      PowerShell_Critical = "5"
      PowerShell_Verbosity = "3"
      PowerShell_After = "(Get-Date).AddDays(-1).ToString('dd.MM.yyyy')" }
  }
}

host.conf:

object Endpoint "xxxxx.xxxxx.xxx" {
  host = "xxxxx.xxxxx.xxx"
}

object Zone "xxxxx.xxxxx.xxx" {
  endpoints = [ "xxxxx.xxxxx.xxx" ];
  parent = "master"
}

object Host "xxxxx.xxxxx.xxx" {
  import "windows-with-powershell"
  display_name = "xxxxx"
  address = "192.168.xxx.xxx"
  
}
