Windows Event Log Monitoring
Windows Event Log Monitoring With Nagios
Nagios provides complete monitoring of Microsoft Windows event logs: it can watch the event logs and alert you when an entry matches a pattern you have defined.
Implementing effective Windows event log monitoring with Nagios offers the following benefits:
- Increased security
- Increased awareness of network infrastructure problems
- Increased server, services, and application availability
- Fast detection of network outages and protocol failures
- Fast detection of failed processes, services and batch jobs
- Audit compliance
- Regulatory compliance
Monitoring Windows Event Logs With NagEventLog
You must have completed the following steps before you can monitor Windows event logs using this documentation:
Configure NSCA on the Nagios XI Server
You must have configured the NSCA agent on your Nagios XI server in order to monitor Windows event logs with NagEventLog. Instructions for configuring NSCA can be found in a separate document titled “Using NSCA With XI”. This document can be found on the Nagios Library (http://library.nagios.com) or can be downloaded directly at:
Install the Windows Event Log Monitoring Wizard
You must install the Windows Event Log Monitoring Wizard on your Nagios XI server. The wizard can be downloaded from:
In order to monitor Windows event logs using Nagios XI and the NagEventLog agent, you must complete the following:
- Install the NagEventLog agent on the Windows machine
- Configure the NagEventLog agent and define event log filters/patterns to monitor
- Run the Windows Event Log monitoring wizard in Nagios XI
The following pages will take you through each of these steps.
In order to monitor Windows event logs with Nagios XI, you must install the NagEventLog agent on the Windows machine. You can get the latest version of NagEventLog from Steve Shipway’s website (http://www.steveshipway.org/software/) or download a copy of the latest version (1.9.2 as of the time of writing) from:
Launch the NagEventLog installer on the Windows machine and click Next to get started.
Read the program and license information and click Next to continue.
When prompted for the installation directory, click Next to accept the default and continue.
When prompted for which components to install, click Next to accept the defaults and continue.
When prompted for the start menu folder name, click Next to accept the default and continue.
On the configuration screen, make sure you specify:
- The host name (as currently defined, or as you will define it in Nagios XI) for the Windows machine you are installing the agent on in the “Host name for this computer” field.
- The IP address of the Nagios XI server in the “Nagios NSCA Server name” field.
- The port that NSCA is running on (defaults to 5667) on the Nagios XI server in the “Nagios NSCA Server port” field.
- The password that you have configured NSCA to use on the Nagios XI server in the “Nagios NSCA Server password” field.
Click Next to continue.
On the next screen, optionally select the option to create a desktop icon for the NagEventLog agent (recommended).
Click Next to continue.
Click Install to begin the installation.
Click Next to continue once the installation is completed.
Note: You’re not finished yet! You still need to configure the agent. Instructions for doing so are found on the following pages.
Make sure the “Configure the EventLog monitor” option is selected and click Finish.
The main configuration screen for the agent will appear.
Click the NSCA Daemons button to finish configuration of the NSCA settings.
The NSCA Server Settings screen will appear. Make sure the encryption method you select in the Encryption option is the same one configured for decrypting data in the NSCA configuration on the Nagios XI server.
Important: If the NSCA password and/or encryption method do not match the settings used by the NSCA agent on the Nagios XI server, event log monitoring will not work!
Click OK to continue.
Select Yes when prompted if you want to save the NSCA settings.
Important: If you changed NSCA settings, you will have to restart the NagiosEventLog service on the Windows machine.
You can do this by using the Computer Management console, or by issuing the following commands from a command prompt:
net stop NagiosEventLog
net start NagiosEventLog
Configuring Event Log Monitoring
To configure how event logs are monitored, you define one or more filters in the Nagios Eventlog Control Manager.
How Filters Work
When an event log item matches a filter you defined, the NagEventLog agent will send an alert to the Nagios server using the NSCA protocol.
There are three default filters that get defined – one each for the System, Application, and Security event logs.
Filters are matched by priority in the order they are defined. You can change the priority of filters by using the Move up and Move down buttons.
Creating New Filters
To create a new filter, click the Create New button.
Editing Existing Filters
To edit an existing filter, select the filter from the drop-down list and click the Edit button.
Defining Filter Settings
When defining or changing each filter’s settings, you are able to specify:
- What Windows Event Log the filter applies to
- What type of events match the filter rules, including:
  - Event type (Error, Warning, Audit Failure, etc.)
  - Event IDs (optional)
  - String matches (optional)
  - Event sources (optional)
- The service name (as defined in Nagios XI) that alerts for the filter will be associated with.
- The service status (i.e. the criticality) that a filter match produces.
Important: The service name you define in each filter must correspond to a service in Nagios XI. You will define the services using the Nagios XI wizard on the following pages of the documentation.
Using The Configuration Wizard
Once you have finished defining event log filters on the Windows machine, you need to run the Windows Event Log Monitoring wizard in Nagios XI.
When you run the wizard, make sure of the following:
- The Host Name you specify in the wizard matches the Host Name you specified in the NSCA Server Settings screen of the NagEventLog agent.
- The Event Log Service Names you specify in the wizard match the Service Names you specified when defining filters in the NagEventLog agent.
Once you finish using the wizard, Nagios XI will create the services for handling event log information.
Note: A special EventLog Agent service is created to handle heartbeat information sent from the NagEventLog agent.
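The filter behaviour described above (first-match priority, the optional event ID, string and source criteria, and the requirement that each filter’s service name exist in Nagios XI) can be checked offline with a small emulation. This is an added example, not NagEventLog’s own code; the filters, events and host name are constructed, and the output line follows the tab-separated host/service/state/output form that send_nsca accepts.

```python
"""Emulation of NagEventLog filter evaluation (constructed example, not the agent's code)."""
from dataclasses import dataclass, field

# Nagios service states used for the "service status" of a filter match.
STATES = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3}


@dataclass
class Filter:
    log: str            # "System", "Application" or "Security"
    types: set          # e.g. {"Error", "Audit Failure"}
    service: str        # service name as defined in Nagios XI
    status: str         # state reported when the filter matches
    event_ids: set = field(default_factory=set)    # optional
    strings: list = field(default_factory=list)    # optional substring matches
    sources: set = field(default_factory=set)      # optional

    def matches(self, ev):
        if ev["log"] != self.log or ev["type"] not in self.types:
            return False
        if self.event_ids and ev["id"] not in self.event_ids:
            return False
        if self.sources and ev["source"] not in self.sources:
            return False
        return not self.strings or any(s in ev["message"] for s in self.strings)


def first_match(filters, ev):
    """Filters are evaluated by priority, i.e. list order; the first hit wins."""
    return next((f for f in filters if f.matches(ev)), None)


def passive_result(host, flt, ev):
    """Tab-separated host/service/state/output line, as send_nsca reads it."""
    return f"{host}\t{flt.service}\t{STATES[flt.status]}\t{ev['source']} {ev['id']}: {ev['message']}"


def missing_services(filters, xi_services):
    """Filter service names with no matching Nagios XI service: those alerts are lost."""
    return sorted({f.service for f in filters} - set(xi_services))


# Constructed filters: a specific Security filter is placed above the three
# default catch-all filters so that it takes priority for event ID 4625.
FILTERS = [
    Filter("Security", {"Audit Failure"}, "Security Logon Failures", "CRITICAL", event_ids={4625}),
    Filter("System", {"Error", "Warning"}, "System Event Log", "WARNING"),
    Filter("Application", {"Error"}, "Application Event Log", "WARNING"),
    Filter("Security", {"Audit Failure"}, "Security Event Log", "WARNING"),
]
# Constructed sample events in the shape the agent reads from the Windows logs.
EVENTS = [
    {"log": "Security", "type": "Audit Failure", "id": 4625, "source": "Security-Auditing", "message": "An account failed to log on."},
    {"log": "System", "type": "Error", "id": 7031, "source": "Service Control Manager", "message": "Spooler terminated unexpectedly."},
    {"log": "Application", "type": "Information", "id": 1000, "source": "MyApp", "message": "Started."},
]
```

Running `missing_services(FILTERS, [...])` against the service names the wizard created is the quickest way to catch the mismatch the Important note above warns about.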
This screenshot gives an example of how things might look after event log alerts start to arrive from the NagEventLog agent.
These Nagios solutions provide Windows event log monitoring capabilities and benefits:
Nagios Log Server - The Industry Standard Log Analysis, Log Monitoring, and Log Management Solution
Nagios Log Server is the most powerful IT log analysis solution on the market. Nagios Log Server extends on proven, enterprise-class Open Source components to deliver the best log monitoring and analysis solution for today's demanding organizational requirements.
Designed for scalability and flexibility, Nagios Log Server makes otherwise laborious IT log analysis and monitoring tasks simple, while retaining the powerful attributes of its enterprise-class foundation blocks.
Nagios Log Server allows you to quickly and easily collect, analyze, monitor, and view log data from all systems in one centralized location. Nagios Log Server offers complete monitoring and management of:
- Windows Event Logs
- Linux/Unix Syslog Data
- Application Logs
- Apache and IIS Web Server Logs
- Custom Log Files
by Scott Wilkerson