The Industry Standard in IT Infrastructure Monitoring

Purpose

This document describes how to monitor Windows event logs using Nagios XI and the NagEventLog addon.

Target Audience

This document is intended for use by Nagios XI Administrators.

Prerequisites

You must have completed the following steps before you can monitor Windows event logs using this documentation:

Configure NSCA on the Nagios XI Server

You must have configured the NSCA agent on your Nagios XI server in order to monitor Windows event logs with NagEventLog. Instructions for configuring NSCA can be found in a separate document titled Using NSCA With XI:
https://assets.nagios.com/downloads/nagiosxi/docs/using_nsca_with_xi.pdf

Overview

In order to monitor Windows event logs using Nagios XI and the NagEventLog agent, you must complete the following:

1. Install the NagEventLog agent on the Windows machine
2. Configure the NagEventLog agent and define event log filters/patterns to monitor
3. Run the Windows Event Log monitoring wizard in Nagios XI

The following pages will take you through each of these steps.

Note: If you are installing NagEventLog on 64-bit versions of Microsoft Windows, you will need to install the following first: Microsoft Visual C++ 2005 Redistributable Package (x86)
https://www.microsoft.com/en-us/download/details.aspx?id=3387
Once this has been installed, proceed with the steps below.
Installing NagEventLog

In order to monitor Windows event logs with Nagios XI, you must install the NagEventLog agent on the Windows machine. You can get the latest version of NagEventLog from Steve Shipway's website (http://www.steveshipway.org/software/) or download a copy of the latest version (1.9.2 as of the time of writing) from:
http://assets.nagios.com/downloads/addons/nageventlog/nagevlog-setup-1.9.2.exe

Launch the NagEventLog installer on the Windows machine and click Next to get started.

Read the program and license information and click Next to continue.

When prompted for the installation directory, click Next to accept the default and continue.
When prompted for which components to install, click Next to accept the defaults and continue.

When prompted for the start menu folder name, click Next to accept the default and continue.

On the configuration screen, make sure you specify:

- The host name (as currently defined, or as you will define it in Nagios XI) for the Windows machine you are installing the agent on, in the Host name for this computer field.
- The IP address of the Nagios XI server, in the Nagios NSCA Server name field.
- The port that NSCA is running on (defaults to 5667) on the Nagios XI server, in the Nagios NSCA Server port field.
- The password that you have configured NSCA to use on the Nagios XI server, in the Nagios NSCA Server password field.

Click Next to continue.
On the next screen, optionally select the option to create a desktop icon for the NagEventLog agent (recommended). Click Next to continue.

Click Install to begin the installation.

Note: On 64-bit versions of Microsoft Windows, you will receive the following error four times. Simply click OK each time and the installation will complete. NagEventLog will work regardless of this error.
Click Next to continue once the installation is completed.

Note: You're not finished yet! You still need to configure the agent. Instructions for doing so are found on the following pages.

Make sure the Configure the EventLog monitor option is selected and click Finish.

The main configuration screen for the agent will appear. Click the NSCA Daemons button to finish configuration of the NSCA settings.
Note: On 64-bit versions of Microsoft Windows, you will see the following error on the screen: "Service is not installed or error encountered!". You will need to close the Nagios EventLog Service Control Manager and reopen it with Administrator privileges. This can be done by right-clicking the Configure EventLog Agent icon and selecting Run as Administrator.

Continuing from the last step, click the NSCA Daemons button to finish configuration of the NSCA settings. The NSCA Server Settings screen will appear.

The Primary NSCA Daemon field needs to be the address of your Nagios XI server.

The Host Name in Nagios field is the host object that will be targeted in Nagios XI for the services that will be receiving the event logs.

Make sure the encryption method you select in the Encryption option is the same one the NSCA configuration on the Nagios XI server uses to decrypt data.

Important: If the NSCA password and/or encryption method do not match the settings used by the NSCA agent on the Nagios XI server, event log monitoring will not work!

Click OK to continue. Select Yes when prompted if you want to save the NSCA settings.
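The password and encryption method entered in the NSCA Server Settings dialog have to agree with the nsca.cfg on the Nagios XI server, and a mismatch only shows up as results that never arrive. The following pre-flight check is an added example, not code shipped with NagEventLog or Nagios XI: it parses a constructed nsca.cfg excerpt (the directive names server_port, password and decryption_method are the real nsca.cfg keys; the values are made up) and compares it with the port, password and method you typed into the agent dialog, which are assumed to be collected into a small dict. It also flags decryption_method 0 (none) or 1 (simple XOR), which offer no real protection of the event text in transit.

```python
"""Pre-flight check that the NSCA settings entered in the NagEventLog agent
match the nsca.cfg on the Nagios XI server. Added example, not part of
NagEventLog or Nagios XI. Directive names are the real nsca.cfg keys; the
sample values are constructed."""

# Constructed excerpt of the server-side nsca.cfg. Real files carry many
# more directives; only the three below matter for this check.
NSCA_CFG = """
# nsca.cfg (constructed sample)
server_port=5667
password=example-password
# decryption_method: 0=none, 1=simple XOR (the default); higher values
# select a real cipher, see the comments in nsca.cfg for the full list
decryption_method=16
"""

# Methods that give no real confidentiality on the wire.
WEAK_METHODS = {0: "none", 1: "simple XOR"}


def parse_nsca_cfg(text):
    """Return a {directive: value} dict from key=value lines, skipping
    blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def check_agent_settings(server_cfg, agent):
    """Compare the agent-side values (port, password and encryption method
    as entered in the NagEventLog NSCA Server Settings dialog; assumed to be
    passed in as a dict) with the parsed nsca.cfg. Returns a list of
    problems; an empty list means the two sides agree."""
    problems = []
    server_port = int(server_cfg.get("server_port", 5667))
    server_method = int(server_cfg.get("decryption_method", 1))
    if agent["port"] != server_port:
        problems.append(f"port mismatch: agent {agent['port']}, server {server_port}")
    if agent["password"] != server_cfg.get("password", ""):
        problems.append("password mismatch: agent password differs from nsca.cfg")
    if agent["encryption_method"] != server_method:
        problems.append(
            f"encryption mismatch: agent method {agent['encryption_method']}, "
            f"server decryption_method {server_method}")
    if server_method in WEAK_METHODS:
        problems.append(
            f"weak transport: decryption_method={server_method} "
            f"({WEAK_METHODS[server_method]}) gives no real encryption of "
            "event data in transit")
    return problems


if __name__ == "__main__":
    cfg = parse_nsca_cfg(NSCA_CFG)
    # Values as typed into the agent dialog (constructed).
    agent = {"port": 5667, "password": "example-password", "encryption_method": 16}
    for problem in check_agent_settings(cfg, agent) or ["agent and server settings agree"]:
        print(problem)
```

Run it with the real nsca.cfg contents in place of the sample and the values from the agent dialog; any line it prints other than the "agree" message is a reason the agent's results are being rejected before the filters are even considered.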
Important: If you changed NSCA settings, you will have to restart the NagiosEventLog service on the Windows machine. You can do this by using the Computer Management console, or by issuing the following commands from a command prompt:

net stop NagiosEventLog
net start NagiosEventLog

Configuring Event Log Monitoring

To configure how event logs are monitored, you define one or more filters in the Nagios Eventlog Control Manager.

How Filters Work

When an event log item matches a filter you defined, the NagEventLog agent will send an alert to the Nagios server using the NSCA protocol.

Default Filters

There are three default filters, one each for the System, Application, and Security event logs.

Prioritizing Matches

Filters are matched by priority in the order they are defined. You can change the priority of filters by using the Move up and Move down buttons.

Creating New Filters

To create a new filter, click the Create New button.

Editing Existing Filters

To edit an existing filter, select the filter from the drop-down list and click the Edit button.
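Because filters are tried in the order they are listed, a broad filter placed above a more specific one takes all of its events, and the specific filter's service name and status are never used. The simulation below is an added example, not NagEventLog's own code: it models a filter with the fields the Control Manager exposes (event log, event type, optional event IDs, strings and sources, service name, service status), applies the first-match rule in priority order, and formats each match as the host/service/status/output line that send_nsca reads. The filter names, service names, host name and sample events are constructed (the wizard's default service names are not assumed here); event ID 4625 is the standard Windows failed-logon audit event.

```python
"""Simulation of how NagEventLog-style filters select events and turn them
into NSCA passive check results. Added example, not code from NagEventLog;
the filter fields mirror the ones the Control Manager exposes, but the
class names, sample filters and sample events are constructed."""
from dataclasses import dataclass, field

# Nagios service status codes as carried in a passive check result.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


@dataclass
class Event:
    log: str           # "System", "Application" or "Security"
    event_type: str    # "Error", "Warning", "Information", "Audit Failure", ...
    event_id: int
    source: str
    message: str


@dataclass
class Filter:
    log: str
    event_types: set
    service: str       # must equal a service defined in Nagios XI
    status: int        # status to report on a match
    event_ids: set = field(default_factory=set)    # optional: empty = any
    strings: list = field(default_factory=list)    # optional: any substring
    sources: set = field(default_factory=set)      # optional: empty = any

    def matches(self, ev):
        """Every populated criterion must hold; empty optional ones match anything."""
        if ev.log != self.log or ev.event_type not in self.event_types:
            return False
        if self.event_ids and ev.event_id not in self.event_ids:
            return False
        if self.sources and ev.source not in self.sources:
            return False
        if self.strings and not any(s.lower() in ev.message.lower() for s in self.strings):
            return False
        return True


def first_match(filters, ev):
    """Filters are tried in priority order; the first one that matches wins,
    so a broad filter placed above a specific one swallows its events."""
    for flt in filters:
        if flt.matches(ev):
            return flt
    return None


def passive_result(host, flt, ev):
    """One line in the format send_nsca reads: host<TAB>service<TAB>status<TAB>output."""
    output = f"{ev.log} {ev.event_type} id={ev.event_id} source={ev.source}: {ev.message}"
    return f"{host}\t{flt.service}\t{flt.status}\t{output}"


def process(host, filters, events):
    """Return the passive results the agent would send for a batch of events."""
    results = []
    for ev in events:
        flt = first_match(filters, ev)
        if flt is not None:
            results.append(passive_result(host, flt, ev))
    return results


# Constructed filters in priority order: the specific failed-logon filter
# deliberately sits above the catch-all Security filter.
FILTERS = [
    Filter("Security", {"Audit Failure"}, "Failed Logons", CRITICAL, event_ids={4625}),
    Filter("Security", {"Audit Failure"}, "Security Event Log", WARNING),
    Filter("System", {"Error", "Warning"}, "System Event Log", WARNING,
           sources={"Service Control Manager"}),
]

# Constructed events; 4625 is the Windows ID for a failed logon attempt.
EVENTS = [
    Event("Security", "Audit Failure", 4625, "Microsoft-Windows-Security-Auditing",
          "An account failed to log on."),
    Event("System", "Error", 7034, "Service Control Manager",
          "The Print Spooler service terminated unexpectedly."),
    Event("Application", "Information", 1000, "ExampleApp", "Started."),  # matches nothing
]

if __name__ == "__main__":
    for line in process("winserver01", FILTERS, EVENTS):
        print(line)
```

Reversing FILTERS sends the 4625 event to "Security Event Log" as a WARNING instead of to "Failed Logons" as CRITICAL, which is exactly the effect of the Move up and Move down buttons; the Application event reaches no filter and is never sent, so a log you want to watch needs a filter of its own.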
Defining Filter Settings

When defining or changing each filter's settings, you are able to specify:

1. What Windows Event Log the filter applies to
2. What type of events match the filter rules, including:
   a. Event type (Error, Warning, Audit Failure, etc.)
   b. Event IDs (optional)
   c. String matches (optional)
   d. Event sources (optional)
3. The service name (as defined in Nagios XI) that alerts for the filter will be associated with
4. The service status (e.g. criticality) of a filter match

Important: The service name you define in each filter must correspond to a service in Nagios XI. You will define the services using the Nagios XI wizard on the following pages of the documentation.

Using The Configuration Wizard

Once you have finished defining event log filters on the Windows machine, you need to run the Windows Event Log wizard in Nagios XI.

Navigate via the top menu bar to Configure > Run a configuring wizard, and select the Windows Event Log wizard. In the following screenshot you can see how the search field allows you to quickly find a wizard.
On Step 1 you will be asked to supply the address of the machine running the NagEventLog client. This must match the Host Name you specified in the NSCA Server Settings screen of the NagEventLog agent.

Click Next to progress to Step 2.

On Step 2 you need to make sure the Host Name field matches the NagEventLog setting Host Name in Nagios.

The Event Log Service Names you specify in the wizard must match the Service Names you specified when defining filters in the NagEventLog agent. The default entries you see in the wizard match the default settings in NagEventLog.

Click Next and then complete the wizard by choosing the required options in Step 3 through Step 5.

To finish up, click on Finish in the final step of the wizard. This will create the new hosts and services and begin monitoring.
Once the wizard applies the configuration, click the View status details for xxxxx link to see the new host and services that were created.

Note: A special EventLog Agent service is created to handle heartbeat information sent from the NagEventLog agent.

This screenshot gives an example of how things might look after event log alerts start to arrive from the NagEventLog agent.

Finishing Up

If you have any issues with monitoring event logs with your Nagios XI system, please post your questions on the Nagios Support Forums at the following URL:
https://support.nagios.com/