Windows Event logs monitor added to Xymonton

6 messages in this thread

David Baldwin · Tue, 17 Aug 2010 19:09:40 +1000
This is my solution for the deficiencies of both BBNT's msgs and BBwin
(broken in central mode) Windows event log reporting. Neither
effectively works for Vista/2008 to my knowledge.

http://xymonton.trantor.org/doku.php/monitors:winevtmsgs.pl

Reports on Windows Event logs forwarded with SNARE (a free Windows event
log forwarder over syslog)
http://www.intersectalliance.com/projects/SnareWindows/index.html

Each Windows server needs the appropriate version of Snare installed
(Vista/2008 different from older versions of Windows) and configured to
forward to central syslog server.

Install on the central syslog server. It is assumed this is the same as the
Xymon server (use the bb-hosts 'evt' tag to denote tested hosts).
A sample config for rsyslog is documented.

Can also report on cluster nodes and cluster resources (e.g. SQL or
Exchange) - in such cases each cluster node forwards all events for all
nodes.

Highly configurable alerting on various event log fields by exact string
match or regexp. Sample rule:

#  sample rule:
#    DCs (Domain Controllers)
#    host name specified by regexp
#    ignore System:MRxSMB 8003 messages about Browser service
#    yellow on System:KDC 26 messages (often Error, but not that significant)
#    green on System:NETLOGON (various) messages (often Error) about
#      deleted/disabled/etc computer accounts
#
#          "DCs" => {
#              "host" => qr/^(dc\d+)/i,
#              "ignore" => {
#                  "Browser" => {
#                      "src" => "System",
#                      "cat" => "MRxSmb",
#                      "evn" => qr/^(8003)$/,
#                  },
#              },
#              "yellow" => {
#                  "KDC" => {
#                      "src" => "System",
#                      "cat" => "KDC",
#                      "evn" => "26",
#                  },
#              },
#              "green" => {
#                  "NoCompAcct" => {
#                      "src" => "System",
#                      "cat" => "NETLOGON",
#                      "evn" => qr/^(5719|572[23]|5805)$/,
#                  },
#              },
#          },

Any questions, suggestions, problems drop me a line.

David.

-- 
David Baldwin - IT Unit
Australian Sports Commission          www.ausport.gov.au
Tel 02 62147830 Fax 02 62141830       PO Box 176 Belconnen ACT 2616
user-cbbf693f2c89@xymon.invalid          Leverrier Street Bruce ACT 2617


Keep up to date with what's happening in Australian sport visit http://www.ausport.gov.au

This message is intended for the addressee named and may contain confidential and privileged information. If you are not the intended recipient please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you receive this message in error, please delete it and notify the sender.
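The rule matching described in the post above (a host regexp, then exact-string or regexp tests on the src/cat/evn fields, with an ignore class and colour classes), worked through as an added Python example that is not part of winevtmsgs.pl. The tab-separated record layout, the ignore-first precedence and the fallback colour for events matching no rule are assumptions made for this example, not the script's own behaviour.

```python
import re
# Rule table in the shape of the winevtmsgs.pl sample rule on the page: host regex plus
# ignore/yellow/green classes of src/cat/evn matchers (plain string = exact, pattern = regex).
RULES = {
    "DCs": {
        "host": re.compile(r"^(dc\d+)", re.IGNORECASE),
        "ignore": {"Browser": {"src": "System", "cat": "MRxSmb",
                               "evn": re.compile(r"^(8003)$")}},
        "yellow": {"KDC": {"src": "System", "cat": "KDC", "evn": "26"}},
        "green": {"NoCompAcct": {"src": "System", "cat": "NETLOGON",
                                 "evn": re.compile(r"^(5719|572[23]|5805)$")}},
    },
}
# Constructed sample records in a simplified layout (not Snare's real format):
# host<TAB>log<TAB>source<TAB>event id<TAB>type<TAB>message
SAMPLE_LINES = [
    "dc01\tSystem\tMRxSmb\t8003\tError\tThe master browser has received an announcement",
    "dc02\tSystem\tKDC\t26\tError\tWhile processing a TGS request ...",
    "dc01\tSystem\tNETLOGON\t5722\tError\tThe session setup from computer WS42 failed",
    "dc01\tSystem\tDisk\t7\tError\tThe device has a bad block.",
    "fs01\tSystem\tMRxSmb\t8003\tError\tThe master browser has received an announcement",
]
DEFAULT_COLOR = {"Error": "red", "Warning": "yellow"}  # assumed fallback by event type
RANK = {"green": 0, "yellow": 1, "red": 2}

def parse_line(line):
    host, log, source, evn, etype, msg = line.rstrip("\n").split("\t", 5)
    return {"host": host, "src": log, "cat": source, "evn": evn, "type": etype, "msg": msg}

def field_matches(matcher, value):
    if isinstance(matcher, str):
        return matcher == value
    return matcher.search(value) is not None

def classify(event, rules=RULES):
    """Return (colour, group, rule) of the first match; ignore is checked first."""
    for group, spec in rules.items():
        if not spec["host"].search(event["host"]):
            continue  # this rule group is for other hosts
        for color in ("ignore", "yellow", "green"):
            for name, crit in spec.get(color, {}).items():
                if all(field_matches(crit[k], event[k]) for k in ("src", "cat", "evn")):
                    return color, group, name
    return DEFAULT_COLOR.get(event["type"], "green"), None, None

def status_color(lines, rules=RULES):
    """Fold a batch into one Xymon test colour: red > yellow > green; ignored events skipped."""
    colors = [classify(parse_line(line), rules)[0] for line in lines]
    return max((c for c in colors if c != "ignore"), key=RANK.get, default="green")
```

Note that the ignore class only suppresses the event from the colour calculation; a real deployment would still want the suppressed event counts visible somewhere so an overly broad ignore rule is noticed.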
TJ Yang · Tue, 17 Aug 2010 16:58:28 -0500
On Tue, Aug 17, 2010 at 4:09 AM, David Baldwin
<user-cbbf693f2c89@xymon.invalid> wrote:
> This is my solution for the deficiencies of both BBNT's msgs and BBwin
> (broken in central mode) windows event log reporting.
I am preparing to deploy BBWin 0.12 at work.

Would you please elaborate more on how BBWin central mode msgs reporting
is broken?

Thanks for your time

-- 
T.J. Yang
David Baldwin · Wed, 18 Aug 2010 09:23:29 +1000
TJ Yang wrote:
> On Tue, Aug 17, 2010 at 4:09 AM, David Baldwin
> <user-cbbf693f2c89@xymon.invalid> wrote:
>> This is my solution for the deficiencies of both BBNT's msgs and BBwin
>> (broken in central mode) windows event log reporting.
> I am preparing to deploy BBWin 0.12 at work.
>
> Would you please elaborate more how BBWin central mode msgs reporting
> is broken ?
The ignore filtering and size limiting have no effect. I currently have
the following in /etc/hobbit/client-local.cfg - it doesn't do anything useful.

[win32]
log:eventlog_security:10240
ignore .*
ignore .
msgs:eventlog_security:10240
ignore .*
ignore .
eventlog:security:10240
ignore Windows Filter
ignore handle
ignore .*
ignore .
eventlog:System:10240
ignore .*
ignore .
eventlog:application:10240
ignore .*
ignore .

I also have success and failure auditing turned on - which means the
event log reports can be very big. Too big for hobbitd to handle even
with MAXMSG_DATA set at values like 15242880 (i.e. 15MB), so I get
"flooding" client errors.

Also, the event log subsystem has changed in Vista and Server 2008.
Neither BBNT nor BBWin seems to handle event log processing properly for
these.

Thanks, David.
TJ Yang · Tue, 17 Aug 2010 21:14:12 -0500
Thanks, David
I added your report as a bug here
https://sourceforge.net/tracker/?func=detail&aid=3047417&group_id=136450&atid=735923

tj
-- 
T.J. Yang
TJ Yang · Wed, 18 Aug 2010 07:49:20 -0500
David,

Do you have Windows XP clients monitored in central mode?
Do those XP clients have the same issue?

BBWin is only tested on NT/2000/XP Windows OS, according to the SF
project site (R1).

tj

R1: http://sourceforge.net/projects/bbwin/
-- 
T.J. Yang
David Baldwin · Thu, 19 Aug 2010 08:57:45 +1000
TJ,

TJ Yang wrote:
> Do you have Windows XP clients monitored in central mode?
> Do those XP clients have the same issue?
>
> BBWin is only tested on NT/2000/XP Windows OS, according to the SF
> project site (R1).

I'm running it on 2003 and 2008 servers. Other report sections are all
OK in general operation; [msgs] is the problem. The [route] report
is different on the first report after startup, but OK after that.

I'm wondering if writing a perl-based Windows client and then packaging
as a .EXE using pp under Strawberry perl might be an alternative.
hobbit-client.sh on Unix is pretty simple - just wraps the output of a
few different commands into a single client report.

Could give a bit more impetus to getting the perl libraries sorted too.
Hope people have taken a look at the Wiki page:
https://sourceforge.net/apps/mediawiki/xymon/index.php?title=Perl_Library_Discussion

Thanks, David.