
Windows EventID Filtering now working

indestructible
Windows EventID Filtering now working

Hi, All.

We want to monitor a specific event ID. We use: -H $HOSTADDRESS$ -c nsc_checkeventlog -a 'filter=new file=application filter+generated=<1h filter+severity==info filter=in filter=all truncate=1023 descriptions unique MaxCrit=1 filter+eventID==12345'.

The result we receive is OK, but it's wrong. The result should be Critical.

There is no event with id=12345 in the last hour.

When we use filter-eventID==12345 instead of filter+eventID==12345, we receive an OK result, with all info events that happened in the last hours. That's OK, because the "-" means exclude all events like "12345".

The question is: why does "+" not work?

We tried all options from "http://nsclient.org/nscp/wiki/CheckEventLog/CheckEventLog/old".

Please HELP!!!!

Thank you.
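The goal stated in the post is an "expected event" check: the Application log should contain event 12345 within the last hour, and the absence of that event is what should turn the result Critical. As an added illustration, not NSClient++ code and not the poster's, the Python below models that requirement directly as a Nagios-style check over a constructed sample of events: presence inside the window is OK, absence is CRITICAL. The field names, the sample events, the timestamp used as "now" and the `1h`/`30m`/`2d` window syntax are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample events (not real log data). "now" is fixed so the
# example is reproducible; a real check would use datetime.now().
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"log": "application", "event_id": 1000,  "level": "info",  "time": NOW - timedelta(minutes=10)},
    {"log": "application", "event_id": 2001,  "level": "error", "time": NOW - timedelta(minutes=20)},
    # the event we care about, but three hours old: outside a 1h window
    {"log": "application", "event_id": 12345, "level": "info",  "time": NOW - timedelta(hours=3)},
    # same ID but in a different log: must not satisfy an Application-log check
    {"log": "system",      "event_id": 12345, "level": "info",  "time": NOW - timedelta(minutes=5)},
]


def parse_window(spec):
    """Parse a window like '1h', '30m', '2d' or '45s' into a timedelta (assumed syntax)."""
    units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
    unit, amount = spec[-1], spec[:-1]
    if unit not in units or not amount.isdigit():
        raise ValueError(f"bad window spec: {spec!r}")
    return timedelta(**{units[unit]: int(amount)})


def expected_event_check(events, log, event_id, window, now=NOW, level=None):
    """Return (exit_code, message).

    OK when at least one event with the given ID exists in the named log
    inside the window (optionally restricted to a level); CRITICAL when none does.
    """
    cutoff = now - parse_window(window)
    hits = [
        e for e in events
        if e["log"] == log
        and e["event_id"] == event_id
        and e["time"] >= cutoff
        and (level is None or e["level"] == level)
    ]
    if hits:
        newest = max(h["time"] for h in hits)
        return OK, f"OK: {len(hits)} event(s) {event_id} in {log} within {window}, newest at {newest.isoformat()}"
    return CRITICAL, f"CRITICAL: no event {event_id} in {log} within the last {window}"


if __name__ == "__main__":
    import sys
    code, message = expected_event_check(SAMPLE_EVENTS, "application", 12345, "1h", level="info")
    print(message)
    sys.exit(code)
```

The check counts only events that satisfy every condition at once (right log, right ID, inside the window, and the level if one is given), so an event with the expected ID in a different log or outside the window does not make the result OK.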

smarsh
Re: Windows EventID Filtering now working

I'm not a Windows expert, however one of the options jumps out at me:

 filter+severity==info

Shouldn't this be '==critical' or whatever the equivalent is in Windows?

indestructible
Re: Windows EventID Filtering now working

Hi,

We are not looking for the ID of the "critical" event. We are looking for the ID of the "info" event, something that completed successfully. Actually, we can remove this (filter+severity==info) filter and search only for the ID. The "severity" filter actually does not matter here, because we are looking for a specific ID.

Thank you.

indestructible
Re: Windows EventID Filtering now working

Anyone?