pgobat
Joined: 25 Nov 2008 Posts: 22
|
Posted: Mon Aug 31, 2009 2:01 am Post subject: NT log test : if 60 same entries in an hour : bad |
|
|
Good morning
I am trying to make a test with NT logs, but it seems difficult (for me) to do.
I have to say:
If I receive an entry in the application log 60 times in an hour: it is a bad condition
If I receive less (30 for instance) it is OK
Is it possible to do that?
Thank you for your feedback
Best regards
Philippe |
|
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12797 Location: USA
|
Posted: Mon Aug 31, 2009 1:21 pm Post subject: |
|
|
Difficult question.
If "bad condition" == "let's start alerts", I think you may do the following
1) Set up 2 schedules using "Tune" button. 1st schedule should be used for "NT Event Log" test. E.g. it should allow test to be executed every day between 00:00 and 00:05, 01:00-01:05, ... 23:00-23:05
Use 2nd schedule to execute auxiliary test, e.g. ping localhost every day between 00:06 and 00:09, 01:06-01:09, ... 23:06-23:09 (right after 1st test)
2) Set both tests to be performed every 50 min, use "Report about all event" test property for NT Event Log test.
3) Set up the action that you need to be started after 60 consecutive bad results, assign this alert profile to 1st NT Event Log test;
4) create another auxiliary action profile, use "Execute HM Script" action and script with single command "ResetRecurrencesTest nt_log_test_name"; assign this profile to 2nd test (ping localhost). So this action will be executed after NT Event Log test checked
http://www.ks-soft.net/hostmon.eng/mframe.htm#actions.htm#actScript
Regards
Alex |
|
|
|
pgobat
Joined: 25 Nov 2008 Posts: 22
|
Posted: Tue Sep 01, 2009 3:11 am Post subject: |
|
|
gloops....
I'll try but seems very complicated...
Thank you Alex |
|
|
|
greyhat64
Joined: 14 Mar 2008 Posts: 246 Location: USA
|
Posted: Sat Sep 05, 2009 1:18 pm Post subject: |
|
|
Has anyone thought about writing a shell script to extract this info? A sample query below:
Code: |
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
    & "EventCode = '9999'")
Wscript.Echo "Count for EventCode 9999: " & colLoggedEvents.Count
|
This would need to be modified to limit based on the 'TimeGenerated' or 'TimePosted' variable in order to limit it to the number of events in the last hour. It also needs to be modified to include AHM script conventions.
If you get it working, please post it in the Library. |
|
|
|
pgobat
Joined: 25 Nov 2008 Posts: 22
|
Posted: Mon Sep 07, 2009 12:36 am Post subject: |
|
|
Thank you for this idea
I'll do further research about that
Regards
Philippe |
|
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12797 Location: USA
|
Posted: Mon Sep 14, 2009 9:19 pm Post subject: |
|
|
The following script will select event records from last day and today (2 arguments: target host name and log name, e.g: localhost system)
Code: |
Option Explicit
const statusAlive = "scriptRes:Host is alive:"
const statusDead = "scriptRes:No answer:"
const statusUnknown = "scriptRes:Unknown:"
const statusNotResolved = "scriptRes:Unknown host:"
const statusOk = "scriptRes:Ok:"
const statusBad = "scriptRes:Bad:"
const statusBadContents = "scriptRes:Bad contents:"
'---- entry point ----
dim objArgs, strComputer, strLogfile, Date1, strDate
dim objWMIService, colLoggedEvents, strWMIQuery
Set objArgs = WScript.Arguments
if objArgs.Count>1 then
  strComputer = objArgs(0)
  strLogfile = objArgs(1)
  Date1 = DateAdd("d",-1,Now)
  strDate = CStr(Year(Date1))
  if Month(Date1)<10 then strDate = strDate & "0" & CStr(Month(Date1)) else strDate = strDate & CStr(Month(Date1)) end if
  if Day(Date1)<10 then strDate = strDate & "0" & CStr(Day(Date1)) else strDate = strDate & CStr(Day(Date1)) end if
  strWMIQuery = "Select * from Win32_NTLogEvent Where (Logfile='" & strLogfile & "') and (timewritten>" & strDate & ")"
  Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colLoggedEvents = objWMIService.ExecQuery(strWMIQuery)
  WScript.StdOut.WriteLine statusOk & colLoggedEvents.Count
else
  WScript.StdOut.WriteLine statusUnknown & "Not enough parameters specified"
end if
|
Actually I was trying to create a script that will select records added within the last hour. A script like this
Code: |
Option Explicit
const statusAlive = "scriptRes:Host is alive:"
const statusDead = "scriptRes:No answer:"
const statusUnknown = "scriptRes:Unknown:"
const statusNotResolved = "scriptRes:Unknown host:"
const statusOk = "scriptRes:Ok:"
const statusBad = "scriptRes:Bad:"
const statusBadContents = "scriptRes:Bad contents:"
'---- entry point ----
dim objArgs, strComputer, strLogfile, Date1, strDate
dim objWMIService, colLoggedEvents, strWMIQuery
Set objArgs = WScript.Arguments
if objArgs.Count>1 then
  strComputer = objArgs(0)
  strLogfile = objArgs(1)
  Date1 = DateAdd("h",-1,Now)
  strDate = CStr(Year(Date1))
  if Month(Date1)<10 then strDate = strDate & "0" & CStr(Month(Date1)) else strDate = strDate & CStr(Month(Date1)) end if
  if Day(Date1)<10 then strDate = strDate & "0" & CStr(Day(Date1)) else strDate = strDate & CStr(Day(Date1)) end if
  if Hour(Date1)<10 then strDate = strDate & "0" & CStr(Hour(Date1)) else strDate = strDate & CStr(Hour(Date1)) end if
  if Minute(Date1)<10 then strDate = strDate & "0" & CStr(Minute(Date1)) else strDate = strDate & CStr(Minute(Date1)) end if
  if Second(Date1)<10 then strDate = strDate & "0" & CStr(Second(Date1)) else strDate = strDate & CStr(Second(Date1)) end if
  strWMIQuery = "Select * from Win32_NTLogEvent Where (Logfile='" & strLogfile & "') and (timewritten>" & strDate & ")"
  Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colLoggedEvents = objWMIService.ExecQuery(strWMIQuery)
  WScript.StdOut.WriteLine statusOk & colLoggedEvents.Count
else
  WScript.StdOut.WriteLine statusUnknown & "Not enough parameters specified"
end if
|
but somehow the WMI provider does not accept a condition like timewritten>20090914023000, while a condition like timewritten>20090914 works just fine.
Not sure if there is any workaround
Regards
Alex |
|
|
|
pgobat
Joined: 25 Nov 2008 Posts: 22
|
Posted: Mon Sep 14, 2009 11:39 pm Post subject: |
|
|
GREAT !!!
Thank you very much |
|
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12797 Location: USA
|
Posted: Wed Sep 16, 2009 3:26 pm Post subject: |
|
|
There is a new script that can check the number of records within the last hour
Code: |
Option Explicit
const statusAlive = "scriptRes:Host is alive:"
const statusDead = "scriptRes:No answer:"
const statusUnknown = "scriptRes:Unknown:"
const statusNotResolved = "scriptRes:Unknown host:"
const statusOk = "scriptRes:Ok:"
const statusBad = "scriptRes:Bad:"
const statusBadContents = "scriptRes:Bad contents:"
'---- entry point ----
dim objArgs, strComputer, strLogfile
dim objWMIService, colLoggedEvents, strWMIQuery, wbemDate
Set objArgs = WScript.Arguments
if objArgs.Count>1 then
  strComputer = objArgs(0)
  strLogfile = objArgs(1)
  ' SWbemDateTime converts "one hour ago" into the WMI datetime string used in the query
  Set wbemDate = CreateObject("WbemScripting.SWbemDateTime")
  wbemDate.SetVarDate(DateAdd("h",-1,Now))
  ' the timestamp is passed to WQL as a quoted string
  strWMIQuery = "Select * from Win32_NTLogEvent Where (Logfile='" & strLogfile & "') and (timewritten>'" & wbemDate & "')"
  Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colLoggedEvents = objWMIService.ExecQuery(strWMIQuery)
  ' report the number of records written within the last hour
  WScript.StdOut.WriteLine statusOk & colLoggedEvents.Count
else
  WScript.StdOut.WriteLine statusUnknown & "Not enough parameters specified"
end if
|
Regards
Alex |
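
Added example, not part of the thread and not KS-Soft's own script: it combines the EventCode filter from greyhat64's query with the SWbemDateTime cutoff from the last script, and returns Bad once the hourly count reaches a limit, as the original question asked. The four-argument order, the Matches helper and the allowed character sets are assumptions made for this example.

```vbscript
Option Explicit
' Added example: count ONE event code written in the last hour and compare it with a limit.
' Assumed arguments: <host> <log name> <event code> <limit>, e.g. localhost Application 9999 60
Const statusUnknown = "scriptRes:Unknown:"
Const statusOk      = "scriptRes:Ok:"
Const statusBad     = "scriptRes:Bad:"
Const NAME_PATTERN  = "^[A-Za-z0-9 ._-]+$"   ' assumed character set for host and log names
Const NUM_PATTERN   = "^[0-9]{1,5}$"         ' event code and limit: digits only

Dim objArgs, strComputer, strLogfile, lngEventCode, lngLimit, lngCount
Dim wbemDate, strWMIQuery, objWMIService, colLoggedEvents

' Hypothetical helper: True when the whole argument matches the pattern, so an argument
' cannot close the quoted string in the WQL condition or alter the winmgmts moniker.
Function Matches(strValue, strPattern)
    Dim re
    Set re = New RegExp
    re.Pattern = strPattern
    Matches = re.Test(strValue)
End Function

Set objArgs = WScript.Arguments
If objArgs.Count < 4 Then
    WScript.StdOut.WriteLine statusUnknown & "Not enough parameters specified"
    WScript.Quit
End If
If Not (Matches(objArgs(0), NAME_PATTERN) And Matches(objArgs(1), NAME_PATTERN) _
        And Matches(objArgs(2), NUM_PATTERN) And Matches(objArgs(3), NUM_PATTERN)) Then
    WScript.StdOut.WriteLine statusUnknown & "Invalid parameter"
    WScript.Quit
End If
strComputer = objArgs(0)
strLogfile = objArgs(1)
lngEventCode = CLng(objArgs(2))
lngLimit = CLng(objArgs(3))

' TimeWritten is compared against a quoted WMI datetime string; SWbemDateTime builds it.
Set wbemDate = CreateObject("WbemScripting.SWbemDateTime")
wbemDate.SetVarDate DateAdd("h", -1, Now)
strWMIQuery = "Select * from Win32_NTLogEvent Where (Logfile='" & strLogfile & "')" _
    & " and (EventCode=" & lngEventCode & ") and (TimeWritten>'" & wbemDate.Value & "')"

On Error Resume Next   ' an unreachable host or denied access becomes Unknown, not a crash
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery(strWMIQuery)
lngCount = colLoggedEvents.Count
If Err.Number <> 0 Then WScript.StdOut.WriteLine statusUnknown & "WMI query failed" : WScript.Quit
On Error GoTo 0

If lngCount >= lngLimit Then WScript.StdOut.WriteLine statusBad & lngCount _
Else WScript.StdOut.WriteLine statusOk & lngCount
```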
|