Windows Agent Configuration information, Options, Examples?
Posted by kcostain on November 14, 2007 at 00:58

Hi All,
I have been testing the Pandora FMS and I like what I see so far.. I don't, however, see a lot of information out there about configuring the Windows Agent and modules, etc...
One example is checking for an event in the Event Logs – I'm not sure if the agent supports this – but when I add this to the configuration file (and turn on debug) – the agent ignores this directive altogether:
# Event 5774
module_begin
module_name Event5774
module_type generic_data
module_event_id 5774
module_description Netlogon Errors
module_end

So, I wonder how to pull info out of the event log or look for various events? Some other things I look to do are checking the success or failure of a Scheduled Task, checking for backup success or failure, listing installed applications, getting the size of a database, getting the size of a file, getting hardware info (SMART, etc.)..
Are there examples out there of how others have gone about some of these things?
Another thing I've found – the following check:
# Free space on disk C:
module_begin
module_name FreeDiskC
module_type generic_data
module_freedisk C:
module_description Free space on drive C:
module_end

..returns the free disk space but the number is always off by a few gigs, no big deal – I wonder why? Second thing is that it's always listed as XX.XX K – if this is a listing of Gigabytes, why "K"? and where does that label come from or where is it set?
Another module that I have struggled with is the generic_proc one. What exactly defines whether 1 (or running) is a good thing?
# Is SQL Server running ?
module_begin
module_name SQL_Server
module_type generic_proc
module_proc sqlservr.exe
module_description SQL Server Check
module_end

What if I wanted to check to make sure the process was OFF and assign a green to that in the web interface?
Thanks again,
Kevin

Sancho replied 17 years, 3 months ago · 4 Members · 17 Replies
-
::
Hi,
We are not Windows experts, so many of the features need an extra job of documenting, testing and hard work. Based on that, all the functionalities are implemented based on our needs. This is the main reason that some things are not implemented, just because we don't need them, or we do not know about them...

> I have been testing the Pandora FMS and I like what I see so far.. I don't, however, see a lot of information out there about configuring the Windows Agent and modules, etc...

Documenting is one of our problems, we do not have a documentation team, but we try to work hard on that.

> One example is checking for an event in the Event Logs – I'm not sure if the agent supports this – but when I add this to the configuration file (and turn on debug) – the agent ignores this directive altogether:
>
> # Event 5774
> module_begin
> module_name Event5774
> module_type generic_data
> module_event_id 5774
> module_description Netlogon Errors
> module_end

There's no support for Windows events right now. Of course, that module will be ignored, since it's not recognized. It's not magical 🙂

> Are there examples out there of how others have gone about some of these things?

I really don't know... Anyway, do not forget that you can execute everything you want using module_exec. If there's a command line utility that you can use to get info about those events, you can get what you want...
Here is a theoretical example.

module_begin
module_name Event whatever
module_type generic_data
module_exec GetEventsInfo.exe --id 5774 --any-other-option
module_description Check event 5574 that occurs when something was wrong with my favourite application
module_end

You can use pipes (like in Unix) to parse the output of the imaginary application GetEventsInfo.exe.

> Another thing I've found – the following check:
>
> # Free space on disk C:
> module_begin
> module_name FreeDiskC
> module_type generic_data
> module_freedisk C:
> module_description Free space on drive C:
> module_end
>
> ..returns the free disk space but the number is always off by a few gigs, no big deal – I wonder why? Second thing is that it's always listed as XX.XX K – if this is a listing of Gigabytes, why "K"? and where does that label come from or where is it set?

It's a simple visualization in the console, Pandora Agent returns free space in MB. If the console finds a big number, it just transforms it to be more easily readable. These numbers are not KiloBytes (1024 bytes), they are just Kilos (1000 units of whatever); it's simply because everything in this life is not bytes 🙂
You can see this transformation by yourself in the format_for_graph() function in file include/functions.php. Of course, you can change it to fit your needs. Feel free to send your changes to us if you think they may be useful.

> Another module that I have struggled with is the generic_proc one. What exactly defines whether 1 (or running) is a good thing?
>
> # Is SQL Server running ?
> module_begin
> module_name SQL_Server
> module_type generic_proc
> module_proc sqlservr.exe
> module_description SQL Server Check
> module_end

The module does not return only 1 or 0, it can return the number of application instances. If there are many sqlservr.exe running, it will say how many there are. Anyway, with that configuration it will return 1 or 0 because you set module_type to be generic_proc. Try changing it to generic_data and it will change its behaviour.
Why 1 is up and 0 is down? It's obvious, isn't it?

> What if I wanted to check to make sure the process was OFF and assign a green to that in the web interface?
> Kevin

I don't know how to do this without changing the agent... Maybe in next versions we will do something about it.
Thanks for your comments and I hope you could find some answers here.
Greetings
-
::
Interesting, you speak with a fascinating mix of condescension, helpfulness and indifference. But it is great that you've responded – I do appreciate that. I imagine we are in the "same boat" if you will, in that we want whatever Pandora FMS is – to be better. I was simply asking if any more information was out there – not that I EXPECTED it, or that it SHOULD be available. I think I can better help you understand my questions if I clarify a few things:

> Hi,
> We are not Windows experts, so many of the features need an extra job of documenting, testing and hard work. Based on that, all the functionalities are implemented based on our needs. This is the main reason that some things are not implemented, just because we don't need them, or we do not know about them...

I understand, what I don't understand is your position in this "we" – are you a developer for Pandora FMS?

> > One example is checking for an event in the Event Logs – I'm not sure if the agent supports this – but when I add this to the configuration file (and turn on debug) – the agent ignores this directive altogether:
> > module_event_id 5774
>
> There's no support for Windows events right now. Of course, that module will be ignored, since it's not recognized. It's not magical 🙂

I sense a bit of sarcasm there.... haha.. perhaps you're not familiar with what documentation DOES exist for Pandora? If you will, take a look at this page close to the bottom:
sourceforge page/en/index.php?sec=docs/directives
To save you a bit of time, this is what the page says:

module_event_id
– Gets the number of times an event is shown in the event log.

The title of this page is "Pandora Agents configuration – Quick Guide", not "Wish List", or "To Do", or "Magical stuff we thought we'd talk about but decided we'd not add to the agent in the end". As you might imagine, I wondered why this would be ignored – in your own smarmy way you have answered my question, thank you.. 🙂

> You can use pipes (like in Unix) to parse the output of the imaginary application GetEventsInfo.exe.

I had thought of that, and I started to look for such a utility like GetEventsInfo.exe – I wonder about how the module_exec process gets this information and is there a limit to what I could get? Am I limited to console applications? I imagine a scenario where I might theoretically list all the connections on a computer:

module_exec net use

Would all output be viewable in the web console? Is there a limit to how much string data can be transferred?

> It's a simple visualization in the console, Pandora Agent returns free space in MB. If the console finds a big number, it just transforms it to be more easily readable. These numbers are not KiloBytes (1024 bytes), they are just Kilos (1000 units of whatever); it's simply because everything in this life is not bytes 🙂
> You can see this transformation by yourself in the format_for_graph() function in file include/functions.php. Of course, you can change it to fit your needs. Feel free to send your changes to us if you think they may be useful.

I imagined that it was simply the conversion – that is cool. The free space on a drive is (by default) listed as (for example) 54.88 K, and free memory is listed as something like 1.65 K. These of course would make more sense as GB in this context. I will check out the file you mentioned and see what it looks like.
Then, we talk about a running process:

> The module does not return only 1 or 0, it can return the number of application instances. If there are many sqlservr.exe running, it will say how many there are. Anyway, with that configuration it will return 1 or 0 because you set module_type to be generic_proc. Try changing it to generic_data and it will change its behaviour.
> Why 1 is up and 0 is down? It's obvious, isn't it?

What I don't think is obvious to you is the context of the data. I understand that if the process IS running I might get 1 or more (depending on the number of them running), and I might get 0 if the process is not running. BUT, the use and context of that data is what's important. 1 does not ALWAYS indicate a positive (or green) thing. Take, if you will, the example of the MSN Messenger client. Having it running (or returned as a 1) would be positive on a client computer where the Messenger client is a useful tool, however, having the value of 1 returned for that of a DATA SERVER (with a seriously limited number of resources), this would be considered bad (and thus may be indicated as RED in the web console and possibly requiring an alert sent). You see, it's not important whether we agree on 1 being "up" or "on" – it is important to place that information in a context that will define whether it's good, up, on or bad.
Anyway, I will continue to work with this and any ideas I gather from using the Windows Agent to get data I will pass back to you guys. I see quite a lot of potential in this. My recent issue seems to be clients that fail to connect to the FTP server because of a resolution problem (but others on the same network can connect). Unusual. Also, I was unable to get the FTP connection working properly at all and an update of the libcurl.dll file to version 7.17.1.0 fixed that problem...
Anyway, thanks again – I appreciate you taking the time!
Kevin
-
::
> Interesting, you speak with a fascinating mix of condescension, helpfulness and indifference. But it is great that you've responded – I do appreciate that. I imagine we are in the "same boat" if you will, in that we want whatever Pandora FMS is – to be better. I was simply asking if any more information was out there – not that I EXPECTED it, or that it SHOULD be available. I think I can better help you understand my questions if I clarify a few things:

Stay calm please, I think you both are right. steve-o didn't know that this feature really existed, two years ago, in an old agent based on VBS that currently doesn't exist anymore, and that feature is not supported in the newest agents. Steve-o is the main developer for the Windows agent, and has probably been surprised by an "existing" feature that he has not coded yet! 🙂

> > Hi,
> > We are not Windows experts, so many of the features need an extra job of documenting, testing and hard work. Based on that, all the functionalities are implemented based on our needs. This is the main reason that some things are not implemented, just because we don't need them, or we do not know about them...
>
> I understand, what I don't understand is your position in this "we" – are you a developer for Pandora FMS?
>
> > One example is checking for an event in the Event Logs – I'm not sure if the agent supports this – but when I add this to the configuration file (and turn on debug) – the agent ignores this directive altogether:
> > module_event_id 5774
> >
> > There's no support for Windows events right now. Of course, that module will be ignored, since it's not recognized. It's not magical 🙂
>
> I sense a bit of sarcasm there.... haha.. perhaps you're not familiar with what documentation DOES exist for Pandora? If you will, take a look at this page close to the bottom:

This is actually MY fault because it's a very old documentation that should not be there. The newest documentation is on our wiki at http://www.openideas.info/wiki

> sourceforge page/en/index.php?sec=docs/directives
> To save you a bit of time, this is what the page says:
>
> module_event_id
> – Gets the number of times an event is shown in the event log.
>
> The title of this page is "Pandora Agents configuration – Quick Guide", not "Wish List", or "To Do", or "Magical stuff we thought we'd talk about but decided we'd not add to the agent in the end". As you might imagine, I wondered why this would be ignored – in your own smarmy way you have answered my question, thank you.. 🙂
>
> > You can use pipes (like in Unix) to parse the output of the imaginary application GetEventsInfo.exe.
>
> I had thought of that, and I started to look for such a utility like GetEventsInfo.exe – I wonder about how the module_exec process gets this information and is there a limit to what I could get? Am I limited to console applications? I imagine a scenario where I might theoretically list all the connections on a computer:
>
> module_exec net use
>
> Would all output be viewable in the web console? Is there a limit to how much string data can be transferred?

You need to parse it before with the command line tools provided with the agent (or your own tools, of course) to return numeric results or single text lines (for the generic_string type).

> > It's a simple visualization in the console, Pandora Agent returns free space in MB. If the console finds a big number, it just transforms it to be more easily readable. These numbers are not KiloBytes (1024 bytes), they are just Kilos (1000 units of whatever); it's simply because everything in this life is not bytes 🙂
> > You can see this transformation by yourself in the format_for_graph() function in file include/functions.php. Of course, you can change it to fit your needs. Feel free to send your changes to us if you think they may be useful.
>
> I imagined that it was simply the conversion – that is cool. The free space on a drive is (by default) listed as (for example) 54.88 K, and free memory is listed as something like 1.65 K. These of course would make more sense as GB in this context. I will check out the file you mentioned and see what it looks like.
> Then, we talk about a running process:
>
> > The module does not return only 1 or 0, it can return the number of application instances. If there are many sqlservr.exe running, it will say how many there are. Anyway, with that configuration it will return 1 or 0 because you set module_type to be generic_proc. Try changing it to generic_data and it will change its behaviour.
> > Why 1 is up and 0 is down? It's obvious, isn't it?
>
> What I don't think is obvious to you is the context of the data. I understand that if the process IS running I might get 1 or more (depending on the number of them running), and I might get 0 if the process is not running. BUT, the use and context of that data is what's important. 1 does not ALWAYS indicate a positive (or green) thing. Take, if you will, the example of the MSN Messenger client. Having it running (or returned as a 1) would be positive on a client computer where the Messenger client is a useful tool, however, having the value of 1 returned for that of a DATA SERVER (with a seriously limited number of resources), this would be considered bad (and thus may be indicated as RED in the web console and possibly requiring an alert sent). You see, it's not important whether we agree on 1 being "up" or "on" – it is important to place that information in a context that will define whether it's good, up, on or bad.
> Anyway, I will continue to work with this and any ideas I gather from using the Windows Agent to get data I will pass back to you guys. I see quite a lot of potential in this. My recent issue seems to be clients that fail to connect to the FTP server because of a resolution problem (but others on the same network can connect). Unusual. Also, I was unable to get the FTP connection working properly at all and an update of the libcurl.dll file to version 7.17.1.0 fixed that problem...
> Anyway, thanks again – I appreciate you taking the time!
> Kevin

Thanks to you, you've discovered a bug in our documentation listed at our home web site! 🙂
-
::
Hi,

> Interesting, you speak with a fascinating mix of condescension, helpfulness and indifference. But it is great that you've responded – I do appreciate that. I imagine we are in the "same boat" if you will, in that we want whatever Pandora FMS is – to be better. I was simply asking if any more information was out there – not that I EXPECTED it, or that it SHOULD be available. I think I can better help you understand my questions if I clarify a few things:

I'm sorry about the misunderstanding, keep in mind that English is not my language, so expressing and comprehending it is not natural to me.

> I understand, what I don't understand is your position in this "we" – are you a developer for Pandora FMS?

Sorry again, yes I am the developer of the Windows agent. Although it's not a great piece of computer engineering, it can (sometimes) do its job 🙂

> I sense a bit of sarcasm there.... haha.. perhaps you're not familiar with what documentation DOES exist for Pandora? If you will, take a look at this page close to the bottom:
> sourceforge page/en/index.php?sec=docs/directives
> To save you a bit of time, this is what the page says:
>
> module_event_id
> – Gets the number of times an event is shown in the event log.
>
> The title of this page is "Pandora Agents configuration – Quick Guide", not "Wish List", or "To Do", or "Magical stuff we thought we'd talk about but decided we'd not add to the agent in the end". As you might imagine, I wondered why this would be ignored – in your own smarmy way you have answered my question, thank you.. 🙂

As Nil pointed out (that sounds nerdy hilarious! hehe) in his reply, there's a problem with the documentation. I usually do not work on the documentation or the Pandora homepage, so I could not be aware of that. I have not been in Pandora development since the beginning, so I didn't know that something like that could be done.

> I had thought of that, and I started to look for such a utility like GetEventsInfo.exe – I wonder about how the module_exec process gets this information and is there a limit to what I could get? Am I limited to console applications? I imagine a scenario where I might theoretically list all the connections on a computer:
>
> module_exec net use
>
> Would all output be viewable in the web console? Is there a limit to how much string data can be transferred?

I think we have no tests about it. Probably, the limit will be in the field that will store this result in the database.

> I imagined that it was simply the conversion – that is cool. The free space on a drive is (by default) listed as (for example) 54.88 K, and free memory is listed as something like 1.65 K. These of course would make more sense as GB in this context. I will check out the file you mentioned and see what it looks like.

Ok, so these numbers are really strange in that scenario, because they will be "kilos of megas", a.k.a. gigas. You are (again) completely right.

> Then, we talk about a running process:
> What I don't think is obvious to you is the context of the data. I understand that if the process IS running I might get 1 or more (depending on the number of them running), and I might get 0 if the process is not running. BUT, the use and context of that data is what's important. 1 does not ALWAYS indicate a positive (or green) thing. Take, if you will, the example of the MSN Messenger client. Having it running (or returned as a 1) would be positive on a client computer where the Messenger client is a useful tool, however, having the value of 1 returned for that of a DATA SERVER (with a seriously limited number of resources), this would be considered bad (and thus may be indicated as RED in the web console and possibly requiring an alert sent). You see, it's not important whether we agree on 1 being "up" or "on" – it is important to place that information in a context that will define whether it's good, up, on or bad.

I understand your problem, again it was an idiomatic problem. We thought about solutions, but I personally do not like them. Any idea or suggestion will be great.

> Anyway, I will continue to work with this and any ideas I gather from using the Windows Agent to get data I will pass back to you guys. I see quite a lot of potential in this. My recent issue seems to be clients that fail to connect to the FTP server because of a resolution problem (but others on the same network can connect). Unusual. Also, I was unable to get the FTP connection working properly at all and an update of the libcurl.dll file to version 7.17.1.0 fixed that problem...

Maybe the resolving issue could be a DNS problem? Just suggesting, I don't know your network configuration...
So, everything with FTP is OK? We will really appreciate any feedback about it, because this is one of the latest "features" on the Windows agent.
Why did I reply to your post if it's a matter of documentation/infrastructure, you might ask... Well, I do not read this forum very often, but my companions really do a great job here. When there's a post about ANYTHING STRANGE related with the Windows agent (and maybe it's not a problem with the agent, as you can see) they ask me to answer it. I (usually) do not like it, so my answers here could be with that mix of condescension, helpfulness and indifference, but (believe me) I'm trying to help 🙄
Nil: There is no fight at all, take it easy, pal!
Greetings Kevin,
Esteban
-
::
I thank you both for the quick responses.. it was nice .. I have been busy as hell... but I'm trying to pull more out of this..

*** Getting the status of the last Scheduled Task ***

One thing I've been working on is to pull details of the scheduled tasks that run... I've come up with this:

# Schedule Task status
module_begin
module_name ScheduledTaskStatus
module_type generic_string
module_exec type c:\WINDOWS\Tasks\SchedLgU.Txt | grep -B1 "recent" | grep -v "recent" | tr -d "\n\t"
module_description Results of most recent scheduled task
module_end

Example Log:

"Pandora Restart.job" (pandora.BAT)
    Finished 11/16/2007 5:50:27 PM
    Result: The task completed with an exit code of (0).
[ ***** Most recent entry is above this line ***** ]

Returned Data:

Result: The task completed with an exit code of (0).

Example Log:

"System State.job" (ntbackup) 11/15/2007 11:00:00 PM ** ERROR **
    The attempt to log on to the account associated with the task failed, therefore, the task did not run.
    The specific error is:
    0x8007052e: Logon failure: unknown user name or bad password.
    Verify that the task's Run-as name and password are valid and try again.
[ ***** Most recent entry is above this line ***** ]

Returned Data:

Verify that the task's Run-as name and password are valid and try again.

It's not perfect, but that one line may lead to more investigation – it also does not take into account multiple scheduled tasks.. 🙁 it's a start.. I haven't tested it either.. working on it.. 🙂
well.. more.. in its current form:

# Schedule Task status
module_begin
module_name STaskS
module_type generic_string
module_exec type c:\WINDOWS\Tasks\SchedLgU.Txt | grep -B1 "recent" | grep -v "recent" | tr -d "\n\t"
module_description Results of most recent scheduled task
module_end

it's ignored by the agent.. I've tried changing generic_string to _data and a few other things.. the agent just keeps ignoring this.. I'm stumped..

*** DNS resolution error ***

I have been tracking two (of 5) servers that I have on the same network that are all running the same version of the Windows Agent – two of these computers (at some point) fail to be able to resolve an IP address and thus aren't able to connect to the FTP server and transfer data. The other 3 servers run fine..
If I go to one of those servers while it is failing and ping that host – the Operating System CAN ping and resolve it. If I restart the pandora agent service, the resolution works and the process continues.
I set up on both servers a scheduled task that restarted the pandora agent service at 11pm each night and came back the next day. Strangely enough there was a sort of pattern:
By the way, srv is not the name of the host, but phpbb restrictions force me to change the hostname – I had to guess that was the reason.. bah..

DATASERVER:

11-15-07 22:58:32: Pandora Agent: Failed when copying to srv (Couldn't resolve host name)
11-15-07 23:01:01: Pandora agent stopped
11-15-07 23:01:02: Pandora agent started
11-16-07 04:43:52: Pandora Agent: Failed when copying to srv (Couldn't connect to server)

>>> The failure started close to 5 hours later..

On the second server, REMOTE:

11-15-07 23:01:40: Pandora Agent: Failed when copying to srv (Couldn't resolve host name)
11-15-07 23:04:01: Pandora agent stopped
11-15-07 23:04:01: Pandora agent started
11-16-07 04:44:07: Pandora Agent: Failed when copying to srv (Couldn't connect to server)

>>> The failure begins close to five hours later again.. that's pretty darned close!!

So, I'm still looking into it – but keep in mind all of the servers' IP configurations are the same, all of the 5 servers use the same DNS, all of the 5 servers are on the same local network and 3 of the servers have not failed to connect in three days... something to think about..
On and on..
Kevin
-
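The grep -B1 pipeline above only returns the line just above the "Most recent entry" marker and, as Kevin notes, says nothing about the other scheduled tasks. As an added example (not code from the thread or from Pandora FMS), the Python below parses SchedLgU.Txt as the circular log it is, reports the newest outcome of every job, and derives a numeric value for a generic_data module and a one-line text value cut to 255 characters for a string module. The sample log, the assumed entry layout (a quoted job line followed by indented Started/Finished/Result lines) and the -1/-2 sentinel codes are assumptions, as is running it through module_exec on a host that has a Python interpreter.

```python
# Added example (not from the thread or Pandora FMS): parse the Task Scheduler
# log SchedLgU.Txt and derive Pandora module values from it.
import re
from typing import Dict, List, Optional, Tuple

MARKER = "[ ***** Most recent entry is above this line ***** ]"
# Entry header: quoted job name, command in parentheses, and for scheduler
# failures the timestamp plus "** ERROR **" on the same line.
ENTRY_HEADER = re.compile(r'^"(?P<task>[^"]+)"\s+\((?P<cmd>[^)]*)\)(?P<rest>.*)$')
EXIT_CODE = re.compile(r"exit code of \((\d+)\)")

# Constructed sample modelled on the excerpts in the thread (layout assumed).
# The file is circular: lines after the marker are older entries left over
# from the previous pass through the file.
SAMPLE_LOG = "\n".join([
    '"Pandora Restart.job" (pandora.BAT)',
    "\tStarted 11/16/2007 5:50:00 PM",
    '"Pandora Restart.job" (pandora.BAT)',
    "\tFinished 11/16/2007 5:50:27 PM",
    "\tResult: The task completed with an exit code of (0).",
    '"System State.job" (ntbackup) 11/15/2007 11:00:00 PM ** ERROR **',
    "\tThe attempt to log on to the account associated with the task failed, therefore, the task did not run.",
    "\tThe specific error is:",
    "\t0x8007052e: Logon failure: unknown user name or bad password.",
    "\tVerify that the task's Run-as name and password are valid and try again.",
    MARKER,
    '"Old Cleanup.job" (cleanup.cmd)',
    "\tFinished 11/10/2007 1:00:05 AM",
    "\tResult: The task completed with an exit code of (2).",
])

Entry = List[str]
Status = Tuple[str, Optional[int], bool, str]   # task, exit code, is_error, last line


def split_entries(text: str) -> List[Entry]:
    """Split the log into entries (header + indented body) in chronological order."""
    before: List[str] = []
    after: List[str] = []
    bucket = before
    for line in text.splitlines():
        if line.strip() == MARKER:
            bucket = after            # everything after the marker is older
            continue
        bucket.append(line)
    entries: List[Entry] = []
    for line in after + before:
        if ENTRY_HEADER.match(line):
            entries.append([line])
        elif entries and line.strip():  # body line; a torn entry right after the marker is dropped
            entries[-1].append(line)
    return entries


def entry_status(entry: Entry) -> Status:
    """Outcome of one entry; the last body line is the actionable one (the
    "Result:" line or the "Verify that..." hint that Kevin's grep -B1 picks out)."""
    header = ENTRY_HEADER.match(entry[0])
    assert header is not None
    is_error = "** ERROR **" in header.group("rest")
    m = EXIT_CODE.search(" ".join(line.strip() for line in entry[1:]))
    code = int(m.group(1)) if m else None
    last = entry[-1].strip() if len(entry) > 1 else header.group("rest").strip()
    return header.group("task"), code, is_error, last


def latest_per_task(text: str) -> Dict[str, Status]:
    """Newest entry with an outcome for every job; bare 'Started' lines are skipped."""
    latest: Dict[str, Status] = {}
    for entry in split_entries(text):
        status = entry_status(entry)
        if status[1] is not None or status[2]:
            latest[status[0]] = status
    return latest


def module_values(text: str, limit: int = 255) -> Tuple[int, str]:
    """Values for two modules: the newest outcome's exit code for generic_data
    (-1 = scheduler could not run the task, -2 = no outcome found; both assumed
    sentinels) and a one-line summary for generic_data_string cut to the limit."""
    outcomes = [entry_status(e) for e in split_entries(text)]
    outcomes = [s for s in outcomes if s[1] is not None or s[2]]
    if not outcomes:
        return -2, "no completed task entries found"
    task, code, is_error, last = outcomes[-1]
    numeric = -1 if is_error else code   # code is never None here (filtered above)
    return numeric, f"{task}: {last}"[:limit]


if __name__ == "__main__":
    print(module_values(SAMPLE_LOG))
    for task, status in latest_per_task(SAMPLE_LOG).items():
        print(task, status[1:])
```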
::
.. an IP address in the pandora.conf instead of a hostname and restart the service. This might rule out or confirm name resolution as the problem. I guess name resolution is not performed by the agent but by the underlying Windows OS.
Also there might just be some FTP or SSH daemon log on the Pandora server which shows some useful info around the times of failure
-
::
Thanks TurricanII – I'll give your ideas a shot...
An update to the Scheduled Tasks info... I'm running this on a win2k box:

# Schedule Task status
module_begin
module_name STaskS
module_type generic_string
module_exec type c:\WINNT\SchedLgU.Txt | grep.exe -B1 "recent" | grep.exe -v "recent" | tr -d "\n\t"
module_description Results of most recent scheduled task
module_end

.. and in the pandora_debug.log I get the following:

11-16-07 20:44:56: Bad module type "generic_string" while parsing STaskS module

is generic_string possibly not supported?
If I run this sucker directly, I get:

C:\Program Files\pandora_agent\util>type c:\WINNT\SchedLgU.Txt | grep.exe -B1 "recent" | grep.exe -v "recent" | tr -d "\n\t"
Result: The task completed with an exit code of (0).
C:\Program Files\pandora_agent\util>

hmmm...
-
::
> Thanks TurricanII – I'll give your ideas a shot...
>
> # Schedule Task status
> module_begin
> module_name STaskS
> module_type generic_string
> module_exec type c:\WINNT\SchedLgU.Txt | grep.exe -B1 "recent" | grep.exe -v "recent" | tr -d "\n\t"
> module_description Results of most recent scheduled task
> module_end
>
> .. and in the pandora_debug.log I get the following:
>
> 11-16-07 20:44:56: Bad module type "generic_string" while parsing STaskS module
>
> is generic_string possibly not supported?
> If I run this sucker directly, I get:
>
> C:\Program Files\pandora_agent\util>type c:\WINNT\SchedLgU.Txt | grep.exe -B1 "recent" | grep.exe -v "recent" | tr -d "\n\t"
> Result: The task completed with an exit code of (0).
> C:\Program Files\pandora_agent\util>
>
> hmmm...

Damn!!, I think I found another big bug in our docs. The correct config token is "generic_data_string". I'll fix the documentation issue right now.
Thanks for posting!
-
::
Awesome!
This works:

# Schedule Task status
module_begin
module_name STaskS
module_type generic_data_string
module_exec type c:\WINNT\SchedLgU.Txt | grep.exe -B1 "recent" | grep.exe -v "recent" | tr -d "\n\t"
module_description Results of most recent scheduled task
module_end

.. and I get this in the debug XML file:

STaskS
generic_data_string
Result: The task completed with an exit code of (2).
Results of most recent scheduled task

So far, the DNS resolution issues are sorted out by restarting the pandora_agent service every 5 hours... still working on that..
Kevin
-
::
One thing though, I'm looking at the reporting options.. I don't seem to be able to make a report showing a string... so, I can't create a report showing all of the results for each of the 5 computers in one report.. am I missing a function in the web console that lets me do this?
-
::
Now on to Events... here's what I've come up with so far. There is a utility called wevtutil.exe that ships with Windows Vista – but it won't run on Windows 2000 Server – not much use, since consistency is important here.
So, there is the Log Parser (search for Log Parser 2.2 on Google. I can't paste a link here).
To get the last 5 events from the event log on any of your Windows servers, run this command:

"c:\Program Files\Log Parser 2.2\LogParser.exe" -i:EVT -o:NAT "SELECT TOP 5 TimeGenerated, EventID, EventTypeName, Message FROM System WHERE EventTypeName='Error event'"

You'll get an output similar to this:

TimeGenerated       EventID EventTypeName Message
------------------- ------- ------------- ---------------------------------------
2007-09-14 14:53:48 6008    Error event   The previous system shutdown at 2:50:07 PM on 9/14/2007 was unexpected.
2007-11-11 09:53:11 301     Error event   {Out of Virtual Memory} Your system is low on virtual memory. To ensure that Windows runs properly, increase the size of your virtual memory paging file. For more information, see Help.
2007-11-18 15:13:36 8032    Error event   The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{5FDDED35-2E23-4D71-9D87-87AD5F58BA39}. The backup browser is stopping.

Statistics:
-----------
Elements processed: 2348
Elements output:    3
Execution time:     1.09 seconds

Now, I haven't started to process this info into a one line useful thing that I might try to bring back to Pandora... it would be sweet to get all of this back.. or even the stuff without the message?? :

TimeGenerated       EventID EventTypeName
------------------- ------- -------------
2007-09-14 14:53:48 6008    Error event
2007-11-11 09:53:11 301     Error event
2007-11-18 15:13:36 8032    Error event

Statistics:
-----------
Elements processed: 2348
Elements output:    3
Execution time:     0.33 seconds

It just seems that 255 characters wouldn't do this information justice, what do you guys think?
Thanks,
Kevin
-
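As an added example (not code from the thread, Pandora FMS or Log Parser), the Python below turns the -o:NAT console table above into the two values Pandora can take: an event count for a generic_data module, and either a compact EventID@TimeGenerated list or the newest message for a string module, each trimmed to the 255-character limit Kevin mentions. It re-joins the rows the console hard-wrapped at 80 columns; the sample output is constructed from the rows pasted above, and the 255 limit is taken as given.

```python
# Added example (not from the thread, Pandora FMS or Log Parser): turn the
# -o:NAT console table of event log errors into Pandora module values.
import re
from typing import Dict, List, Tuple

# A data row starts with the TimeGenerated column; any other non-empty line
# after the first row is a continuation of the previous row's Message column.
ROW = re.compile(
    r"^(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<id>\d+)\s+"
    r"(?P<type>\w+(?: \w+)? event)\s*(?P<msg>.*)$"
)

# Constructed sample modelled on the output pasted above. The console wrapped
# every line at 80 columns, so continuation lines are raw text (note the
# trailing spaces kept at the wrap points).
SAMPLE_OUTPUT = "\n".join([
    "TimeGenerated       EventID EventTypeName Message",
    "------------------- ------- ------------- --------------------------------------",
    "2007-09-14 14:53:48 6008    Error event   The previous system shutdown at 2:50:0",
    "7 PM on 9/14/2007 was unexpected.",
    "2007-11-11 09:53:11 301     Error event   {Out of Virtual Memory} Your system is ",
    "low on virtual memory. To ensure that Windows runs properly, increase the size ",
    "of your virtual memory paging file. For more information, see Help.",
    "2007-11-18 15:13:36 8032    Error event   The browser service has failed to retr",
    "ieve the backup list too many times on transport \\Device\\NetBT_Tcpip_{5FDDED35-2",
    "E23-4D71-9D87-87AD5F58BA39}. The backup browser is stopping.",
    "",
    "Statistics:",
    "-----------",
    "Elements processed: 2348",
    "Elements output:    3",
    "Execution time:     1.09 seconds",
    "",
])

Event = Dict[str, object]


def parse_nat_output(text: str) -> List[Event]:
    """Rebuild the event rows, re-joining lines the console wrapped."""
    events: List[Event] = []
    for line in text.splitlines():
        if line.startswith("Statistics:"):
            break                      # trailer: nothing after it is event data
        m = ROW.match(line)
        if m:
            events.append({"time": m.group("time"), "id": int(m.group("id")),
                           "type": m.group("type"), "msg": m.group("msg")})
        elif events and line.strip():
            # Hard wrap: the continuation starts exactly where the previous
            # line was cut, so append without inserting a space.
            events[-1]["msg"] = str(events[-1]["msg"]) + line
    return events


def module_values(text: str, limit: int = 255) -> Tuple[int, str]:
    """generic_data value: number of events the query returned.
    generic_data_string value: 'EventID@TimeGenerated' list cut to the limit."""
    events = parse_nat_output(text)
    summary = "; ".join(f"{e['id']}@{e['time']}" for e in events)
    if len(summary) > limit:
        summary = summary[: limit - 3] + "..."
    return len(events), summary


def newest_message(text: str, limit: int = 255) -> str:
    """Message of the newest event (TimeGenerated sorts as text), cut to the limit."""
    events = parse_nat_output(text)
    if not events:
        return ""
    newest = max(events, key=lambda e: str(e["time"]))
    return str(newest["msg"])[:limit]


if __name__ == "__main__":
    count, summary = module_values(SAMPLE_OUTPUT)
    print(count, summary)
    print(newest_message(SAMPLE_OUTPUT))
```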
::
> One thing though, I'm looking at the reporting options.. I don't seem to be able to make a report showing a string... so, I can't create a report showing all of the results for each of the 5 computers in one report.. am I missing a function in the web console that lets me do this?

You want to generate a new report type reporting all string data in X time? This is very easy to implement, please add it as a feature request on our sourceforge page to keep it tracked for future development!
-
::
You obviously want to use Pandora FMS as a log grabber :). Pandora FMS has a different approach, BUT some people have worked on several approaches to this problem.
The first one is a log agent for Pandora FMS, but it is written in Perl and this requires that you install some kind of Perl support on your Windows server. You can find it here:
Unfortunately it is not well documented (because it is not part of the official project), but it can surely help you because it basically “parses” log files and reports data in several lines, as many as needed.
-
::
Hey nil,
Thanks for the response. As far as parsing the logs and formatting them down to something useful goes, I could use the grep and tr utils to rip out anything from the above examples and gather maybe the last error. It just seems Pandora is more suited to numeric data than to string data (event logs are probably the biggest indicators of coming issues on a Windows box). Now, I could even get JUST the number of returned errors from the event log and present that as numeric information that could be graphed too; it works on one level, but those messages are what take a whole lot more of the legwork out of the picture. By the way, that Log Parser utility is able to parse ANY Windows log by way of SQL statements and probably can handle any sort of log querying on Windows (that might need to be passed back to Pandora FMS). I’m going to try and build a few examples of this stuff.
Kevin
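The two things Kevin wants from the Log Parser output (a numeric error count that Pandora can graph, plus the newest error message squeezed into the 255-character string limit) can be produced by a small wrapper around the query quoted above. The script below is an added example written for this thread; it is not Pandora FMS or Log Parser code. It assumes Log Parser is run with its `-o:CSV` output format instead of `-o:NAT` so the result is machine-parseable, the `logparser_command` helper and the install path are assumptions, and `SAMPLE_CSV` is constructed from the events quoted in the thread (with a transport GUID placeholder and one warning row added to show the filter).

```python
"""Turn Log Parser 2.2 event-log output into values a Pandora module can carry.

Added example for this thread (not Pandora FMS or Log Parser code).
Assumes Log Parser is run with -o:CSV; the sample rows are constructed.
"""
import csv
import io
from collections import Counter

# Constructed sample of what "LogParser.exe -i:EVT -o:CSV ..." prints, including
# the trailing Statistics block that Log Parser appends after the rows.
SAMPLE_CSV = r"""TimeGenerated,EventID,EventTypeName,Message
2007-09-14 14:53:48,6008,Error event,"The previous system shutdown at 2:50:07 PM on 9/14/2007 was unexpected."
2007-11-11 09:53:11,301,Error event,"{Out of Virtual Memory} Your system is low on virtual memory.
To ensure that Windows runs properly, increase the size of your virtual memory paging file."
2007-11-12 08:00:00,1234,Warning event,"Constructed warning row; ignored by the error summary."
2007-11-18 15:13:36,8032,Error event,"The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{TRANSPORT-GUID}. The backup browser is stopping."
Statistics:
-----------
Elements processed: 2348
Elements output: 4
Execution time: 0.33 seconds
"""


def logparser_command(log_name="System", top=5,
                      exe=r"C:\Program Files\Log Parser 2.2\LogParser.exe"):
    """Build argv for the thread's query, but with CSV output (assumed install path)."""
    query = ("SELECT TOP {top} TimeGenerated, EventID, EventTypeName, Message "
             "FROM {log} WHERE EventTypeName='Error event'").format(top=top, log=log_name)
    return [exe, "-i:EVT", "-o:CSV", query]


def parse_logparser_csv(text):
    """Parse Log Parser CSV output into dicts, stopping at the Statistics block.

    csv.reader keeps quoted multi-line messages intact, so a 'Statistics:'
    line inside a message does not terminate parsing early."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    events = []
    if not header:
        return events
    for row in reader:
        if not row or row[0].startswith("Statistics:"):
            break
        if len(row) != len(header):
            continue  # separator or stray line, not a record
        events.append(dict(zip(header, row)))
    return events


def _one_line(message):
    """Collapse embedded newlines, tabs and repeated blanks into single spaces."""
    return " ".join(message.split())


def summarize_errors(events, max_len=255):
    """Reduce parsed events to a numeric count, a per-EventID count, and the
    newest error as a single line of at most max_len characters."""
    errors = [e for e in events if e.get("EventTypeName") == "Error event"]
    # Log Parser's "YYYY-MM-DD HH:MM:SS" timestamps sort correctly as strings.
    errors.sort(key=lambda e: e["TimeGenerated"])
    by_id = Counter(int(e["EventID"]) for e in errors)
    last = ""
    if errors:
        e = errors[-1]
        last = "{} {} {}".format(e["TimeGenerated"], e["EventID"], _one_line(e["Message"]))
        if len(last) > max_len:
            last = last[:max_len - 3] + "..."
    return {"error_count": len(errors), "by_event_id": dict(by_id), "last_error": last}


if __name__ == "__main__":
    summary = summarize_errors(parse_logparser_csv(SAMPLE_CSV))
    print(summary["error_count"])  # numeric value for a generic_data module
    print(summary["last_error"])   # string value for the agent's string module type
```

In practice the agent would run `logparser_command()` via `subprocess.run(..., capture_output=True, text=True)` and feed `.stdout` to `parse_logparser_csv`; `error_count` then goes into a `generic_data` module and `last_error` into a string module (`generic_data_string` in the Pandora agent). Parsing stops at the `Statistics:` line rather than relying on a flag, so it works whether or not statistics output is suppressed.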
-
::
You also have another interesting option. There is a very good software application called “SNARE” that currently has an open source component called Windows Snare Log Agent, which grabs Windows event logs and could write to a remote syslog that could be easily parsed by the Pandora log agent or by a custom script.
Another interesting option is to query Windows using WMI directly or from another Windows machine. Try the links and information on:
http://www.openideas.info/wiki/index.php?title=Pandora:WMI
We know that Windows servers and workstations are very widely used in commercial companies, so we want to improve support and functionality for those platforms as much as we can; so please, if you discover new ways to get data locally or remotely, help us by telling us about it.
-
::
I see… Snare looks really cool actually. I like their approach, but it lacks one thing I find myself looking for: the differences.
I’ll explain: lots of stuff in Windows can be gathered and I could even possibly send out the last error events every day, but the best of all these things is to send out information (or alerts) if something has changed. For example: a new patch becomes available for a server, alert; an application has been added or removed, alert; a new error has shown up in the event log, alert. This is the kind of thing that Kaseya seems able to do. I like that concept, but anything I learn from all this I will definitely be passing along.
Thanks for all your help,
Kevin
-
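The “report only the differences” idea above (alert when an application appears, disappears or changes version) needs nothing more than a snapshot kept between agent runs and a diff against it. The script below is an added example for this thread, not Pandora FMS code. It assumes the installed-application inventory (name to version) is collected by whatever the box supports (registry, WMI or a Log Parser query); `BASELINE` and `CURRENT_INVENTORY` are constructed snapshots with made-up version strings, and the state-file location is an assumption.

```python
"""Report only what changed between agent runs (software inventory drift).

Added example for this thread, not Pandora FMS code. The inventory dict
(application name -> version) is assumed to be collected elsewhere; the
two snapshots below are constructed.
"""
import json
import os
import tempfile

# Constructed snapshots: yesterday's baseline and today's collection.
BASELINE = {
    "Log Parser 2.2": "2.2.10",
    "Microsoft SQL Server 2000": "8.0.0",
    "Backup Exec Remote Agent": "1.0",
}
CURRENT_INVENTORY = {
    "Log Parser 2.2": "2.2.10",
    "Microsoft SQL Server 2000": "8.0.1",    # patched: version changed
    "Pandora FMS Windows Agent": "1.3",      # newly installed
    # "Backup Exec Remote Agent" has been removed
}


def diff_inventory(old, new):
    """Return added, removed and changed entries between two snapshots."""
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return {"added": added, "removed": removed, "changed": changed}


def fresh_state_path():
    """A new, empty state-file location in a private temp directory (assumed layout;
    a real agent would keep this under its own data directory)."""
    return os.path.join(tempfile.mkdtemp(prefix="pandora_inv_"), "inventory.json")


def check_and_update(current, state_path):
    """Diff the current snapshot against the stored one, then store the current one.

    Returns None on the first run (baseline recorded, nothing to alert on) and the
    diff dict afterwards. The state is written to a temp file and renamed so a crash
    mid-write cannot leave a half-written baseline behind."""
    previous = None
    if os.path.exists(state_path):
        with open(state_path) as fh:
            previous = json.load(fh)
    tmp = state_path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(current, fh, sort_keys=True)
    os.replace(tmp, state_path)
    if previous is None:
        return None
    return diff_inventory(previous, current)


def change_count(changes):
    """Numeric value for a generic_data module: 0 means nothing changed."""
    return sum(len(v) for v in changes.values()) if changes else 0


def describe(changes, max_len=255):
    """One-line summary for a string module, truncated to Pandora's string limit."""
    if change_count(changes) == 0:
        return "no changes"
    parts = ["+%s %s" % (k, v) for k, v in sorted(changes["added"].items())]
    parts += ["-%s %s" % (k, v) for k, v in sorted(changes["removed"].items())]
    parts += ["%s %s->%s" % (k, o, n) for k, (o, n) in sorted(changes["changed"].items())]
    line = "; ".join(parts)
    return line if len(line) <= max_len else line[:max_len - 3] + "..."


if __name__ == "__main__":
    path = fresh_state_path()
    print(check_and_update(BASELINE, path))            # None: baseline recorded
    changes = check_and_update(CURRENT_INVENTORY, path)
    print(change_count(changes), describe(changes))    # 3 and the one-line summary
```

Because the baseline is what every later run is judged against, the state file must be writable only by the account the agent runs as; an attacker who can rewrite it can make an unwanted install look like “no changes”. The same pattern works for any list the box can produce (event IDs seen, patches available, services installed): snapshot, diff, report the count and the summary.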
::
I didn’t know Kaseya until now, but it has some problems: it is not open source, it’s only for Windows and it does too many things 🙂
If you want a solution for patch management and software inventory, you should try another FLOSS project: babel.sf.net