Using the CheckEventLog module of NSClient++, how do I properly filter in two different eventTypes?
Use the new syntax which is similar to SQL...
The new sample command contains the following filter:
..."filter=generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'"...
And in your case I guess you want to have ...source = 'DFS Replication' OR source = 'DFSR'...
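To see how such a SQL-like filter is read, here is an added example (not part of this answer and not NSClient++'s own code): a toy Python evaluator for the filter syntax, run over four constructed events. It assumes the usual precedence, AND binding tighter than OR, which is why a parenthesised source clause selects only recent, non-informational DFSR/DFS Replication events while the same clause without parentheses lets stale and informational events through.

```python
import operator, re
from datetime import datetime, timedelta
# Toy evaluator for the SQL-like CheckEventLog filter syntax (AND/OR, parentheses,
# =, !=, <>, >, gt, IN, NOT IN and relative times such as -5m or -2d). It only
# approximates NSClient++'s grammar; it is not the project's own parser.
NOW = datetime(2024, 1, 1, 12, 0, 0)  # fixed clock so the sample is reproducible
UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}
OPS = {"=": operator.eq, "!=": operator.ne, "<>": operator.ne, ">": operator.gt, "GT": operator.gt}
def value(tok, ev):  # quoted literal, time relative to NOW (-5m), or an event field
    if tok.startswith("'"):
        return tok[1:-1]
    if re.fullmatch(r"-\d+[smhd]", tok):
        return NOW - timedelta(seconds=int(tok[1:-1]) * UNIT[tok[-1]])
    return ev.get(tok, tok)

def evaluate(filter_text, ev):
    # Recursive descent: OR binds loosest, AND tighter, so "a AND b OR c" is "(a AND b) OR c".
    toks = re.findall(r"\(|\)|,|'[^']*'|<>|!=|[=<>]|[\w.-]+", filter_text)
    take = lambda: toks.pop(0)
    peek = lambda: toks[0].upper() if toks else ""
    def expr():
        r = term()
        while peek() == "OR" and take():
            r = term() or r
        return r
    def term():
        r = factor()
        while peek() == "AND" and take():
            r = factor() and r
        return r
    def factor():
        if peek() == "(":
            take()
            r = expr()
            assert take() == ")", "unbalanced parentheses"
            return r
        left, op = value(take(), ev), take().upper()
        if op in ("IN", "NOT"):  # IN ('a', 'b') or NOT IN ('a', 'b')
            del toks[:toks.index("(") + 1]  # drop the "IN" after NOT and the "("
            items = [value(t, {}) for t in iter(take, ")") if t != ","]
            return (left in items) == (op == "IN")
        return OPS[op](left, value(take(), ev))
    return expr()
def event(source, severity, minutes_ago):  # constructed sample event, not real log data
    return {"source": source, "severity": severity,
            "generated": NOW - timedelta(minutes=minutes_ago)}
EVENTS = [event("DFSR", "error", 1), event("DFS Replication", "warning", 3),
          event("DFS Replication", "informational", 2), event("DFSR", "error", 30)]
def matching(filter_text, events=EVENTS):  # indices of the events the filter selects
    return [i for i, e in enumerate(events) if evaluate(filter_text, e)]
```

Try the parenthesised and unparenthesised DFSR filters against EVENTS to see the difference in what gets selected.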
Comments
mbrownnyc almost 2 years
I'm having an odd amount of trouble deducing the proper syntax to "filter=in" two eventTypes, warning and error.
The line I am using is as follows:
CheckEventLog -a truncate=1023 MaxWarn=1 MaxCrit=1 file='DFS Replication' filter=in "filter.eventSource='DFS Replication'" "filter.eventSource='DFSR'" "filter.eventType==error" "filter.eventType==warning" "filter+generated=\<5m" descriptions unique syntax='%message%'
The "filter=in" means "include" all of the filters listed in the condition; versus "filter=out" meaning exclude all the filters listed in the condition.
The "filter*X" syntax meaning is:
- '.' optional (like logical OR)
- '+' required (like logical AND)
- '-' not required (like logical OR NOT)
This information is gathered from the documentation.
The odd thing is that, to me, the above syntax means: require the filters listed to be present ('filter=in'), from event source 'DFS Replication' OR 'DFSR', include all warning OR error type events that occurred less than 5 minutes ago.
However, the above syntax returns all eventTypes (including error, warning, information) [from the listed event sources (although I haven't proved that they are explicitly the 'event sources' and not all event sources in the Event Log ('file=')), that occurred less than 5 minutes ago].
Is anyone familiar with how to include two different eventType filters in a CheckEventLog command in NSClient++ v0.3.9?
mbrownnyc almost 13 years
The solution isn't clear, but a workaround for me is to just explicitly include all events of eventType NOT "information" by using
"filter+eventType=<>info"
and excluding "filter.eventType==error" "filter.eventType==warning"
mbrownnyc almost 13 years
It appears that the optional severities are: 'failure', 'success', 'informational', 'warning', and 'error'. Is this correct, as 'failure' isn't listed on the wiki pages?
mbrownnyc almost 13 years
I had a lot of trouble actually having useful things return, but ended up using this:
file='DFS Replication' filter=in "filter=generated > -5m AND ((source = 'DFS Replication' OR source = 'DFSR') AND severity NOT IN ('informational'))" descriptions unique syntax='%message%'
The parentheses seem to be critical, as without them, CheckEventLog was literally returning contents of the event definitions, not even contents of messages... which is quite interesting.
mbrownnyc almost 13 years
Failure audit events are reported as severity 'success' 100% of the time. So the only way I was able to determine "failure audits" was, well... by failure audits:
file='Security' filter=in "filter=generated > -5m and type = 'auditFailure'" descriptions unique syntax='%message%'