Home Directory Plugins Operating Systems Windows WMI Check eventlog/eventid by WMI

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com


Remember Me

Directory Tree

Check eventlog/eventid by WMI

Current Version
Last Release Date
Compatible With
  • Nagios 3.x
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Check_wmi_eventid is a script to check windows event log , for a certian eventid..
Simple example : check application log , for eventtype error(-t) and eventid 9003(-e) with in the last 60 mins(-m60),
set warning (-w) if greater than 1 ,and set error(-c) if greater than 3

check_wmi_eventid -H -u domain/user -p password -l application -e 9003 -w 1 -c 3 -t1 -m60

example : same as above , but with arguments -O -W -C, these are custom plugin output for OK,Warning and Critical
Marco $MARCOLIST , can be used!!

check_wmi_eventid -H -u domain/user -p password -l application -e 9003 -w 1 -c 3 -t1 -m60 -O "Every thing is OK"
-W "Warning : something is not right" -C "It is totaly bad , found ITEMCOUNT events"

Version 1.1

Added an ekstra argument - s, that gives you the option to match for a string in the given eventid

Version 1.2

Bug fix - when using -C custom critical text

Version 1.3

added to the -t, -e, -s, -S and -l argument , so that you can select multipel arguments.

Version 1.4

Bug fix .. error in script when -c or -w wasn't set

Version 1.5 by rojobull

Bug fix - getops line Was missing a colon after the S optin which would ignor the source name provided.

Bug fix - adjust WQL_Constructor function so that spaces are not used as a delimiter.

Bug fix - changed $USER variable to $UNAME. $USER is a system variable and will always be set.

Improvement. Changed the date option to convert time into UTC instead of specifying an offset

Added option to use a credentials file instead of passing

Reviews (5)
I was hapopy with this tool, but when i want to search through sub directory's in eventviewer i cannot find the eventviewer file.

For instance:

delivers nothing. I ended up printing the tmp file before it is deleted and it is always empty.

It would be great if i also can view the following event viewer logs:
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

For the eventlogs in the root this tool just works fine!
bydamned, August 1, 2018
1 of 1 people found this review helpful
Great plugin!
I use to discover 6008 errors on windows machine..the infamous Blue Screen
Works well for the default event logs (Application,Security,System). Can't make it work with other logs - IE: Microsoft-Windows-FailoverClustering/Operational. Need this to check if a cluster resource went offline (1204) or online (1201)
bytompaah, February 14, 2016
1 of 1 people found this review helpful
Works great for its purpose.
I don't understand why the NOW-variable is declared with "000000+120" in the end. This caused the script always to pull 1 hour extra events. I changed this to "000000+60" and it works better for me.
bypjai, July 27, 2015
1 of 1 people found this review helpful
Hi Team,

I have tested this plugin on my FAN server. It's working from command line perfect.

But while fetching the information in GUI of FAN server, It show no output from the plugin.

Thanks in Advance.