Messages - 2b2bff

#16
General Support / Re: Alarming on Windows Events
August 02, 2021, 09:01:35 AM
Thanks for your reply. Now I understand the different approaches. If you prepend the file path with * the "Event ID" becomes a field that is writable. Missed that before. It seems like you can do more flexible things with the traditional Log Parser.

I use the current 3.9.156, but 3.8.something before didn't have the parameters set as well. Maybe if I use the Log Parser instead of the Windows Event Parser?

Edit: Yes, indeed. It works if I use the Log Parser out of the Policies. But I guess that's better anyway.
#17
General Support / Alarming on Windows Events
July 28, 2021, 04:41:48 PM
Hi,

another topic that I try to wrap my head around. I'm trying to get alarms on different Windows events. For the moment I just want a warning message.

So, I have configured Windows Event Log to be pushed to NetXMS server. Does work.
I have configured the Windows Event Parser like this:


<parser trace="0" name="WindowsEventLog">
   <macros/>
   <rules>
      <rule name="SQL Login failed">
         <match repeatInterval="0" reset="false">(.*)</match>
         <event>WIN_EVENT_RECORD_MATCHED</event>
         <id>18456</id>
         <logName>Application</logName>
         <agentAction action=""></agentAction>
      </rule>
      <rule name="SQL Login failed">
         <match repeatInterval="0" reset="false">(.*)</match>
         <event>WIN_EVENT_RECORD_MATCHED</event>
         <id>18452</id>
         <logName>Application</logName>
         <agentAction action=""></agentAction>
      </rule>
   </rules>
</parser>


A couple of questions already:
- The parser is asking for a name, but it seems like you can only have one. So why does it ask for a name and what does the name matter?
- For templates you can define Agent Policies and within a Log Parser. The UI looks similar. Is this a place where Windows Event Parser can be defined as well?

Ok then I defined the Event WIN_EVENT_RECORD_MATCHED with severity of Warning and a message of: Windows event ID %3: "%1"
As I understood the documentation n+2 (= %3) should be the EventID - but it is just empty.

Furthermore, in Event Processing Policy I created an alarm with Message "%m" and Alarm key of "WIN_EVT_%i_%3" to group id by Event ID. But as %3 is empty all events from a single machine are merged.

What am I doing wrong?

Cheers
#18
Quote from: wim.cossement on June 24, 2021, 02:44:18 PM
Yes I know but then you need another Windows box and license.

Just for the record - you can install them on the same box. No extra machine is needed...
#19
If you want a Microsoft only solution, you can use the SMTP server that is built-in to IIS. There are plenty of guides out there on how to set this up.
#20
Wait, what? I just tested it again and it works...  :-[

You shouldn't change too much in a script at the same time. I tried to return an array of arrays in the script to work with the individual array in the filter script, but it seems you can only return an array of strings.
#21
Just tried to use this as a starting point, but

$node->readAgentTable("System.Services");

does not work. However the older syntax
AgentReadTable($node, "System.Services");
does work.

What am I missing? A bug in 3.8.382?
#22
Hi,

OMG, yes. I didn't know that I need both, the npi and the .exe. Now I have both files in the same folder and it just works...

Thanks a lot...

Cheers
Frank
#23
I wonder if I'm the only one with the Package Manager problem...  ???
#24
General Support / Re: pfsense Monitoring
March 20, 2021, 09:15:42 PM
Thanks. I guess you can even skip the "? true : false" part, as the part in front of ? is already a boolean...
#25
Hi Marco,

for the WebUI look whether the service will be run as "LocalService" and set it to "LocalSystem".

Cheers Frank

#26
General Support / Re: 3.8.166 Windows oddities
March 17, 2021, 10:24:01 AM
I investigated the package upload problem a bit more. This is the log at debug level 8. Seems like the client is cancelling the transfer. But it must be a server problem as I also tried it with the client 3.8.120 that has worked before updating the server.


2021.03.17 09:12:48.009 *D* [client.session.0   ] Sending message CMD_REQUEST_COMPLETED (32 bytes)
2021.03.17 09:12:48.009 *D* [client.session.0   ] Message dump:
  ** 000000 | 00 1D 50 00 00 00 00 20 00 00 00 3A 00 00 00 01 | ..P.... ...:....
  ** 000010 | 00 00 00 1C 00 00 00 00 00 00 00 00 00 00 00 00 | ................
  ** code=0x001D (CMD_REQUEST_COMPLETED) version=5 flags=0x0000 id=58 size=32 numFields=1
  ** 000000: [    28] INT32       0

2021.03.17 09:13:03.634 *D* [client.session.0   ] Message dump:
  ** 000000 | 00 6F 00 40 00 00 00 80 00 00 00 3B 00 00 00 06 | .o.@.......;....
  ** 000010 | 00 00 00 C0 78 DA 63 60 60 68 60 67 00 03 EE F2 | ....x.c``h`g....
  ** 000020 | CC BC 94 FC F2 62 DD 0A 33 13 10 BF 11 2A CE 9E | .....b..3....*..
  ** 000030 | 57 91 98 9E 9A 57 C2 00 05 D2 50 71 79 BF D4 92 | W....W....Pqy...
  ** 000040 | 08 DF 60 05 47 90 A4 42 5A 7E 91 82 99 89 6E 52 | ..`.G..BZ~....nR
  ** 000050 | 66 89 42 38 C4 1C 98 FA 5A A8 7A 71 A8 39 BA C6 | f.B8....Z.zq.9..
  ** 000060 | 7A 16 7A 46 46 66 20 7B F4 52 2B 52 61 EA EA 18 | z.zFFf {.R+Ra...
  ** 000070 | 50 41 3D CC 7E A8 7A 30 07 00 0C AB 1D 11 00 00 | PA=.~.z0........
  ** code=0x006F (CMD_INSTALL_PACKAGE) version=0 flags=0x0040 id=59 size=128 numFields=6
  ** 000000: [   128] UTF8-STRING "windows-x64"
  ** 000018: [   129] UTF8-STRING "nxagent"
  ** 000030: [    27] UTF8-STRING "NetXMS Agent for 64-bit Windows"
  ** 000060: [   125] UTF8-STRING "nxagent-3.8.226-x64.exe"
  ** 000088: [   126] INT32       0
  ** 000098: [   127] UTF8-STRING "3.8.226"

2021.03.17 09:13:03.634 *D* [client.session.0   ] Received message CMD_INSTALL_PACKAGE
2021.03.17 09:13:03.634 *D* [client.session.0   ] Sending message CMD_REQUEST_COMPLETED (48 bytes)
2021.03.17 09:13:03.634 *D* [client.session.0   ] Message dump:
  ** 000000 | 00 1D 50 00 00 00 00 30 00 00 00 3B 00 00 00 02 | ..P....0...;....
  ** 000010 | 00 00 00 1C 00 00 00 00 00 00 00 00 00 00 00 00 | ................
  ** 000020 | 00 00 00 7E 00 00 00 00 00 00 00 04 00 00 00 00 | ...~............
  ** code=0x001D (CMD_REQUEST_COMPLETED) version=5 flags=0x0000 id=59 size=48 numFields=2
  ** 000000: [    28] INT32       0
  ** 000010: [   126] INT32       4

2021.03.17 09:13:03.649 *D* [client.session.0   ] Message dump:
  ** 000000 | 00 72 00 01 00 00 00 10 00 00 00 3B 00 00 00 00 | .r.........;....
  ** code=0x0072 (CMD_ABORT_FILE_TRANSFER) version=0 flags=0x0001 id=59 size=16 numFields=0
  ** binary message

2021.03.17 09:13:03.649 *D* [client.session.0   ] Received raw message CMD_ABORT_FILE_TRANSFER
2021.03.17 09:13:04.368 *D* [client.session.0   ] Sending message CMD_KEEPALIVE (32 bytes)


What can I do about this?
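
Added example, not part of the original post and not NetXMS code: a small Python parser for the 16-byte header rows of the message dumps in the debug log quoted above, used to tie the abort to the install request by request id. The field layout (big-endian code, version/flags word, size, id, field count) is an assumption inferred from the log's own decoded `** code=...` lines, and the sample rows are copied from that log.

```python
import re
import struct

# Sample input: the three "000000" header rows from the debug log quoted above.
SAMPLE_LOG = """\
  ** 000000 | 00 1D 50 00 00 00 00 20 00 00 00 3A 00 00 00 01 | ..P.... ...:....
  ** 000000: [    28] INT32       0
  ** 000000 | 00 6F 00 40 00 00 00 80 00 00 00 3B 00 00 00 06 | .o.@.......;....
  ** 000000 | 00 72 00 01 00 00 00 10 00 00 00 3B 00 00 00 00 | .r.........;....
"""

# Code names exactly as the log prints them; unknown codes are shown as hex.
CODE_NAMES = {
    0x001D: "CMD_REQUEST_COMPLETED",
    0x006F: "CMD_INSTALL_PACKAGE",
    0x0072: "CMD_ABORT_FILE_TRANSFER",
}

# First hex row of a dump: offset 000000, a pipe, then 16 space-separated bytes.
ROW0 = re.compile(r"\*\*\s+000000\s+\|\s+((?:[0-9A-Fa-f]{2}\s+){16})\|")


def parse_header(raw: bytes) -> dict:
    """Decode one 16-byte header (layout assumed from the log's decoded lines)."""
    if len(raw) < 16:
        raise ValueError("header needs 16 bytes")
    code, vflags, size, msg_id, num_fields = struct.unpack(">HHIII", raw[:16])
    return {
        "name": CODE_NAMES.get(code, f"0x{code:04X}"),
        "version": vflags >> 12,     # high 4 bits of the second word
        "flags": vflags & 0x0FFF,    # low 12 bits of the second word
        "size": size,
        "id": msg_id,
        "numFields": num_fields,
    }


def headers_from_log(text: str) -> list:
    """Extract and decode every dump header row; field rows ("000000:") are skipped."""
    rows = (ROW0.search(line) for line in text.splitlines())
    return [parse_header(bytes.fromhex(m.group(1))) for m in rows if m]


def aborted_installs(headers: list) -> list:
    """Request ids where CMD_ABORT_FILE_TRANSFER shares its id with CMD_INSTALL_PACKAGE."""
    installs = {h["id"] for h in headers if h["name"] == "CMD_INSTALL_PACKAGE"}
    return sorted(h["id"] for h in headers
                  if h["name"] == "CMD_ABORT_FILE_TRANSFER" and h["id"] in installs)
```

Run over the full log text, `aborted_installs(headers_from_log(log_text))` lists the request ids whose package upload was aborted after the install request was accepted.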
#27
General Support / Re: pfsense Monitoring
March 17, 2021, 09:28:52 AM
As I have only a few pfsense boxes, I made DCIs on each box for their WAN and LAN interfaces (via right click on the interface) but they are not part of the template. That said the template is only a starting point. There are tons of information buried in the SNMP that pfsense provides..

I'm trying to get a more affordable and better solution than PRTG. Tried checkmk, Zabbix and now NetXMS. All have their Pros and Cons, but NetXMS seems more complete for me. But it lacks templates and guides...

I love the inventory part as well. And that you can easily push client updates...
There are a lot of things that are great. But most of them are difficult to find out... e.g. VM monitoring
#28
General Support / Re: pfsense Monitoring
March 16, 2021, 06:52:14 PM
Hi,

I'm onto this as well. I made a very basic template, yet, but I'm still investigating the best way to do things.

I've seen for Zabbix there is even a way to find out that there is a new version or a new package version available (via Agent active check). With a NetXMS agent we could find out those things as well...

Cheers
#29
Quote from: paul on June 08, 2019, 10:22:24 AM
Well - here is the first cut of my Windows generic template. It includes the events that are triggered.

For explanation of the thresholds that apply in this template, they are implemented as per here:
https://www.netxms.org/forum/general-support/simple-question-cdm-monitoring-using-snmp-anybody-doing-this/msg25843/#msg25843

For excluding CD drives in discovery you have to exclude UFS as well...
#30
Sounds reasonable - thanks...

However changing the name column to nvarchar did not help. I guess you already convert the charset before sending it to the database...
I will just wait for the bugfix..