Thread Nagios - check_wmi with spaces / blanks (16 answers)
Opened by pc-dok at 2014-10-16 08:41

GwenDragon
 2014-10-16 09:59
Which version are you on?

Version 1.4 looks like this:
Code (sh):
#!/bin/bash
#
# check_wmi_event - nagios plugin for agentless checking of Windows Event Log 
#
# Copyright (C) 2014 Kenneth Moller 
# kenneth.moller (at) gmail.com
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
#
#############################################################################
# TODO
#
# Figure out to change timeout on WMIC!! Do you know please drop me a mail 
#
#############################################################################
#
# Version 1.1
#
# added extra argument -s , thats give you the possibility to match a 
# text string in message  
#
# -s "System.Net.WebException: The operation has timed out" 
#
# This will add to the WQL :
#
# 'and message like "%System.Net.WebException: The operation has timed out%"'
#
#############################################################################
#
# Version 1.2
#
# Bug fix - when using -C custom critical text 
#
#
#############################################################################
#
# Version 1.3
#
# added to the -t, -e, -s, -S and -l  argument , so that you can select multipel arguments.
# 
# fx. if you want to look for event type warning and error use:   -t 1,2
#
#############################################################################
#
# Version 1.4
#
# Bug fix .. error in script when -c or -w wasnt set
#
#############################################################################
VERSION=1.4

#echo $* >> /tmp/event

DEBUG=0
EXITCODE=0
EXITSTRING=""
LASTSTR=""
MARCOLIST="ITEMCOUNT,LASTSTR"
ERROR_EVENTTYPE=""

E_SUCCESS="0"
E_WARNING="1"
E_CRITICAL="2"
E_UNKNOWN="3"



## TMP directory where wmic outputs 

TMPDIR=/tmp

## WMIC binary

WMIC=/bin/wmic

## Custom exit test , can be set as an argumenten in command  line as  -O ,-W ,-C, -U 

CUSTOM_EXIT_STR[$E_SUCCESS]=""
CUSTOM_EXIT_STR[$E_WARNING]=""
CUSTOM_EXIT_STR[$E_CRITICAL]=""
CUSTOM_EXIT_STR[$E_UNKNOWN]=""


##


E_STR[0]="OK"
E_STR[1]="WARNING"
E_STR[2]="CRITICAL"
E_STR[3]="UNKNOWN"

ETYPE[1]="Error"
ETYPE[2]="Warning" 
ETYPE[3]="Information"
ETYPE[4]="Security Audit Success"
ETYPE[5]="Security Audit Failure"




usage()
{
cat << EOF
usage: $0 options

check_wmi_eventid is a script to check windows event log , for a certian eventid..

Simple example : check application log , for eventtype error(-t) and  eventid 9003(-e) with in the last 60 mins(-m60),
set warning (-w) if greater than 1 ,and set error(-c) if greater than 3

check_wmi_eventid  -H 172.10.10.10 -u domain/user -p password -l application -e 9003  -w 1 -c 3  -t1 -m60


Adv. example : same as above , but with arguments -O -W -C, these are custom plugin output for OK,Warning and Critical
Marco $MARCOLIST , can be used!!


check_wmi_eventid  -H 172.10.10.10 -u domain/user -p password -l application -e 9003  -w 1 -c 3  -t1 -m60 -O "Every thing is OK"
-W "Warning : something is not right" -C "It is totaly bad , found ITEMCOUNT events"

With Eventtype error, warning and Information

check_wmi_eventid  -H 172.10.10.10 -u domain/user -p password -l application -e 9003  -w 1 -c 3  -t1,2,3 -m60 -O "Every thing is OK"
-W "Warning : something is not right" -C "It is totaly bad , found ITEMCOUNT events"


Try it out :)

If you find any error , please let me know



 

OPTIONS:
   -h      Show this message
   -H      Host/Ip
   -u      Domain/user
   -p      password
   -l      Name of the log eg "System" or "Application" or any other Event log as shown in the Windows "Event Viewer".
   -t      Eventtype: # 1=error , 2=warning , 3=Information,4=Security Audit Success,5=Security Audit Failure. Multiple Eventypes  possible with , separation
   -e      Eventid, Multiple Eventids possible with , separation
   -s      Sting search for string in message,Multiple strings possible with , separation
   -S      SourceName ,Multiple SourceNames possible with , separation
   -m      Number of past min to check for events.      
   -w      Warning 
   -W      Custom waring string    - ITEMCOUNT,LASTSTR marco can be used  ex. -W "ITEMCOUNT Wanings  with in the LASTSTR"
   -c      Critical
   -C      Custom critical string  - ITEMCOUNT,LASTSTR marco can be used  ex. -W "ITEMCOUNT Critical  with in the LASTSTR"
   -O      Custom ok sting         - ITEMCOUNT,LASTSTR marco can be used  ex. -W "Everything ok with in the LASTSTR"
   -U      CUstom unknown string   - ITEMCOUNT,LASTSTR marco can be used  ex. -W "ITEMCOUNT  Unknowns  with in the LASTSTR"
   -d      Debug
   -v      Version
EOF
}


## -S takes an argument, so it needs a ':' in the option string (missing in the original)
while getopts "hH:u:p:l:t:e:s:S:w:c:m:W:C:O:U:dv" OPTION
do
     case $OPTION in
         h)
             usage
             exit 1
             ;;
         H)
             HOST=$OPTARG
             ;;
         u)
             USER=$OPTARG
             ;;
         p)
             PASSWD=$OPTARG
             ;;
         l)
             LOGFILE=$OPTARG
             ;;
                 t)
             EVENTTYPE=$OPTARG
             ;;
                 e)
             EVENTID=$OPTARG
             ;;
                 s)
             STRING=$OPTARG
             ;;
                 S) 
                 SOURCENAME=$OPTARG
                 ;;

                 m)
             MIN=$OPTARG
             ;;

             w)
             WARNING=$OPTARG
             ;;
             c)
             CRITICAL=$OPTARG
             ;;

             d)
                 DEBUG=1
                     ;;
  
                 W)
             ##custom Warning string
                 CUSTOM_EXIT_STR[$E_WARNING]=$OPTARG
             ;;

                 C)
             ##custom critical string
             CUSTOM_EXIT_STR[$E_CRITICAL]=$OPTARG 
             ;;
        
                 O)
            
                 CUSTOM_EXIT_STR[$E_SUCCESS]=$OPTARG
             ;;

                 U)

             CUSTOM_EXIT_STR[$E_UNKNOWN]=$OPTARG
             ;;

         v)
             echo "Version : $VERSION"
             exit
             ;;

         ?)
             usage
             exit
             ;;
     esac
done

## check arguments

if [[ -z $HOST ]] || [[ -z $USER ]] || [[ -z $PASSWD ]] || [[ -z $LOGFILE ]] || [[ -z $EVENTTYPE ]]
then
     usage
     exit ${E_CRITICAL}
fi



TMPFILE=$TMPDIR/$RANDOM$RANDOM".wmi"
NOW=`date --date="$MIN min ago" +%Y%m%d%H%M%S".000000+120"`

function WQL_Constructor 
{
  local WS=$1
  local WS_FIELD=$2
  local WS_TYPE=$3              
  if [ -n "$WS" ]
  then
        local WS_WQL=" ( "
        INDEX=0
        IFS=', ' read -a WS_ARRAY <<< "$WS"

        for WS_ELEMENT in ${WS_ARRAY[@]}
                do
                        ((INDEX++))
                        if [[ $WS_TYPE == "like" ]]
                        then
                                WS_WQL+=$WS_FIELD' like "%'$WS_ELEMENT'%"'
                        else
                                WS_WQL+=$WS_FIELD' = "'$WS_ELEMENT'"'
                        fi 
        
                        if [ $INDEX -lt "${#WS_ARRAY[@]}" ]
                        then
                                WS_WQL+=" or "
                        else
                                WS_WQL+=" ) and "
                        fi


        done
  fi
echo $WS_WQL
}

EXTRA_WQL=" "$(WQL_Constructor "$LOGFILE"  "Logfile" "" )
EXTRA_WQL+=" "$(WQL_Constructor "$EVENTID" "eventcode" "")
EXTRA_WQL+=" "$(WQL_Constructor "$SOURCENAME" "SourceName" "like")
EXTRA_WQL+=" "$(WQL_Constructor "$STRING"  "Message" "like")
EXTRA_WQL+=" "$(WQL_Constructor "$EVENTTYPE"  "EventType" "" )
## only show the generated filter in debug mode; an unconditional echo here
## would become the first line of the plugin output that Nagios displays
if [ $DEBUG -eq 1 ]; then
        echo "WQL filter: $EXTRA_WQL"
fi



WQL='Select EventCode,EventIdentifier,EventType,SourceName from Win32_NTLogEvent where '$EXTRA_WQL'  TimeGenerated > "'$NOW'"'
##WQL='Select EventCode,EventIdentifier,EventType from Win32_NTLogEvent where logfile="'$LOGFILE'" and eventcode='$EVENTID'  and TimeGenerated > "'$NOW'" '$EXTRA_WQL

## debug

if [ $DEBUG -eq 1 ]; then

## note: this debug line also prints the password that is passed to wmic via -U
echo "$WMIC --namespace root/cimv2  -U $USER%$PASSWD //$HOST '--delimiter=\"|\"'  '"$WQL"'"

fi


ERROR=$($WMIC --namespace root/cimv2  -U $USER%$PASSWD //$HOST --delimiter="|"   "$WQL" 2>&1> $TMPFILE )

if [ $DEBUG -eq 1 ]; then

cat $TMPFILE  | sed 1,2d

fi


## WMIC error

if [ ${#ERROR} -gt 0 ]; then
        echo " WMIC ERROR : "$ERROR     
        exit ${E_UNKNOWN}
fi


## make min human-readable

ITEMCOUNT=`cat $TMPFILE | sed 1,2d | wc -l`
DAYS=$(($MIN / 1440))
HOURS=$((($MIN/60) - ($DAYS * 24)))
MINS=$(($MIN - ($DAYS * 1440)-($HOURS * 60)))
if [ $DAYS -gt 0 ] ;then LASTSTR="$DAYS Days,";fi
if [ $HOURS -gt 0 ] ;then LASTSTR="$LASTSTR $HOURS hour";fi
if [ $MINS -gt 0 ] ;then LASTSTR="$LASTSTR $MINS min";fi


## Check Thresholds

if [ -n "$WARNING" ];then
        if [ $ITEMCOUNT -ge $WARNING ]; then 
                EXITCODE=${E_WARNING}
        fi
fi

if [ -n "$CRITICAL" ];then
        if [ $ITEMCOUNT -ge  $CRITICAL ]; then
                EXITCODE=${E_CRITICAL}
        fi
fi

## replace marcos

EXITSTRING=${CUSTOM_EXIT_STR[$EXITCODE]}
EXITSTRING=${EXITSTRING//ITEMCOUNT/$ITEMCOUNT}
EXITSTRING=${EXITSTRING//LASTSTR/$LASTSTR}

IFS=', ' read -a EV_ARRAY <<< "$EVENTTYPE"
for EV_ELEMENT in ${EV_ARRAY[@]}    
        do
                ERROR_EVENTTYPE+=${ETYPE[$EV_ELEMENT]}","
        done 

## if no custom output string , set it to default  

if [ ${#EXITSTRING} -eq 0 ]; then 

        EXITSTRING="${E_STR[$EXITCODE]} $ITEMCOUNT with Severity Level ${ERROR_EVENTTYPE%?}   in $LOGFILE with in  the last $LASTSTR"
fi


## perf data

 
EXITSTRING="$EXITSTRING|eventid$EVENTID=$ITEMCOUNT;$WARNING;$CRITICAL;;"

## housekeeping

rm -f $TMPFILE



echo $EXITSTRING
exit $EXITCODE


Maybe someone feels like improving the WQL_Constructor() function.

//EDIT:
The problem is this line:
Code:
        IFS=', ' read -a WS_ARRAY <<< "$WS"

read reads the line word by word into an array; word by word, however, means splitting at spaces.
Last edited: 2014-10-16 10:29:28 +0200 (CEST)
