
RE: [nv-l] ? about monitoring event logs on Windows 200x

To: <nv-l@lists.us.ibm.com>
Subject: RE: [nv-l] ? about monitoring event logs on Windows 200x
From: "Glen Warn" <Glen.Warn@pemcocorp.com>
Date: Thu, 28 Jul 2005 17:15:23 -0700
Delivery-date: Fri, 29 Jul 2005 01:15:10 +0100
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
Reply-to: nv-l@lists.us.ibm.com
Sender: owner-nv-l@lists.us.ibm.com
Thread-index: AcWTztqWgiqycywfQVGTnG+O08e5DwAAMz0A
Thread-topic: [nv-l] ? about monitoring event logs on Windows 200x
Thanks for everyone's responses.  So far, the evntwin.exe has fit the
bill perfectly.  It can turn almost any event log entry into an snmp
trap (which can be manipulated thru event customization or rulesets)
and, so far, has provided very fast notification - at least as reliable
as testing can be. 

Glen Warn
PEMCO Corporation Computer Services (PCCS)

-----Original Message-----
From: owner-nv-l@lists.us.ibm.com [mailto:owner-nv-l@lists.us.ibm.com]
On Behalf Of John Sobrinho
Sent: Thursday, July 28, 2005 4:47 PM
To: nv-l@lists.us.ibm.com
Subject: RE: [nv-l] ? about monitoring event logs on Windows 200x

I realize this is a non-NetView solution, but an alternative
suggestion is to use the TecWin adapter to scrape the NTEVENT log, and post
the message to TEC. This bypasses NetView polling and provides a close
to real time alert, and less burden on the NetView server.


-----Original Message-----
From: owner-nv-l@lists.us.ibm.com [mailto:owner-nv-l@lists.us.ibm.com]On
Behalf Of Jane Curry
Sent: Thursday, July 28, 2005 3:10 PM
To: nv-l@lists.us.ibm.com
Subject: Re: [nv-l] ? about monitoring event logs on Windows 200x

This is getting a little off the original topic, but I have used servmon
successfully to monitor by means other than port sniffing.

Don't forget that servmon can either be told to "sniff" a port or ports,
OR, you can provide him with a script that discovers a "service" and a
script that does status checking on a "service".  So, if you are trying
to detect whether application xyz exists and is running, you can write a
script that does something like:
  ps -ef | grep xyz | grep -v grep
(the grep -v grep just avoids getting a match for your grep process).

So far, so good - but the glitch is that the discovery and status
scripts that servmon runs, run on the NetView server itself, not on
boxes out in the network.

The solution I built was based on the fact that the boxes to be
monitored for the xyz process, had ssh installed and setup, as did the
NetView system.  I created a userid on the systems, called servmon, and
made sure that ssh worked between the NetView system and my target
systems.  Then, the script that servmon runs is similar to my one-liner
above but you run it as a parameter to ssh.  Here's my sample code (I
will put it on the NetView TUG site):

# Script to be run from servmon to check for a particular process
#
# Script uses ssh to check remote systems - it is assumed that ssh works
#
# The first parameter should be node to check for a particular process
# The second parameter is the process to check for
#
# Return codes are 2 = Normal  4 = Critical  0 = test cannot be run
#
#set -x
#echo start `date` >> /tmp/set
#set >> /tmp/set

HOST=$1          # node to check (first parameter)
PROCESS=$2       # process to check for (second parameter)
USERID=servmon   # userid created on the target systems

COMMAND="ps -ef | grep $PROCESS | grep -v grep"

# Parameters for ssh command - -f puts ssh in background; -n redirects
# stdin from /dev/null
#echo "/usr/bin/ssh -f -n -F /home/$USERID/.ssh/config -i /home/$USERID/.ssh/identity -i /home/$USERID/.ssh/id_rsa -i /home/$USERID/.ssh/id_dsa $USERID@$HOST $COMMAND" >> /tmp/set

# The ssh command is one logical line, continued with backslashes
RESULT=`/usr/bin/ssh -f -n -F /home/$USERID/.ssh/config \
  -i /home/$USERID/.ssh/identity -i /home/$USERID/.ssh/id_rsa \
  -i /home/$USERID/.ssh/id_dsa $USERID@$HOST $COMMAND`

#echo result is $RESULT >> /tmp/set

# Empty output means no matching process was found on the remote node
if [ "$RESULT" = "" ]
then echo $RESULT; exit 4
else echo $RESULT; exit 2
fi

The hard part is ensuring your ssh is good.  Once that works, the rest
is a doddle.  Of course, if you are not so security conscious, you might
just use rexec if you have that, rather than ssh.


J Shanks wrote:

>I believe that eventwin is only supported on Windows 2000 Server  and 
>Windows 2000 Advanced Server.  I don't think workstations are
>From :  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318464
>It certainly is not installed on my XP Pro Workstation by default.
>As for Glen's question about how to monitor a service that doesn't 
>listen to a port, I'm completely  baffled.
>If you take a look at /usr/OV/conf/servmon.conf you'll see why I'm
>servmon is all about  trying to connect to a designated port on a 
>remote box to find out whether there is anything listening on it.  
>That's port sniffing, which is how an outside agent would determine 
>that box such-and such has something running on it which is listening 
>on that port.  I don't have any idea how an external agent would 
>determine that a service which did not use a port was active, unless 
>there is a MIB you could query, such as the HOST-RESOURCES MIB or 
>something more vendor-specific.  In fact, I don't even understand what 
>kind of a service that would be exactly.  How would another user
>access it if not by port?
>So far as I can see if it doesn't use a port, then you cannot use 
>servmon to monitor it, and you would need some other tool running on 
>the box to do it for you, which might very well mean that you cannot do
>it without purchasing additional software.
>James Shanks
>Level 3 Support  for Tivoli NetView for UNIX and Windows Tivoli 
>Software / IBM Software Group

Tivoli Certified Consultant & Instructor Skills 1st Limited, 2 Cedar
Chase, Taplow, Bucks, SL6 0EU, UK
Tel: +44 (0)1628 782565
Copyright (c) 2005 Jane Curry <jane.curry@skills-1st.co.uk>.  All rights


Archive operated by Skills 1st Ltd
