"winwarncrit" option causes Windows eventlog messages to be prefixed with "EE_(EE|WW)_TT"
When monitoring the Windows eventlog, if the winwarncrit option is specified, the log messages output by the plugin are prefixed with one of the following:
- EE_EE_TT
- EE_WW_TT
- EE_UU_TT
I've tested using the latest git head (v4.0.1.6 at the time of writing) and the issue is still present. Steps to reproduce the issue are provided below:
Configuration file:
```perl
$options = 'report=long, maxlength=768';
$protocolretention=1;
@searches =
(
  ##
  ## Windows System EventLog Check
  ##
  {
    tag => 'system-eventlog',
    script => sub {
      my $trimlength = 500;
      $op_trim = substr($ENV{CHECK_LOGFILES_SERVICEOUTPUT},0,$trimlength);
      print $op_trim;
      return $ENV{CHECK_LOGFILES_SERVICESTATEID};
    },
    type => 'wevtutil',
    eventlog => {
      eventlog => 'application',
      include => {
      },
    },
    criticalpatterns => [
      '.*',
    ],
    criticalexceptions => [
    ],
    warningpatterns => [
    ],
    warningexceptions => [
      ###STARTOFWARNINGEXCEPTIONS###
      ##ENDOFWARNINGEXCEPTIONS###
    ],
    okpatterns => [
      ###STARTOFOKPATTERNS###
      ###ENDOFOKPATTERNS###
    ],
    options => 'nocase,supersmartscript,winwarncrit,sticky=90,preferredlevel=warning',
  },
)
```
Clear the Application event log in Event Viewer and then run check_logfiles:
```
PS C:\Users\xxx\check_logfiles-522ebe\plugins-scripts> perl .\check_logfiles -f .\test.conf
OK - no errors or warnings|'system-eventlog_lines'=0 'system-eventlog_warnings'=0 'system-eventlog_criticals'=0 'system-eventlog_unknowns'=0
```
Use PowerShell to add a warning to the event log:
```powershell
New-EventLog -LogName Application -Source CheckLogfilesTest
Write-EventLog -LogName "Application" -Source "CheckLogfilesTest" -EventId 4242 -EntryType Warning -Message "Test warning event"
```
Run check_logfiles again:
```
PS C:\Users\xxx\check_logfiles-522ebe\plugins-scripts> perl .\check_logfiles -f .\test.conf
WARNING - (1 warnings in test.protocol-2022-05-05-14-08-58) - EE_WW_TT2022-05-05T14:08:50 4242 Test warning event |'system-eventlog_lines'=1 'system-eventlog_warnings'=1 'system-eventlog_criticals'=0 'system-eventlog_unknowns'=0
tag system-eventlog WARNING
EE_WW_TT2022-05-05T14:08:50 4242 Test warning event
```
Add an error to the event log using PowerShell:
```powershell
Write-EventLog -LogName "Application" -Source "CheckLogfilesTest" -EventId 4242 -EntryType Error -Message "Test error event"
```
Run check_logfiles again:
```
PS C:\Users\xxx\check_logfiles-522ebe\plugins-scripts> perl .\check_logfiles -f .\test.conf
CRITICAL - (2 errors, 1 warnings in test.protocol-2022-05-05-14-09-35) - EE_EE_TT2022-05-05T14:09:30 4242 Test error event ...|'system-eventlog_lines'=1 'system-eventlog_warnings'=1 'system-eventlog_criticals'=2 'system-eventlog_unknowns'=0
tag system-eventlog CRITICAL
EE_EE_TT2022-05-05T14:09:30 4242 Test error event
EE_EE_TT2022-05-05T14:09:30 4242 Test error event
EE_WW_TT2022-05-05T14:08:50 4242 Test warning event
```
Note how each message is prefixed with "EE_(EE|WW)_TT". However, when I remove the winwarncrit option from the configuration, the output doesn't include those prefixes:
```
PS C:\Users\xxx\check_logfiles-522ebe\plugins-scripts> perl .\check_logfiles -f .\test.conf
CRITICAL - (3 errors in test.protocol-2022-05-05-14-15-31) - 2022-05-05T14:12:02 4242 Test error event ...|'system-eventlog_lines'=3 'system-eventlog_warnings'=0 'system-eventlog_criticals'=3 'system-eventlog_unknowns'=0
tag system-eventlog CRITICAL
2022-05-05T14:08:50 4242 Test warning event
2022-05-05T14:09:30 4242 Test error event
2022-05-05T14:12:02 4242 Test error event
```
I tried changing the type option from "wevtutil" to "eventlog" but the issue remained.