
Greg's Tech blog

NSClient++ and Real-time Eventlog checks

Monday 02 of November, 2020

I am trying to get NSClient++ to work with NSCA to do real-time eventlog checks. It's complicated, so here are my notes. The documentation on this is a bit thin, so if there are holes here, comments are welcome. And up front - a shout-out to the NSClient++ lead dev, Michael Medin. He did a lot of work over many years to get the client into the shape it's in. This work is based on v5.2.35 of the client.

Concept

The real-time log & eventlog system has two parts.  I'll call them the filter (or sensor) and the reporter.  The filter/sensor decides what events to look for and is configured under these setting headings:

/settings/eventlog
/settings/eventlog/real-time
/settings/eventlog/real-time/filters/default
/settings/eventlog/real-time/filters/check_myfilter

The root heading is not used by me.
The /settings/eventlog/real-time heading is used to enable the real-time sensor and set some defaults:
[/settings/eventlog/real-time]
enabled=true
destination=NSCA
debug=true
startup age=30m