I am trying to get NSClient++ to work with NSCA to do real-time eventlog checks. It's complicated, so here are my notes. The documentation on this is a bit thin, so if there are holes here, comments are welcome. And up front - a shout-out to the NSClient++ lead dev - Michael Medin. He did a lot of work over many years to get the client into the shape it's in. This work is based on v5.2.35 of the client.
Concept
The real-time log & eventlog system has two parts. I'll call them the filter (or sensor) and the reporter. The filter/sensor decides what events to look for and is configured under these setting headings:
/settings/eventlog
/settings/eventlog/real-time
/settings/eventlog/real-time/filters/default
/settings/eventlog/real-time/filters/check_myfilter
I don't use the root heading.
The /settings/eventlog/real-time heading is used to enable the real-time sensor and set some defaults:
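[/settings/eventlog/real-time]
; turn the real-time sensor on
enabled=true
; where matching events are sent
destination=NSCA
; log filter hits and misses; very noisy, for tuning only
debug=true
; how far back to scan the eventlog when the client starts
startup age=30m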
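To check a deployed ini file against the settings above, here is an added example (not part of the original notes or of NSClient++) that audits the real-time section and the filter headings. The function names, the finding texts, the accepted spellings of true, and the duration unit table are assumptions made for this sketch.

```python
import configparser
import re

RT = "/settings/eventlog/real-time"
FILTERS = RT + "/filters/"
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}  # assumed units

def to_seconds(text):
    """Convert a duration such as '30m' to seconds, or None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw])\s*", text.lower())
    return int(m.group(1)) * UNITS[m.group(2)] if m else None

def audit(ini_text):
    """Return a list of findings for the real-time eventlog settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(ini_text)
    if not cp.has_section(RT):
        return [f"missing section [{RT}]"]
    rt = cp[RT]
    findings = []
    # Assumption: only "true" and "1" count as enabled.
    if rt.get("enabled", "false").strip().lower() not in ("true", "1"):
        findings.append("real-time sensor is not enabled")
    if not rt.get("destination", "").strip():
        findings.append("no destination set in this section")
    if rt.get("debug", "false").strip().lower() in ("true", "1"):
        findings.append("debug=true: verbose, switch off after tuning")
    if "startup age" in rt and to_seconds(rt["startup age"]) is None:
        findings.append("startup age is not a duration like 30m")
    # The default section only carries defaults; look for a named filter too.
    named = [s for s in cp.sections()
             if s.startswith(FILTERS) and s != FILTERS + "default"]
    if not named:
        findings.append("no filter section besides default under " + FILTERS)
    return findings

# Constructed sample: the settings from these notes plus an empty filter section.
SAMPLE = """\
[/settings/eventlog/real-time]
enabled=true
destination=NSCA
debug=true
startup age=30m

[/settings/eventlog/real-time/filters/check_myfilter]
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```
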