
I'm having an odd amount of trouble deducing the proper syntax to "filter=in" two eventTypes, warning and error.

The line I am using is as follows:

CheckEventLog -a truncate=1023 MaxWarn=1 MaxCrit=1 file='DFS Replication' filter=in "filter.eventSource='DFS Replication'" "filter.eventSource='DFSR'" "filter.eventType==error" "filter.eventType==warning" "filter+generated=\<5m" descriptions unique syntax='%message%'

The "filter=in" means "include" all of the filters listed in the condition; versus "filter=out" meaning exclude all the filters listed in the condition.

The "filter*X" syntax meaning is:

  • '.' optional (like logical OR)
  • '+' required (like logical AND)
  • '-' not required (like logical OR NOT)

This information is gathered from the documentation.

The odd thing is that, to me, the above syntax means: require the filters listed to be present ('filter=in'); from event source 'DFS Replication' OR 'DFSR', include all warning OR error type events that occurred less than 5 minutes ago.

However, the above syntax returns all eventTypes (including error, warning, information) [from the listed event sources (although I haven't proved that they are explicitly the 'event sources' and not all event sources in the Event Log ('file=')), that occurred less than 5 minutes ago].

Is anyone familiar with how to include two different eventType filters in a CheckEventLog command in NSClient++ v0.3.9?

mbrownnyc
  • the solution isn't clear, but a work around for me is to just explicitly include all events of eventtype NOT "information" by using `"filter+eventType=<>info"` and excluding "filter.eventType==error" "filter.eventType==warning" – mbrownnyc Sep 09 '11 at 18:07

1 Answer


Use the new syntax, which is similar to SQL...

The new sample command contains the following filter:

..."filter=generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'"...

And in your case I guess you want to have ...source = 'DFS Replication' OR source = 'DFSR'...

Michael Medin
  • It appears that the optional severities are: 'failure', 'success', 'informational', 'warning', and 'error', is this correct, as 'failure' isn't listed on the wiki pages? – mbrownnyc Sep 12 '11 at 15:57
  • I had a lot of trouble actually having useful things return but ended up using this: `file='DFS Replication' filter=in "filter=generated > -5m AND ((source = 'DFS Replication' OR source = 'DFSR') AND severity NOT IN ('informational'))" descriptions unique syntax='%message%'` The parentheses seem to be critical, as without them, CheckEventLog was literally returning contents of the event definitions, not even contents of messages... which is quite interesting. – mbrownnyc Sep 15 '11 at 19:07
  • Failure audit events are reported as severity `success` 100% of the time. So the only way I was able to determine "failure audits," was, well... by failure audits: `file='Security' filter=in "filter=generated > -5m and type = 'auditFailure'" descriptions unique syntax='%message%'` – mbrownnyc Sep 20 '11 at 14:38
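The SQL-like filter grammar from the answer, and the two filters mbrownnyc posted in the comments, evaluated offline by a small toy evaluator. This is an added example written for this page; it is not NSClient++ code and does not claim to reproduce how NSClient++ parses these strings. It assumes events are plain dicts whose `generated` field is an offset in seconds from now (negative means in the past), uses constructed sample events, and models only the subset of the grammar seen in the thread: comparisons (`=`, `!=`, `<>`, `>`, `<`, `gt`, `lt`), `IN` / `NOT IN`, `AND`, `OR` and parentheses. In this evaluator AND binds tighter than OR, as in SQL, so the unparenthesised variant of the Sep 15 filter lets informational and stale DFSR events through, which is one concrete reason the parentheses in that comment matter.

```python
import operator
import re

# Token classes: parens, comma, quoted string, comparison operator,
# number with optional time unit (-5m, -2d), bare word (field, keyword, gt/lt).
TOKEN_RE = re.compile(
    r"\s*(?:(\()|(\))|(,)|('[^']*')|(!=|<>|>=|<=|=|>|<)|(-?\d+[smhd]?)|([A-Za-z_]\w*))")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
WORD_OPS = {"gt": ">", "lt": "<", "<>": "!="}
COMPARE = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
           "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def lower(v):  # strings compare case-insensitively, numbers pass through
    return v.lower() if isinstance(v, str) else v

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near {text[pos:pos + 12]!r}")
        tokens.append(m.group(m.lastindex))
        pos = m.end()
    return tokens

def literal(tok):
    # 'Text' -> lowercase str; -5m / -2d -> seconds relative to now; 42 -> 42
    if tok.startswith("'"):
        return tok[1:-1].lower()
    if tok[-1] in UNITS:
        return int(tok[:-1]) * UNITS[tok[-1]]
    return int(tok)

class Parser:
    # Recursive descent: AND binds tighter than OR (as in SQL); parentheses override that.
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):  # upper-cased so keywords are case-insensitive
        return self.toks[self.i].upper() if self.i < len(self.toks) else None
    def take(self, expected=None):
        if self.peek() is None or (expected and self.peek() != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {self.peek()!r}")
        self.i += 1
        return self.toks[self.i - 1]
    def or_expr(self):
        parts = [self.and_expr()]
        while self.peek() == "OR":
            self.take()
            parts.append(self.and_expr())
        return lambda ev: any(p(ev) for p in parts)
    def and_expr(self):
        parts = [self.primary()]
        while self.peek() == "AND":
            self.take()
            parts.append(self.primary())
        return lambda ev: all(p(ev) for p in parts)
    def primary(self):
        if self.peek() == "(":
            self.take()
            inner = self.or_expr()
            self.take(")")
            return inner
        return self.comparison()
    def comparison(self):
        field = self.take().lower()
        negate = self.peek() == "NOT"  # only 'field NOT IN (...)' is modelled
        if negate:
            self.take()
        if self.peek() == "IN":
            self.take()
            self.take("(")
            values = [literal(self.take())]
            while self.peek() == ",":
                self.take()
                values.append(literal(self.take()))
            self.take(")")
            return lambda ev: (lower(ev.get(field)) in values) != negate
        op = self.take().lower()
        cmp, value = COMPARE[WORD_OPS.get(op, op)], literal(self.take())
        return lambda ev: cmp(lower(ev.get(field)), value)

def filter_events(expression, events):
    """Return the events matched by a CheckEventLog-style filter expression."""
    parser = Parser(expression)
    match = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected trailing token {parser.peek()!r}")
    return [ev for ev in events if match(ev)]

# Constructed sample events (not real log data); 'generated' is seconds from now, -120 = two minutes ago.
SAMPLE_EVENTS = [
    {"id": 1, "source": "DFS Replication", "severity": "error", "generated": -120},
    {"id": 2, "source": "DFSR", "severity": "warning", "generated": -60},
    {"id": 3, "source": "DFS Replication", "severity": "informational", "generated": -30},
    {"id": 4, "source": "DFSR", "severity": "error", "generated": -3600},
    {"id": 5, "source": "SideBySide", "severity": "error", "generated": -10},
]
# Expressions from the thread (the text after 'filter=') plus an unparenthesised variant.
ANSWER_FILTER = "generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'"
COMMENT_FILTER = "generated > -5m AND ((source = 'DFS Replication' OR source = 'DFSR') AND severity NOT IN ('informational'))"
NO_PARENS_FILTER = "generated > -5m AND source = 'DFS Replication' OR source = 'DFSR' AND severity NOT IN ('informational')"
```

Calling `filter_events(COMMENT_FILTER, SAMPLE_EVENTS)` matches only events 1 and 2 (recent, DFS source, not informational), `filter_events(ANSWER_FILTER, SAMPLE_EVENTS)` matches 1, 2 and 4, while `filter_events(NO_PARENS_FILTER, SAMPLE_EVENTS)` matches 1, 2, 3 and 4: the OR splits the expression into two AND groups, so the informational event 3 and the hour-old DFSR event 4 are no longer excluded. Whatever the real parser does, the defensive habit is the same as in SQL: parenthesise every OR group explicitly and check the filter against a known set of events before trusting the check in monitoring.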