Monitor Group Policy eventlog

Question

I want to monitor GPOs and check if the GPOs are applied on all stations of my Domain, by checking the presence of an ID with the name of GPO, and check if an error occured.

I want to monitor Microsoft-Windows-GroupPolicy\Operational.evtx is this possible, and if yes, how?

For the moment I execute

./check_nrpe -H 192.168.102.245 -p 5666 -c CheckEventLog -a file=Microsoft-Windows-GroupPolicy%4Operational MaxWarn=1 MaxCrit=1 "filter=generated gt -5d AND id IN ('7017','7006') " truncate=1000 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"

However this returns the application event log. When I use the ID contained in the event log, check_nrpe sends the information I want.

What is the Problem ? Could you help me to resolve the issue ?

score 0 · Answer 1 · answered Oct 24 '16 at 16:12

0

You are looking for the file argument.

Which would be file=System if I remember correctly.

answered Oct 24 '16 at 16:12

lazyfrosch

790
4
10

I succes to monitoring the ID contain in file=system like power kernel for exemple, but not in =Microsoft-Windows-GroupPolicy%4Operational.evtx – Astroflo2016 Oct 25 '16 at 06:25

Monitor Group Policy eventlog

1 Answers1