I'm trying to check the Windows Event log for the past 12 hours (or 8 hrs) by using the CheckEventLog command and I'm getting random results with this command. It works in one place and it doesn't in other places. I have NSClient++ version (0.5.0.62) installed on all my Win servers.
The command I'm using:
$USER1$/check_nrpe -H HOST IP -p 5666 -c CheckEventLog -a file=Application MaxWarn=1 MaxCrit=1 "filter=generated > -12h AND severity = 'error'" unique descriptions "syntax=%source% - %severity% - Error Details: %message%"
I get the result as:
UNKNOWN-CHECK_NRPE: Invalid packet type received from server.
If I remove '-' on the right of the 12h it shows OK result, but doesn't report any errors (I know there are errors in the event log as I'm viewing them at the same time). If I add the '-' on the right of the 12h, like this "-12h" it will return Unknown.
What is wrong here? Have I missed something?
Fixed it by changing the extended response value to zero, under the NRPE settings in the nsclient.ini file.
On the remote Windows host go to the nsclient.ini section:
[/settings/NRPE/server]
and replace 1 with zero for:
extended response = 0
Save and restart NSClient++.
This will limit the query size and won't overflow the NRPE command.
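Added example, not part of the original post and not code from NSClient++ or check_nrpe: a Python model of how a long result can fail with "Invalid packet type" while a short one passes. It assumes the NRPE v2 packet layout (1036 bytes with a 1024-byte buffer), that extended response makes the server send long output as several packets marked with a "more data" type (3 here), and a client that accepts only type 2; all function names and sample strings are hypothetical.

```python
import struct
import zlib

# Assumed NRPE v2 layout: version, type, crc32, result code, 1024-byte buffer, 2 pad bytes.
PACKET = struct.Struct("!hhIh1024s2s")
QUERY, RESPONSE, RESPONSE_MORE = 1, 2, 3   # 3 = assumed "more data follows" type
PAYLOAD = 1023                             # buffer minus the NUL terminator

# Constructed sample outputs (ASCII only, so characters == bytes).
SHORT = "OK: no errors"
LONG = "E" * 3000


def build(ptype, code, text):
    """Pack one v2 packet; the CRC32 is computed with the CRC field zeroed."""
    body = text.encode()[:PAYLOAD]
    raw = PACKET.pack(2, ptype, 0, code, body, b"\0\0")
    return PACKET.pack(2, ptype, zlib.crc32(raw) & 0xFFFFFFFF, code, body, b"\0\0")


def server_reply(output, code, extended_response):
    """Split long output across packets (extended) or truncate it to one packet."""
    if not extended_response:
        return [build(RESPONSE, code, output)]
    chunks = [output[i:i + PAYLOAD] for i in range(0, len(output), PAYLOAD)] or [""]
    last = len(chunks) - 1
    return [build(RESPONSE if i == last else RESPONSE_MORE, code, chunk)
            for i, chunk in enumerate(chunks)]


def strict_client(packets):
    """Read only the first packet and accept only type 2, like a v2-only client."""
    version, ptype, crc, code, buf, _pad = PACKET.unpack(packets[0])
    zeroed = PACKET.pack(version, ptype, 0, code, buf, b"\0\0")
    if crc != zlib.crc32(zeroed) & 0xFFFFFFFF:
        return "CRC mismatch"
    if ptype != RESPONSE:
        return "Invalid packet type received from server."
    return buf.split(b"\0", 1)[0].decode()


if __name__ == "__main__":
    for label, out in (("short", SHORT), ("long", LONG)):
        for ext in (1, 0):
            result = strict_client(server_reply(out, 2, bool(ext)))
            print(f"{label:5} extended response = {ext}: {result[:45]}")
```

With extended response = 0 the long result is cut to one buffer, so a check that matches many events returns a truncated message rather than the full list.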