Need help with 2008R2 Cluster log parsing

  • Deloreansteel
    Junior Member
    • Aug 2011
    • 3

    #1

    Need help with 2008R2 Cluster log parsing

    I have a task to monitor a 2008 R2 / 2008 R2 SQL Failover cluster using Zabbix. The only way I have been successful in monitoring failover in a Windows 2003 environment was to monitor the event logs and, when an event ID was reported to the evt log, set up a trigger for it and alert the proper team that the cluster had failed over to a new node. I am currently trying to do this on a 2008 R2 server, but here is the catch: the events are logged into a log named "Microsoft-Windows-FailoverClustering/Operational". I have successfully been able to get latest data on the System and Application logs, but not this log. I have tried to see if there is a nested way Windows is saving this log file, such as saving it in the System log and via Event Viewer saving it as the Microsoft-Windows-FailoverClustering/Operational log, but my searches for such info have come up dry.

    Has anyone been successful in doing this?

    Here is an excerpt from the Agent log file that I have been troubleshooting with:

    5632:20110810:151410.158 Starting Zabbix Agent. Zabbix 1.8.5 (revision 19047).
    3028:20110810:151410.162 agent #0 started [collector]
    5512:20110810:151410.162 agent #1 started[listener]
    1456:20110810:151410.162 agent #2 started[listener]
    6272:20110810:151410.162 agent #4 started[listener]
    6468:20110810:151410.163 agent #3 started[listener]
    7056:20110810:151410.163 agent #5 started [active checks]
    7056:20110810:151610.884 Can't open eventlog 'Microsoft-Windows-FailoverClustering/Operational' [The operation completed successfully.]
    7056:20110810:151610.884 Active check [eventlog[Microsoft-Windows-FailoverClustering/Operational]] is not supported. Disabled.

    copy of Conf file if needed:

    Server=10.xx.xx.xx
    ServerPort=10051
    Hostname=xx-xx-xx
    ListenPort=10050
    StartAgents=4
    EnableRemoteCommands=1
    DebugLevel=3
    LogFile=C:\zabbix\Zabbix_agentd.log
    Timeout=5
    UserParameter=uLastWinUpdate,cscript.exe /nologo "c:\zabbix\uLastWinUpdate.vbs"

    Key being used in Item:

    eventlog[Microsoft-Windows-FailoverClustering/Operational]
  • MarkusL
    Member
    • Nov 2008
    • 41

    #2
    Hi!

    We do heavy work with 2008 R2 and Zabbix, too.
    But we do it the other way.

    - find out which event-ids you want to monitor (technet is your friend)
    - generate planned tasks for them (on event --> zabbix-sender)
    - work with push, not eventlog-pull


    for example:
    - server does windows-backup every day (with integrated windows backup)
    - on success -> eventid 14 is written in eventlog
    - generate planned task -> push 14 with zabbix_sender to key 2008r2[windowsbackup] (f.e.)
    - trigger that (last(0)#14 or count(#1,14)=1 or something) + nodata with 48h no new entry = backup-process is hanging (kind of "heartbeat-check")


    Works absolutely fantastic, gets rid of all that eventlog-how-to-monitor stuff, saves you a lot of space, because only relevant data (filtered by planned tasks) is being pushed to your Zabbix.



    Kind regards,

    Markus.


    • Deloreansteel
      Junior Member
      • Aug 2011
      • 3

      #3
      Thanks

      Quote: "generate planned task -> push 14 with zabbix_sender to key 2008r2[windowsbackup]"


      Would it be safe to say this is configured agent side, or on the Zabbix server side within the host needing the "eventlog pushing"?


      • MarkusL
        Member
        • Nov 2008
        • 41

        #4
        - planned task is generated on your win-server (agent-side)
        - zabbix_sender is of course on your win-server, too

        - in zabbix-server you generate the corresponding template with items "Zabbix Trapper" and link it to your monitored host


        • Deloreansteel
          Junior Member
          • Aug 2011
          • 3

          #5
          Ahhh:

          http://www.zabbix.com/documentation/.../zabbix_sender

          So it's a config outside of the Zabbix agent, and uses another exe for this process. Is this how you have it set up?

          My thoughts are to set this up on the win server as a scheduled task. This is where I would need hand holding. Are you pushing the events to a file, or having it pull from the event log, then sending it to the Zabbix server?


          • MarkusL
            Member
            • Nov 2008
            • 41

            #6
            You got it! :-)
            The sender has (nearly) nothing to do with the agent; it is "standalone".

            Scheduled task is also correct (I meant scheduled task with planned task).
            On 2008 R2 you can generate a task "on event XY" and this is how to do it. Just create a planned task and set as trigger "on event", define the event from the eventlog and you're done. Whether you go down to event-id or just push out by category (f.e. critical, warning) is up to you.

            What you can do f.e. is:
            - scheduled task -> on event "category = critical" -> zabbix_sender to key "eventlog[critical]"
            - scheduled task -> on event "category = warning" -> zabbix_sender to key "eventlog[warning]"
            and so on.

            100000 possibilities, all push, no get, no export from eventlog.

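The push setup described in posts #2 to #6 (a scheduled task triggered "on event" that calls zabbix_sender into a "Zabbix trapper" item), written out as an added example; it is not part of the thread and not either poster's actual configuration. The task name, item key, sender path and the LocalService run-as account are assumptions, the event ID is supplied by you, and the server and host values mirror Server= and Hostname= from the agent config.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible; run elevated on the node.
param(
    [Parameter(Mandatory=$true)][int]$EventId,          # event ID you chose to alert on
    [Parameter(Mandatory=$true)][string]$ZabbixServer,  # same value as Server= in the agent conf
    [Parameter(Mandatory=$true)][string]$ZabbixHost,    # same value as Hostname= in the agent conf
    [string]$Channel  = 'Microsoft-Windows-FailoverClustering/Operational',
    [string]$ItemKey  = '2008r2[clusterfailover]',      # hypothetical "Zabbix trapper" item key
    [string]$Sender   = 'C:\zabbix\zabbix_sender.exe',  # assumed install path (no spaces)
    [string]$TaskName = 'Zabbix-Push-ClusterEvent'      # hypothetical task name
)

# Fail early if the channel name is wrong or the sender binary is missing.
wevtutil.exe gl $Channel | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Event channel not found: $Channel" }
if (-not (Test-Path $Sender)) { throw "zabbix_sender not found at $Sender" }

# The task runs unattended, so the binary it launches must not be replaceable by
# ordinary users. Basic check: explicit write rights for broad groups (English names).
$broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
$writable = (Get-Acl $Sender).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($broad -contains $_.IdentityReference.Value) -and
    ([int]$_.FileSystemRights -band $writeMask)
}
if ($writable) { throw "$Sender is writable by non-administrators; fix the ACL first" }

# Trigger filter (XPath over the event XML) and the action the task runs.
$xpath   = "*[System[(EventID=$EventId)]]"
$command = "$Sender -z $ZabbixServer -p 10051 -s $ZabbixHost -k $ItemKey -o $EventId"

# Assumption: zabbix_sender only needs outbound TCP, so a low-privilege account is enough.
schtasks.exe /Create /F /TN $TaskName /SC ONEVENT /EC $Channel /MO $xpath `
    /TR $command /RU 'NT AUTHORITY\LOCALSERVICE'
if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }

# Show the registered task so the trigger and action can be reviewed.
schtasks.exe /Query /TN $TaskName /V /FO LIST
```

On the Zabbix server, an item of type "Zabbix trapper" with the same key has to exist on the host, as post #4 describes, before the pushed values are accepted.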