NRPE check_event_log


I have recently configured my systems to run the check_event_log command. Everything works great. My question is:
Is there a way to filter out unwanted eventIDs from the returned set? For example, if I return an error in the event log, but it is an eventID that shows up all of the time and isn’t really important, can I filter that out?

This command will return all events in the last 8 hours with an error status and matching event ID 12023. Is there a way to change this so that it is not equal to 12023? I can’t seem to change the last == to any kind of ‘not equal’ operator.

check_nrpe -H -p 5666 -c CheckEventLog -a file="Application" MaxWarn=1 MaxCrit=1 filter=new filter+generated=<8h filter+eventType==warning filter+eventID==12023

Any input is appreciated.




If you are talking about NSClient, you might want to mention that. As far as I know there is no event log in Linux?


Yes, this was regarding NSClient++ for Windows. It appears the new version 3.8 has made some changes that now allow me to do this. Here is the syntax should someone else need a solution:

The following will return all error events less than 15 minutes old from the Application Event Log EXCEPT EventID 12023:

check_nrpe -c CheckEventLog -H $HOSTADDRESS$ -a file=Application MaxWarn=1 MaxCrit=1 "filter=(generated gt -15m) AND (id NOT IN (12023)) AND (severity='error')" unique descriptions "syntax=%severity%:%source%: (%count%)"