Hi there, I’m new to CheckMK and I want to configure Windows Event Log filtering. I’ve already enabled forwarding of all Windows events to the EC, but I would like to create filters to discard some of the recurring events that we have on Windows servers. I’ve read about the FineTune Windows Event rule… but I can’t find this option in WATO !!! Currently, we are running the CheckMK Raw edition. Also, the Windows servers are running the CheckMK agent V2.0.0p12.
Hi,
this rule is part of Checkmk Enterprise Edition. In the RAW edition you have to create your configuration file on your own. An example for this file can be found in Setup > Windows, Linux, Solaris, AIX > Windows files.
Hi,
the solution @Karl described is the pre-filter at the source. If you want to filter based on specific Event IDs from Windows, you need to define rules in the EC for this. I think the format of Win logs is like this:
07/01/2022 12:00 0.1234 Service has failed in Win appl 123
You need to define a rule with a regex in “Text to match” like this:
^\d+\/\d+\/\d+\s+\d+:\d+ (0.1234) .*
The ID in the matching group will be used internally as a key for correlation (key = host, application, matching groups).
I hope this will help also.
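Added example, not part of the original posts: an offline check of the “Text to match” pattern above before it goes into an EC rule, with Python's `re` module standing in for the EC matcher (an assumption). Host names, application names and every sample line except the first are constructed; the block also compares the posted pattern with a variant that escapes the dot in the ID.

```python
import re

# Pattern as posted above, and a variant with the dot escaped so that the ID
# "0.1234" is matched literally (an unescaped "." matches any character).
RULE_AS_POSTED = r"^\d+\/\d+\/\d+\s+\d+:\d+ (0.1234) .*"
RULE_ESCAPED = r"^\d+\/\d+\/\d+\s+\d+:\d+ (0\.1234) .*"

# Constructed samples: (host, application, text). Only the first text is the
# line quoted in the post; the log format itself is the poster's guess.
SAMPLES = [
    ("srv01", "Application", "07/01/2022 12:00 0.1234 Service has failed in Win appl 123"),
    ("srv01", "Application", "07/01/2022 12:05 0.1234 Service has failed in Win appl 123"),
    ("srv02", "Application", "07/01/2022 12:06 0.9999 Disk is almost full"),
    ("srv02", "Application", "07/01/2022 12:07 0X1234 Unrelated event"),
    ("srv03", "System", "Service 0.1234 has failed"),
]


def classify(pattern, samples=SAMPLES):
    """Return (keys, unmatched_texts) for a rule pattern.

    Each key is (host, application, match groups), the correlation key
    described in the post; events with equal keys would be correlated.
    """
    rx = re.compile(pattern)
    keys, unmatched = [], []
    for host, app, text in samples:
        m = rx.search(text)
        if m:
            keys.append((host, app, m.groups()))
        else:
            unmatched.append(text)
    return keys, unmatched


def overmatch(loose, strict, samples=SAMPLES):
    """Texts the loose pattern would catch that the strict one leaves alone."""
    loose_rx, strict_rx = re.compile(loose), re.compile(strict)
    return [t for _, _, t in samples
            if loose_rx.search(t) and not strict_rx.search(t)]


if __name__ == "__main__":
    for name, pat in (("as posted", RULE_AS_POSTED), ("escaped", RULE_ESCAPED)):
        keys, unmatched = classify(pat)
        print(f"{name}: {len(keys)} matched, {len(set(keys))} distinct key(s)")
        print(f"  not matched: {unmatched}")
    print("extra matches of posted pattern:", overmatch(RULE_AS_POSTED, RULE_ESCAPED))
```

A line listed under the extra matches is one a discard rule built on the posted pattern would also drop, so review that list before enabling the rule.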