Event Console - Finetune Windows Event rule

Hi there, I’m new to CheckMK and I want to configure Windows Event Log filtering. I’ve already enabled forwarding of all Windows events to the EC, but I would like to create filters to discard some of the recurring events that we have on Windows servers. I’ve read about the FineTune Windows Event rule… but I can’t find this option in WATO! Currently, we are running on the CheckMK Raw edition. Also, the Windows servers are running the CheckMK agent V2.0.0p12.

Thank you

Hi,
this rule is part of Checkmk Enterprise Edition. In the RAW edition you have to create your configuration file on your own. An example for this file can be found in Setup > Windows, Linux, Solaris, AIX > Windows files.


Karl

Oh ok… that’s why… OK, I’ll take a look at this example file right away! Thank you so much for your guidance!

Chris

Hi,
the solution @Karl describes is the pre-filter at the source. If you want to filter based on specific Event IDs from Windows, you need to define rules in the EC for this. I think the format of Windows logs is like this:

07/01/2022 12:00 0.1234 Service has failed in Win appl 123

You need to define a rule with a regex in “Text to match” like this:

^\d+\/\d+\/\d+\s+\d+:\d+ (0.1234) .*

The ID in the matching group will be used internally as a key for correlation (key = host, application, matching groups).
I hope this will help also.

Cheers,
Christian
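To make the matching and correlation described above concrete, here is an added example (not code from the thread or from Checkmk itself) that runs the posted "Text to match" regex over a few constructed sample lines in the date/time/id/text shape Christian assumes, builds the (host, application, matching groups) key, and models the "drop this message" rule type. The `Rule` class, the `route` function, the host name `winsrv01` and the first-match-wins rule order are assumptions of this script, not the EC's own API. One caveat a practitioner would want: in the regex as posted the dot in `0.1234` is unescaped, so it matches any single character; the example runs both the posted pattern and an escaped variant so the difference is visible.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the shape the post assumes ("date time id text").
# They are made up for this example, not real logs from the thread's servers.
SAMPLE_LINES = [
    "07/01/2022 12:00 0.1234 Service has failed in Win appl 123",
    "07/01/2022 12:05 0.1234 Service has failed in Win appl 123",
    "07/01/2022 12:07 0x1234 Service has failed in Win appl 123",  # id differs only in the 2nd char
    "07/01/2022 12:10 0.9999 Backup completed",
]

# Regex exactly as posted: the '.' inside the group is unescaped and matches any character.
POSTED_PATTERN = r"^\d+\/\d+\/\d+\s+\d+:\d+ (0.1234) .*"
# Same rule with the literal dot escaped, so only the id "0.1234" is captured.
ESCAPED_PATTERN = r"^\d+\/\d+\/\d+\s+\d+:\d+ (0\.1234) .*"


@dataclass
class Rule:
    """Minimal model of one EC rule (hypothetical names, not the EC's own data model)."""
    rule_id: str
    pattern: str          # the "Text to match" field
    drop: bool = False    # True models "Do not perform any action, drop this message"
    regex: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        self.regex = re.compile(self.pattern)


def correlation_key(host, application, match):
    """Key the EC correlates on, per the post: host, application, matching groups."""
    return (host, application) + match.groups()


def route(lines, rules, host="winsrv01", application="windows"):
    """Run every line through the rules in order; the first matching rule wins
    (a simplification assumed here). Returns dropped lines, open events counted
    per correlation key, and lines no rule matched."""
    result = {"dropped": [], "events": {}, "unmatched": []}
    for line in lines:
        for rule in rules:
            m = rule.regex.match(line)
            if m is None:
                continue
            if rule.drop:
                result["dropped"].append((rule.rule_id, line))
            else:
                key = correlation_key(host, application, m)
                result["events"][key] = result["events"].get(key, 0) + 1
            break
        else:
            result["unmatched"].append(line)
    return result


if __name__ == "__main__":
    # Posted regex: "0x1234" is matched too because '.' is unescaped.
    print(route(SAMPLE_LINES, [Rule("fail-posted", POSTED_PATTERN)]))
    # Escaped regex: only the real id "0.1234" correlates, two occurrences share one key.
    print(route(SAMPLE_LINES, [Rule("fail-escaped", ESCAPED_PATTERN)]))
    # Same match, but as a drop rule: the two recurring lines never become events.
    print(route(SAMPLE_LINES, [Rule("fail-drop", ESCAPED_PATTERN, drop=True)]))
```

With the escaped pattern the two recurring lines collapse onto one correlation key, which is what makes the EC count them as one event; switching the same rule to the drop action discards them before they are stored at all, which is the WATO-side filtering the original poster was looking for.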

OK, I’ll try that… I prefer doing the filtering in WATO than the source (agent yml file).

Are the filters only to send events to the EC and take action (ex: send notifications), or can we create filters to drop/archive incoming events??

Thanks again!

Oh I just found out this… don’t know why I didn’t see it before

Rule Type : "Do not perform any action, drop this message…"

Trying that now!

Thank you a lot!

