How to monitor Windows event logs in Checkmk

Friends,
we are using Checkmk Raw Edition version 2.0.0p17 (CRE). We are trying to monitor Windows event logs but can't see any documentation on it. Could anyone help with this? Do let us know if we need to change anything in the agent file, and if yes, which files we need to monitor on what path. Also, do we need to configure any rules?

Hi @hemant-cmk,

Maybe this is the documentation you are looking for:
The Event Console - Processing logs and SNMP traps (checkmk.com) - Monitoring log files

It does not contain any information for Windows. However, we are able to get the syslogs for Cisco network devices, but don't know how to get event logs for Windows.

Therefore you need to configure the logwatch plugin for your Windows agent. There should be an explanation and configuration examples inside the plugin configuration file.
Maybe this topic helps you too:

For the Windows event logs you only need to configure the “check_mk.user.yml” file and there the section “logwatch”. With a default agent config you should already get all the “normal” Windows log files.
How does the output of your agent look?

Thanks for helping with this … I am not sure, so I am providing the following info about the configuration. If this is the default and a workable config, then what steps do I need to follow, and where do I need to verify it in the GUI? Also, please help if I need to set up any rules or Windows service monitoring.

logfiles:
  enabled: no
  # We do not support logfiles monitoring in agent at the moment
  # Please, use plugin mk_logwatch

=============================

logwatch:
  # enabled: yes

  # sendall: no   # this is MANDATORY
  # vista_api: no # this is RECOMMENDED
  # max_size: 500000 # default value

  # entries in the windows eventlog
  logfile:
    # - 'EventLogName': <crit|warn|all|off> + [context|nocontext]
    # - 'Application': crit context # example
    # - 'System': warn nocontext    # another example
    # - 'YourOwn': all nocontext    # yet another example
    # - '*': warn nocontext         # This is default params for not missing entries

Hello, could you help here?

My default Logwatch section looks like this.

logwatch:
  enabled: true
  logfile:
    - application: warn nocontext
    - system: warn nocontext
    - "*": off context

What you posted is the example config where all the entries are disabled.

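Added example (not part of the thread and not Checkmk code): a small line-based check that lists which `logwatch` lines in a `check_mk.user.yml` are actually active, so a section where everything is still commented out is easy to spot. It is not a full YAML parser; the two sample configs are constructed from the posts above, and the function and constant names are hypothetical.

```python
import re

# One list item under "logfile:", e.g.  - 'System': warn nocontext
ENTRY = re.compile(
    r"""^-\s*(?P<q>['"]?)(?P<log>.+?)(?P=q)\s*:\s*"""
    r"""(?P<level>crit|warn|all|off)(?:\s+(?P<ctx>context|nocontext))?\s*$""",
    re.IGNORECASE,
)

def strip_comment(line):
    # Assumption: no '#' appears inside quoted values in this file.
    return line.split("#", 1)[0].rstrip()

def logwatch_status(text):
    """Return (enabled, entries) built only from uncommented logwatch lines."""
    enabled, entries, in_section = None, [], False
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue                    # blank or fully commented-out line
        if not line[0].isspace():       # unindented key starts a new section
            in_section = line.strip() == "logwatch:"
            continue
        if not in_section:
            continue                    # e.g. "enabled: no" under "logfiles:"
        item = line.strip()
        if item.startswith("enabled:"):
            enabled = item.split(":", 1)[1].strip()
        else:
            m = ENTRY.match(item)
            if m:
                entries.append((m["log"], m["level"].lower(), m["ctx"]))
    return enabled, entries

# Constructed samples, shortened from the two configs posted in the thread.
EXAMPLE_CONFIG = """logfiles:
  enabled: no
logwatch:
  # enabled: yes
  logfile:
    # - 'Application': crit context # example
    # - '*': warn nocontext
"""
WORKING_CONFIG = """logwatch:
  enabled: true
  logfile:
    - application: warn nocontext
    - system: warn nocontext
    - "*": off context
"""

if __name__ == "__main__":
    for name, cfg in (("example", EXAMPLE_CONFIG), ("working", WORKING_CONFIG)):
        print(name, logwatch_status(cfg))
```

For the first sample it reports no explicit `enabled` value and no active entries; for the second it reports `enabled: true` and the three entries.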

I have tested this and it's working fine for a few servers but not for all servers. What I found is that it requires the Windows log forwarder service to be monitored; if the agent can't find that service on the server, then it's not working. Could you help with how to enable log forwarder services on all Windows servers?

I had no problem on any server with the Windows event logs.

The agent accesses the log information directly and it uses no system service for this.
