AD Auditing with raw edition

Norm · July 10, 2023, 10:39am

and welcome to the community!

You can use the event console to forward your logs and filter them with event console rule packs or you just use logwatch. Another way is to build something on your own or use this localcheck from the community to get the desired result.

To do the finetuning for the logwatch you can write your own finetune config. Here is the example config:

github.com

Checkmk/checkmk/blob/76e45d93c00612e139cc58fe1016258be56cfe55/agents/cfg_examples/logwatch.cfg

# Copyright (C) 2019 Checkmk GmbH - License: GNU General Public License v2
# This file is part of Checkmk (https://checkmk.com). It is subject to the terms and
# conditions defined in the file COPYING, which is part of this source code package.

# logwatch.cfg
# This file configures mk_logwatch. Define your logfiles
# and patterns to be looked for here.

# Name one or more logfiles, and the options to be applied (if any)
"/var/log/messages" maxlinesize=1024 encoding=utf-8
# Patterns are indented with one space are prefixed with:
# C: Critical messages
# W: Warning messages
# I: ignore these lines (OK)
# R: Rewrite the output previous match. You can use \1, \2 etc. for
#    refer to groups (.*) of this match
# The first match decides. Lines that do not match any pattern
# are ignored
 C Fail event detected on md device
 I mdadm.*: Rebuild.*event detected

This file has been truncated. show original

Hope this helps.

Norm