Add Windows advanced log to CheckMK

Hi,
I can't find an answer on whether it's possible to add advanced Windows logs to CheckMK, for example those located at:
Applications and Services Logs -> Microsoft -> Windows -> Backup?

Thanks
Leos

Hi.

You can add the path to the Windows log in the YAML file. Here is an example based on Print Service, e.g.

- 'Microsoft-Windows-PrintService/Operational': all nocontext

Rg, Christian

Hi,
do you mean to C:\Program Files (x86)\checkmk\service\check_mk.yml like this:

logwatch:
    enabled: yes
    
    sendall: no   # this value is MANDATORY, yes is useful only for debugging
    vista_api: no # this is RECOMMENDED
    max_size: 500000 #
    max_line_length: -1 # -1 to ignore, or any positive, max length of the line
    max_entries: -1     # -1 to ignore, or any positive, max count to receive
    timeout: -1         # -1 to ignore, or any positive, in seconds

    logfile: # entries in the windows eventlog
        - 'Parameters': ignore
        - 'State': ignore
        - '*': warn nocontext # This is default params for not missing entries
	- ‘Microsoft-Windows-Backup/Operational’: all nocontext

Did this and restarted the service, but I don't get anything new discovered.
Thanks for help

Actually, the configuration I shared made my checkmk service eat 15% CPU constantly and time out on result execution. I guess I did something wrong. :)

I think you need the entry on the right indent.

This must be set to yes for such log files.

The indent is OK, it was just wrongly formatted by the forum.
I set vista_api to yes, but still, when I initialize a full service scan from the CheckMK site, the agent service on the target machine constantly eats 15% of CPU and returns no result to the core.

Hi Leo,

not sure if the solution is in there, but @robin.gierse just did a video on monitoring custom log files on Windows: Episode 38: Monitoring Windows Event Log and Custom Log Files with Checkmk - YouTube

Best
Elias

Example from one of my servers.
There I need to monitor the print service log.

logwatch:
  enabled: true
  logfile:
  - system: warn nocontext
  - application: warn nocontext
  - Microsoft-Windows-PrintService/Admin: warn nocontext
  - '*': off context
  sendall: false
  skip_duplicated: true
  vista_api: true

Result inside CMK is then

The problem in your example is possibly the single quotes.

OK, I copy-pasted your file and added my logs. For Cobian it's OK, I can see it in the core. But the Backup, no way, it's not getting discovered. Am I missing something?

Hello,
I tried as per your example with the Print log on a different server. That works well, the Print log is shown immediately.
However, the Backup log has the same result on another server - nothing shown in core.
Any idea?
thx

Pay attention.
[image] vs. [image]
This comes from the point that inside the “Backup” folder there is only one log file. In this case there is no “/Operational” as suffix.
The print service folder has two log files inside. To see the real path name make a right click on the wanted log file and select the properties.

2 Likes
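An added example, not part of any post in this thread: a small Python check for the three things the replies point at in a logwatch `logfile:` list (tab indentation, curly quotes, and a channel name that does not exist on the host). The function name and both samples are constructed for illustration; on a real host the channel list would come from `wevtutil el`.

```python
import re

# Constructed sample: channel names as `wevtutil el` might list them on the host.
SAMPLE_CHANNELS = [
    "Application",
    "System",
    "Microsoft-Windows-PrintService/Admin",
    "Microsoft-Windows-PrintService/Operational",
    "Microsoft-Windows-Backup",
]

# Constructed sample of a logwatch "logfile:" list (escapes: tab, curly quotes).
SAMPLE_ENTRIES = (
    "  - application: warn nocontext\n"
    "  - '*': off context\n"
    "\t- \u2018Microsoft-Windows-Backup/Operational\u2019: all nocontext\n"
    "  - Microsoft-Windows-PrintService/Admin: warn nocontext\n"
)

ENTRY = re.compile(r"^(\s*)-\s+(.+?):\s+\w+")
CURLY = "\u2018\u2019\u201c\u201d"


def lint_logfile_entries(text, channels):
    """Return (line number, finding, detail) tuples for suspicious entries."""
    known = {c.lower() for c in channels}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue
        indent, name = m.groups()
        if "\t" in indent:
            findings.append((lineno, "tab-indent", "YAML indentation must use spaces"))
        if any(q in name for q in CURLY):
            findings.append((lineno, "curly-quote", "use plain ' or no quotes"))
        bare = name.strip(CURLY + "'\"")
        if bare == "*" or bare.lower() in known:
            continue
        # Suggest channels that share the part before any "/" suffix.
        base = bare.split("/")[0].lower()
        hint = [c for c in channels if c.split("/")[0].lower() == base]
        findings.append((lineno, "unknown-channel", hint))
    return findings


if __name__ == "__main__":
    for finding in lint_logfile_entries(SAMPLE_ENTRIES, SAMPLE_CHANNELS):
        print(finding)
```
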

Right, problem solved! I was taking the name from a log entry, where it says /Operational.
Thanks!
