I am trying to use logfile patterns with WATO … with no success.
I monitor Windows hosts and, as an example, would like to ignore (or ok) all messages “CRIT - unacknowledged messages have exceeded max size, new messages are dropped (limit 500000 Bytes)”.
So I defined a simple rule (see below) with “unacknowledged messages have exceeded max size, new messages are dropped” as pattern and set “CRITICAL” in the state.
Then I reclassify Critical state to OK.
When I test with analyzer it seems ok.
But then all those log lines are still critical, they do not switch to OK.
This is not a log message that is collected from the host but a critical
error generated on the monitoring server to tell you that there are too
many log messages in the cached logfile.
Thus it cannot be reclassified.
Regards
--
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin
Tel: 030 / 405051-43
Fax: 030 / 405051-19
Zwangsangaben lt. §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin
Hi Robert,
Of course you are right... it is not an event viewer error.
Anyway, is there a simple solution (I would prefer with WATO) to ignore automatically all logfile critical/warning messages (application, security, system, ...)?
I would like to deactivate for a while all alerts concerning Windows logfiles.
Regards
Stephane
in the [logwatch] section of the agent's check_mk.ini.
Regards
You can still increase the size for all valid rules.
If you want to ignore all of them for a while, then make a rule to ignore them via WATO as described in the beginner guide from Marco, page 40.
Create 1 rule for each log file to ignore and then move the rule (even if temporarily) to the top. The line should simply be an ignore line with a blank pattern.
Now nothing will WARN or CRIT until you move them or remove them.
Just create a logwatch rule for Windows hosts that reclassifies all entries as OK (.*)
You can keep that as the fallback rule and add less specific rules before it to catch
log entries you want to know about.
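The ordering advice in the replies above, as an added example (not part of any post in the thread and not Checkmk's own code): a simplified Python model that assumes the first matching pattern decides an entry's state and that the size-limit check runs outside the patterns, as the thread describes. The function names, rule tuples and sample entries are constructed for illustration.

```python
import re

# Simplified model of first-match log reclassification (an assumption for
# illustration, not Checkmk's implementation).
# States: "O" ok, "W" warning, "C" critical, "I" ignore.
MAX_UNACKED_BYTES = 500000  # limit quoted in the thread's error message
SEVERITY = {"I": 0, "O": 0, "W": 1, "C": 2}


def classify(line, rules, default):
    """Return the state of the first rule whose regex matches the line."""
    for state, pattern in rules:
        if re.search(pattern, line):
            return state
    return default  # no rule matched: keep the state the agent reported


def service_state(entries, rules, stored_bytes=0):
    """Worst state over all entries; entries are (agent_state, text) pairs."""
    # The size check happens on the monitoring server and never passes
    # through the pattern rules, so no pattern can reclassify it.
    if stored_bytes > MAX_UNACKED_BYTES:
        return "C"
    states = [classify(text, rules, agent_state) for agent_state, text in entries]
    worst = max(states, key=SEVERITY.get, default="O")
    return "O" if SEVERITY[worst] == 0 else worst


# Constructed sample entries (not taken from a real host).
ENTRIES = [
    ("C", "Application Error: faulting module example.dll"),
    ("W", "Security: account lockout for user svc-backup"),
]

# Catch-all at the top: every entry becomes OK, later rules are never reached.
CATCH_ALL_FIRST = [("O", r".*"), ("C", r"account lockout")]
# Catch-all as the fallback: rules placed before it still raise alerts.
CATCH_ALL_LAST = [("C", r"account lockout"), ("O", r".*")]
# The pattern from the original question, set to OK.
SIZE_PATTERN = [("O", r"unacknowledged messages have exceeded max size")]

if __name__ == "__main__":
    print(service_state(ENTRIES, CATCH_ALL_FIRST))
    print(service_state(ENTRIES, CATCH_ALL_LAST))
    print(service_state([], SIZE_PATTERN, stored_bytes=600000))
```
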
Or, if you don’t want to put in logfile patterns, you can just as easily disable the rules for the log files to begin with. I don’t find one way to be faster than the other, and both are accomplished via WATO.