Disable logwatch entirely

Hi guys. This is for 1.2.6p16 CEE agent. Windows.
No matter what I do, I keep seeing logwatch logs when I do a “cmk -d HOST”.

I tried:

  1. client side: check_mk.ini, logfile * = off
  2. client side: check_mk.ini, sections = check_mk df uptime (etc. I do not specify logwatch)
  3. server side: ignore logwatch and logwatch groups
    ETC
    ETC

I want to do a cmk -d HOST and not retrieve any event log. Nothing.
I want to lower agent utilization. There are Windows servers, like domain controllers, that process tons of logs per minute.

Any tips, please?
Has anyone accomplished this?

Thanks!

Phew… not sure if anyone remembers 1.2.6 enough, but just to be sure: you restarted the checkmk agent Windows service after you changed the check_mk.ini file?

Every time. Of course. I tried to disable the section even on 1.4 and 1.5. Not working.

Is there anyone who accomplished such a mission impossible? Disable logwatch on the client, entirely, so nothing travels through the wire?

Hm, OK, the “logfile * = off” should be enough, and IIRC that worked in our customer installs…
Do other changes you make in the check_mk.ini take effect?

Really? Please, go to that server, open a cmd and run: check_mk_agent.exe test
Check if it SLOWS down inside logwatch tag. You will see something incredible.

Any hero? Anyone? Any hero?

Test output without any config file.

1086 0 large_rawcount
1088 9 large_rawcount
1090 0 bulk_count
1092 0 bulk_count
1094 8532 large_rawcount
<<<logwatch>>>
[[[Application]]]
[[[Cisco AnyConnect AMP Enabler Module]]]
[[[Cisco AnyConnect Network Access Manager]]]
[[[Cisco AnyConnect Network Visibility Module]]]
[[[Cisco AnyConnect Posture Module]]]
[[[Cisco AnyConnect Secure Mobility Client]]]
[[[Cisco AnyConnect Umbrella Roaming Security Module]]]
[[[Cisco AnyConnect Web Security Module]]]
[[[HardwareEvents]]]
[[[Internet Explorer]]]
[[[Key Management Service]]]
[[[Parameters:missing]]]
[[[Security]]]
[[[State:missing]]]
[[[System]]]
[[[Windows PowerShell]]]
<<<logwatch>>>
<<<>>>

<<<>>>

with the following ini

[global]
    sections = check_mk uptime df ps mem services winperf systemtime plugins local spool fileinfo

output looks like this

1086 0 large_rawcount
1088 1 large_rawcount
1090 0 bulk_count
1092 0 bulk_count
1094 8395 large_rawcount
<<<>>>

<<<>>>
<<<local>>>
<<<systemtime>>>

Both logwatch sections are missing. I think that is what you want. The old agent had no possibility to disable single sections; you had to define all other sections as “wanted”.

Hi Andreas!! Check the capture. FRESH install.

I specified only: check_mk winperf systemtime

It’s bringing everything. Even services, processes. Everything.
I do a “cmk -d Server”, and I see a ton of logs from event viewer.

Please. I really need this.
I have to apply it on 2000 servers.

On 1.4 and 1.5 it does not work either.
Of course, I prefer you to tell me the solution first on 1.2.6. Enterprise edition.

PLEASE.

To me it looks like the ini file is not used at all.
If there is a syntax error inside, then it is ignored completely, I think.

Here again is my complete ini file and the agent output. It is really only the one option set here.

[global]
    # Just output certain sections (e.g. for upper hosts)
    sections = check_mk uptime df ps mem services winperf systemtime plugins local spool fileinfo

output

PS C:\Temp\cmk> .\check_mk_agent.exe test
<<<check_mk>>>
Version: 1.2.6p17
BuildDate: Sep  3 2015
Architecture: 32bit
AgentOS: windows
.....
34 0 large_rawcount
1086 0 large_rawcount
1088 1 large_rawcount
1090 0 bulk_count
1092 0 bulk_count
1094 5612 large_rawcount
<<<>>>

<<<>>>
<<<local>>>
<<<systemtime>>>
1660243654

You see no logwatch section.
If you can show your complete ini file, I can check what it does on my system.

For the love of all the fucking gods.

check_mk_agent → had no extension
check_mk.ini → had “.ini”

I activate the fucking file extensions and…
check_mk_agent.exe
check_mk.ini.ini !!!

I have no words.

I APOLOGIZE X1000.

It works INCREDIBLE.
Thank you all. Thank you Andreas.

1 Like
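
The two checks this thread ended up needing (is the config file really named check_mk.ini, and is logwatch gone from the agent output), as an added PowerShell example that is not part of any post above. `$AgentDir` and the assumption that check_mk.ini sits next to check_mk_agent.exe are placeholders to adjust for your install.

```powershell
# Added example, not from the thread. $AgentDir is an assumption: point it
# at the folder that holds check_mk_agent.exe and check_mk.ini on your host.
param(
    [string]$AgentDir = 'C:\Temp\cmk'
)

# Get-ChildItem reports the real file name, regardless of Explorer's
# "hide extensions for known file types" setting.
$iniLike = Get-ChildItem -LiteralPath $AgentDir |
    Where-Object { -not $_.PSIsContainer -and $_.Name -like 'check_mk*.ini*' }

foreach ($f in $iniLike) {
    if ($f.Name -ieq 'check_mk.ini') {
        Write-Output "OK      $($f.Name)"
    } else {
        # Catches check_mk.ini.ini, check_mk.ini.txt and similar.
        Write-Output "SUSPECT $($f.Name)  (not named exactly check_mk.ini)"
    }
}
if (-not ($iniLike | Where-Object { $_.Name -ieq 'check_mk.ini' })) {
    Write-Warning "No file named exactly check_mk.ini in $AgentDir"
}

# Run the agent's test mode (the command used in this thread) and collect
# the section headers it emits, e.g. <<<logwatch>>>. Empty <<<>>> markers
# and any ":option" suffix after the section name are ignored.
$agent = Join-Path $AgentDir 'check_mk_agent.exe'
$sections = & $agent test |
    Select-String -Pattern '^<<<([^>:]+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique

Write-Output "Sections emitted: $($sections -join ', ')"
if ($sections -contains 'logwatch') {
    Write-Warning 'logwatch is still in the agent output; the sections= line is not in effect.'
} else {
    Write-Output 'logwatch is absent from the agent output.'
}
```

Running this on a host before and after deploying the ini shows whether the agent actually picked the file up, which is worth confirming on a few machines before rolling the change out widely.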
