Documentation: mk_logwatch?

JPH · September 3, 2021, 7:51am

Hello all

I’m looking for an actual Checkmk documentation page for all the parameters we can use for mk_logwatch/logwatch.cfg.
Has anybody an link for me?

I found only this summary:

But I need something official from Checkmk for our customers.

Please let me know.

Thanks
Jan-Philipp

r.sander · September 3, 2021, 8:39am

Unfortunately there is seldom a complete documentation of an agent plugin’s configuration options available. The best thing is to look at the plugin code and figure it out.

github.com

tribe29/checkmk/blob/master/agents/plugins/mk_logwatch.py#L17

    
      
          This is the Check_MK Agent plugin. If configured it will be called by the
          agent without arguments.
          
          
Options:
              -d               Debug mode: Colored output, no saving of status.
              -c CONFIG_FILE   Use this config file
              -h               Show help.
              --no_state       No state
              -v               Verbose output for debugging purposes (no debug mode).
          
          
You should find an example configuration file at
          '../cfg_examples/logwatch.cfg' relative to this file.
          """
          
          
# this file has to work with both Python 2 and 3
          # pylint: disable=super-with-arguments
          
          
from __future__ import with_statement
          
          
__version__ = "2.1.0i1"

has a line that references a example configuration file:

github.com

tribe29/checkmk/blob/master/agents/cfg_examples/logwatch.cfg

# Copyright (C) 2019 tribe29 GmbH - License: GNU General Public License v2
# This file is part of Checkmk (https://checkmk.com). It is subject to the terms and
# conditions defined in the file COPYING, which is part of this source code package.

# logwatch.cfg
# This file configures mk_logwatch. Define your logfiles
# and patterns to be looked for here.

# Name one or more logfiles, and the options to be applied (if any)
"/var/log/messages" maxlinesize=1024 encoding=utf-8
# Patterns are indented with one space are prefixed with:
# C: Critical messages
# W: Warning messages
# I: ignore these lines (OK)
# R: Rewrite the output previous match. You can use \1, \2 etc. for
#    refer to groups (.*) of this match
# The first match decides. Lines that do not match any pattern
# are ignored
 C Fail event detected on md device
 I mdadm.*: Rebuild.*event detected

This file has been truncated. show original

JPH · September 3, 2021, 8:48am

Hello Robert

Thanks, but the problem is that the normal user has no access to the example files.
Our customer has ask for a official documentation here:

Best regards
Jan-Philipp

JPH · September 3, 2021, 9:34am

I found another undocumented parameter which we used in the old Windows check_mk.ini:
rotatded - which defines a log which has a changing name: "textfile = nocontext rotated D:\XXXXX\log\YYYYY\20??-??-??.log "

How is this handled by mk_logwatch?
I that parameter as well available for the Windows logwatch.cfg?

r.sander · September 3, 2021, 9:39am

@fayepal and @martin.hirschvogel may have a look at that.
Currently the only documentation for most of the agent plugins is in the source code itself.

JPH · September 3, 2021, 9:41am

Thank Robert!
So we’ve to try it and write our own documentation for the customer.

thkos · September 13, 2021, 3:38pm

We are aware that information on logwatch is missing in the Checkmk User guide.
A new article is already planned.
We will start on it soon, but I cannot provide currently a date.
Best regards
Thomas

JPH · September 13, 2021, 3:43pm

Hello Thomas an all

I’ve a collection for my example CFG, maybe you can use it:

# ================================================================================================================================
# mk_logwatch.cfg
# This file configures mk_logwatch.
# ================================================================================================================================
# Documentaion/Examples: 
# https://github.com/tribe29/checkmk/blob/master/agents/cfg_examples/logwatch.cfg
# https://linuxthrill.blogspot.com/2016/04/how-checkmk-monitors-logfiles.html
#
# Parameter examples:
# ---------------------------
# I = Informational
# W = Warning
# C = Critical
#
# nocontext=1/0/True/False/Yes/No
# maxlines=1000	
# maxtime=3
# overflow=W/C/I             
# maxlinesize=2000
# maxfilesize=400
# maxoutputsize=500000
# maxcontextlines=3,4
# encoding=utf-16/utf-16be/utf-8
# fromstart=True/False
#
# mk_logwatch.pylint
# -----------------------------
#class Options(object):  # pylint: disable=useless-object-inheritance
#    """Options w.r.t. logfile patterns (not w.r.t. cluster mapping)."""
#    MAP_OVERFLOW = {'C': 2, 'W': 1, 'I': 0, 'O': 0}
#    MAP_BOOL = {'true': True, 'false': False, '1': True, '0': False, 'yes': True, 'no': False}
#    DEFAULTS = {
#        'encoding': None,
#        'maxfilesize': None,
#        'maxlines': None,
#        'maxtime': None,
#        'maxlinesize': None,
#        'regex': None,
#        'overflow': 'C',
#        'nocontext': None,
#        'maxcontextlines': None,
#        'maxoutputsize': 500000,  # same as logwatch_max_filesize in check plugin
#        'fromstart': False,
#    }
#
# The options have the following meanings:
#================================================
#maxlines	(2) the maximum number of new log messages that will by parsed in one turn in this logfile
#
#maxtime	(2) the maximum time in seconds that will be spent parsing the new lines in this logfile
#
#overflow	(1) When either the number of lines or the time is exceeded, an artificial logfile message 
#           will be appended, so that you will be warned. The class of that message is per default C,  
#           but you can also set it to W or I. Setting overflow=I will silently ignore any succeeding 
#           messages. If you leave out this option, then a C is assumed.
#            
#nocontext	This option can be used to disable processing of context log messages, which occur together 
#           with a pattern matched line. To disable processing, add nocontext=1 as option.
#
#
#maxcontextlines https://lists.mathias-kettner.de/pipermail/checkmk-commits/2019-November/030352.html
#                If the plugin mk_logwatch is configured to send context along with found messages,
#                the amount of data can become quite large. This werk adds the option of limiting
#                the context given for every warning or critical message to a given number of lines
#                befor and after the message. For instance, to limit the context to 3 lines before
#                and four lines after the message, set the option "maxcontextlines=3,4".
#                
#            
#maxlinesize The maximum number of characters that are processed of each line of the file. If a line is 
#            longer than this, the rest of the line is being truncated and the word [TRUNCATED]is being 
#            appended to the line. You can filter for that word in the expressions if you like.
#            
#maxfilesize The maximum number of bytes the logfile is expected to be in size. If the size is exceeded, 
#            then once there is created an artificial logfile message with the classification W. The text 
#            of this warning will be: Maximum allowed logfile size (12345 bytes) exceeded. You cannot do 
#            any classification of this line right in the configuration of the plugin. If you need a 
#            reclassification then please do this on the Check_MK server.
#
#maxoutputsize  the value of 500000 has been the same in both cases, the maxoutputsize is limits the bytes that are sent by a single execution of the plugin
#
#fromstart  https://lists.mathias-kettner.de/pipermail/checkmk-commits/2019-July/027904.html
#           process new files from the beginning
#           If a new logfile is found we usually skip to its end to avoid processing ancient log messages.
#           You can now configure mk_logwatch to start processing the file from the beginning and see all
#           messages that may already be present.
#           
#           To enable this behaviour, either set the corresponding flag in the agent bakery rule, or add
#           'fromstart=True' to your configuration file.
#           
#
#Note (1):  when the number of new messages or the processing time is exceeded, the non-processed new log 
#           messages will be skipped and not parsed even in the next run. That way the agent always keeps 
#           in sync with the current end of the logfile. From that follows that you might have to manually  
#           check the contents of the logfile if an overflow happened. We propose letting the overflow level set to C.
#Note (2): It is not neccessary to specify both maxlines and maxtime. It also allowed to specify only one 
#          limit. The default is not to impose any limit at all.
#-----------------------------------------------------------------------------------------------------------------------
#/var/log/foobar.log maxlines=10000 maxtime=3 overflow=W nocontext=True
# C critical.*error
# W warning.*something
# I ignore.*some.*thing
# O ok.*rest
# ================================================================================================================================

thkos · September 13, 2021, 4:09pm

Looks good, thanks a lot!

system · September 13, 2022, 4:10pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.