Documentation: mk_logwatch?

Hello all

I’m looking for an actual Checkmk documentation page for all the parameters we can use for mk_logwatch/logwatch.cfg.
Does anybody have a link for me?

I found only this summary:

But I need something official from Checkmk for our customers.

Please let me know.

Thanks
Jan-Philipp

Unfortunately there is seldom a complete documentation of an agent plugin’s configuration options available. The best thing is to look at the plugin code and figure it out.

has a line that references an example configuration file:

Hello Robert

Thanks, but the problem is that the normal user has no access to the example files.
Our customer has asked for official documentation here:

Best regards
Jan-Philipp

I found another undocumented parameter which we used in the old Windows check_mk.ini:
rotated - which defines a log which has a changing name: "textfile = nocontext rotated D:\XXXXX\log\YYYYY\20??-??-??.log "

How is this handled by mk_logwatch?
Is that parameter also available for the Windows logwatch.cfg?

@fayepal and @martin.hirschvogel may have a look at that.
Currently the only documentation for most of the agent plugins is in the source code itself.

Thanks Robert!
So we have to try it and write our own documentation for the customer.

1 Like

We are aware that information on logwatch is missing in the Checkmk User guide.
A new article is already planned.
We will start on it soon, but I cannot currently provide a date.
Best regards
Thomas

Hello Thomas and all

I’ve a collection for my example CFG, maybe you can use it:

# ================================================================================================================================
# mk_logwatch.cfg
# This file configures mk_logwatch.
# ================================================================================================================================
# Documentation/Examples: 
# https://github.com/tribe29/checkmk/blob/master/agents/cfg_examples/logwatch.cfg
# https://linuxthrill.blogspot.com/2016/04/how-checkmk-monitors-logfiles.html
#
# Parameter examples:
# ---------------------------
# I = Informational
# W = Warning
# C = Critical
#
# nocontext=1/0/True/False/Yes/No
# maxlines=1000	
# maxtime=3
# overflow=W/C/I             
# maxlinesize=2000
# maxfilesize=400
# maxoutputsize=500000
# maxcontextlines=3,4
# encoding=utf-16/utf-16be/utf-8
# fromstart=True/False
#
# mk_logwatch.pylint
# -----------------------------
#class Options(object):  # pylint: disable=useless-object-inheritance
#    """Options w.r.t. logfile patterns (not w.r.t. cluster mapping)."""
#    MAP_OVERFLOW = {'C': 2, 'W': 1, 'I': 0, 'O': 0}
#    MAP_BOOL = {'true': True, 'false': False, '1': True, '0': False, 'yes': True, 'no': False}
#    DEFAULTS = {
#        'encoding': None,
#        'maxfilesize': None,
#        'maxlines': None,
#        'maxtime': None,
#        'maxlinesize': None,
#        'regex': None,
#        'overflow': 'C',
#        'nocontext': None,
#        'maxcontextlines': None,
#        'maxoutputsize': 500000,  # same as logwatch_max_filesize in check plugin
#        'fromstart': False,
#    }
#
# The options have the following meanings:
#================================================
#maxlines	(2) the maximum number of new log messages that will be parsed in one turn in this logfile
#
#maxtime	(2) the maximum time in seconds that will be spent parsing the new lines in this logfile
#
#overflow	(1) When either the number of lines or the time is exceeded, an artificial logfile message 
#           will be appended, so that you will be warned. The class of that message is per default C,  
#           but you can also set it to W or I. Setting overflow=I will silently ignore any succeeding 
#           messages. If you leave out this option, then a C is assumed.
#            
#nocontext	This option can be used to disable processing of context log messages, which occur together 
#           with a pattern matched line. To disable processing, add nocontext=1 as option.
#
#
#maxcontextlines https://lists.mathias-kettner.de/pipermail/checkmk-commits/2019-November/030352.html
#                If the plugin mk_logwatch is configured to send context along with found messages,
#                the amount of data can become quite large. This werk adds the option of limiting
#                the context given for every warning or critical message to a given number of lines
#                before and after the message. For instance, to limit the context to 3 lines before
#                and four lines after the message, set the option "maxcontextlines=3,4".
#                
#            
#maxlinesize The maximum number of characters that are processed of each line of the file. If a line is 
#            longer than this, the rest of the line is truncated and the word [TRUNCATED] is 
#            appended to the line. You can filter for that word in the expressions if you like.
#            
#maxfilesize The maximum number of bytes the logfile is expected to be in size. If the size is exceeded, 
#            then once there is created an artificial logfile message with the classification W. The text 
#            of this warning will be: Maximum allowed logfile size (12345 bytes) exceeded. You cannot do 
#            any classification of this line right in the configuration of the plugin. If you need a 
#            reclassification then please do this on the Check_MK server.
#
#maxoutputsize  the value of 500000 has been the same in both cases, the maxoutputsize limits the bytes that are sent by a single execution of the plugin
#
#fromstart  https://lists.mathias-kettner.de/pipermail/checkmk-commits/2019-July/027904.html
#           process new files from the beginning
#           If a new logfile is found we usually skip to its end to avoid processing ancient log messages.
#           You can now configure mk_logwatch to start processing the file from the beginning and see all
#           messages that may already be present.
#           
#           To enable this behaviour, either set the corresponding flag in the agent bakery rule, or add
#           'fromstart=True' to your configuration file.
#           
#
#Note (1):  when the number of new messages or the processing time is exceeded, the non-processed new log 
#           messages will be skipped and not parsed even in the next run. That way the agent always keeps 
#           in sync with the current end of the logfile. From that follows that you might have to manually  
#           check the contents of the logfile if an overflow happened. We propose leaving the overflow level set to C.
#Note (2): It is not necessary to specify both maxlines and maxtime. It is also allowed to specify only one 
#          limit. The default is not to impose any limit at all.
#-----------------------------------------------------------------------------------------------------------------------
#/var/log/foobar.log maxlines=10000 maxtime=3 overflow=W nocontext=True
# C critical.*error
# W warning.*something
# I ignore.*some.*thing
# O ok.*rest
# ================================================================================================================================
1 Like
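
The option semantics collected above (maxlines, overflow, maxlinesize, nocontext), modelled in a short script. This is an added example, not code from the thread or from the Checkmk plugin. It shows why overflow=I is risky for monitoring: lines past the limit are dropped with no trace. Assumptions: the names `parse_stanza` and `scan` are hypothetical, the first matching pattern wins, unmatched lines count as context and are marked `.`, and the overflow message text is constructed.

```python
import re

# Boolean spellings as quoted from the plugin's Options class in the post above.
MAP_BOOL = {'true': True, 'false': False, '1': True, '0': False, 'yes': True, 'no': False}
INT_OPTS = ('maxlines', 'maxtime', 'maxlinesize', 'maxfilesize', 'maxoutputsize')
OVERFLOW_MSG = '(constructed text) line limit reached, rest of file skipped'

def parse_stanza(text):
    """Return (logfile, options, patterns) for one '<file> opt=val ...' stanza."""
    logfile, patterns = None, []
    opts = {'maxlines': None, 'maxlinesize': None, 'overflow': 'C', 'nocontext': None}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace():                      # indented line: '<level> <regex>'
            level, regex = raw.split(None, 1)
            patterns.append((level, re.compile(regex)))
            continue
        logfile, *pairs = raw.split()             # assumption: no spaces in the path
        for key, _, val in (p.partition('=') for p in pairs):
            if key in INT_OPTS:
                opts[key] = int(val)
            elif key in ('nocontext', 'fromstart'):
                opts[key] = MAP_BOOL[val.lower()]
            elif key == 'overflow' and val in ('C', 'W', 'I'):
                opts[key] = val
            else:                                 # reject typos instead of ignoring them
                raise ValueError('bad option: %r' % p_repr(key, val))
    return logfile, opts, patterns

def p_repr(key, val):
    return key + '=' + val

def scan(lines, opts, patterns):
    """Classify new log lines according to the options described in the post."""
    out = []
    for n, line in enumerate(lines):
        if opts['maxlines'] is not None and n >= opts['maxlines']:
            if opts['overflow'] != 'I':           # overflow=I: nothing is reported
                out.append((opts['overflow'], OVERFLOW_MSG))
            break                                 # remaining lines are never parsed
        if opts['maxlinesize'] and len(line) > opts['maxlinesize']:
            line = line[:opts['maxlinesize']] + ' [TRUNCATED]'
        level = next((lv for lv, rx in patterns if rx.search(line)), None)
        if level is None and opts['nocontext']:
            continue                              # unmatched context line dropped
        out.append((level or '.', line))
    return out

SAMPLE_CFG = ('/var/log/foobar.log maxlines=3 maxlinesize=24 overflow=W nocontext=True\n'
              ' C critical.*error\n W warning.*something\n')   # constructed sample
SAMPLE_LOG = ['critical: write error on volume data01', 'service started',
              'warning: something odd', 'critical: auth error']  # constructed sample
```

With the sample stanza the fourth line, a critical one, is never parsed. Only the artificial W message shows that something was skipped, and with overflow=I even that is gone.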

Looks good, thanks a lot!