Hello Thomas and all
I’ve a collection for my example CFG, maybe you can use it:
# ================================================================================================================================
# mk_logwatch.cfg
# This file configures mk_logwatch.
# ================================================================================================================================
# Documentation/Examples:
# https://github.com/tribe29/checkmk/blob/master/agents/cfg_examples/logwatch.cfg
# https://linuxthrill.blogspot.com/2016/04/how-checkmk-monitors-logfiles.html
#
# Parameter examples:
# ---------------------------
# I = Informational
# W = Warning
# C = Critical
#
# nocontext=1/0/True/False/Yes/No
# maxlines=1000
# maxtime=3
# overflow=W/C/I
# maxlinesize=2000
# maxfilesize=400
# maxoutputsize=500000
# maxcontextlines=3,4
# encoding=utf-16/utf-16be/utf-8
# fromstart=True/False
#
# mk_logwatch.pylint
# -----------------------------
#class Options(object):  # pylint: disable=useless-object-inheritance
#    """Options w.r.t. logfile patterns (not w.r.t. cluster mapping)."""
#    MAP_OVERFLOW = {'C': 2, 'W': 1, 'I': 0, 'O': 0}
#    MAP_BOOL = {'true': True, 'false': False, '1': True, '0': False, 'yes': True, 'no': False}
#    DEFAULTS = {
#        'encoding': None,
#        'maxfilesize': None,
#        'maxlines': None,
#        'maxtime': None,
#        'maxlinesize': None,
#        'regex': None,
#        'overflow': 'C',
#        'nocontext': None,
#        'maxcontextlines': None,
#        'maxoutputsize': 500000,  # same as logwatch_max_filesize in check plugin
#        'fromstart': False,
#    }
#
# The options have the following meanings:
#================================================
#maxlines (2) the maximum number of new log messages that will be parsed in one turn in this logfile
#
#maxtime (2) the maximum time in seconds that will be spent parsing the new lines in this logfile
#
#overflow (1) When either the number of lines or the time is exceeded, an artificial logfile message
# will be appended, so that you will be warned. The class of that message is per default C,
# but you can also set it to W or I. Setting overflow=I will silently ignore any succeeding
# messages. If you leave out this option, then a C is assumed.
#
#nocontext This option can be used to disable processing of context log messages, which occur together
# with a pattern matched line. To disable processing, add nocontext=1 as option.
#
#
#maxcontextlines https://lists.mathias-kettner.de/pipermail/checkmk-commits/2019-November/030352.html
# If the plugin mk_logwatch is configured to send context along with found messages,
# the amount of data can become quite large. This werk adds the option of limiting
# the context given for every warning or critical message to a given number of lines
# before and after the message. For instance, to limit the context to 3 lines before
# and four lines after the message, set the option "maxcontextlines=3,4".
#
#
#maxlinesize The maximum number of characters that are processed of each line of the file. If a line is
# longer than this, the rest of the line is being truncated and the word [TRUNCATED] is being
# appended to the line. You can filter for that word in the expressions if you like.
#
#maxfilesize The maximum number of bytes the logfile is expected to be in size. If the size is exceeded,
# then once there is created an artificial logfile message with the classification W. The text
# of this warning will be: Maximum allowed logfile size (12345 bytes) exceeded. You cannot do
# any classification of this line right in the configuration of the plugin. If you need a
# reclassification then please do this on the Check_MK server.
#
#maxoutputsize the value of 500000 has been the same in both cases; maxoutputsize limits the bytes that are sent by a single execution of the plugin
#
#fromstart https://lists.mathias-kettner.de/pipermail/checkmk-commits/2019-July/027904.html
# process new files from the beginning
# If a new logfile is found we usually skip to its end to avoid processing ancient log messages.
# You can now configure mk_logwatch to start processing the file from the beginning and see all
# messages that may already be present.
#
# To enable this behaviour, either set the corresponding flag in the agent bakery rule, or add
# 'fromstart=True' to your configuration file.
#
#
#Note (1): when the number of new messages or the processing time is exceeded, the non-processed new log
# messages will be skipped and not parsed even in the next run. That way the agent always keeps
# in sync with the current end of the logfile. From that follows that you might have to manually
# check the contents of the logfile if an overflow happened. We propose letting the overflow level set to C.
#Note (2): It is not necessary to specify both maxlines and maxtime. It is also allowed to specify only one
# limit. The default is not to impose any limit at all.
#-----------------------------------------------------------------------------------------------------------------------
#/var/log/foobar.log maxlines=10000 maxtime=3 overflow=W nocontext=True
# C critical.*error
# W warning.*something
# I ignore.*some.*thing
# O ok.*rest
# ================================================================================================================================
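
As an added example (not part of the original post and not mk_logwatch's own code), here is a small audit of a logwatch.cfg-style file for the settings the option descriptions above single out: no maxlines/maxtime limit, overflow=I, and context enabled without maxcontextlines. The reader is simplified and assumes pattern lines are indented; `parse_cfg`, `audit`, and the sample paths and patterns are constructed for illustration.

```python
# Value map copied from the Options class quoted in the post above.
MAP_BOOL = {'true': True, 'false': False, '1': True, '0': False, 'yes': True, 'no': False}
LEVELS = {'C', 'W', 'I', 'O'}

# Constructed sample configuration, not taken from the post.
SAMPLE_CFG = """\
/var/log/auth.log maxlines=10000 maxtime=3 overflow=I nocontext=True
 C authentication failure
 W invalid user
/var/log/app/*.log
 C critical.*error
 I ignore.*some.*thing
"""

def parse_cfg(text):
    """Simplified reader: returns a list of (globs, options, patterns) stanzas."""
    stanzas = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue  # blank line or comment
        if raw[0].isspace():  # indented line: "<level> <regex>"
            level, _, regex = raw.strip().partition(' ')
            if level in LEVELS and stanzas:
                stanzas[-1][2].append((level, regex.strip()))
            continue
        # Header line: file globs followed by key=value options.
        globs = [t for t in raw.split() if '=' not in t]
        opts = dict(t.split('=', 1) for t in raw.split() if '=' in t)
        stanzas.append((globs, opts, []))
    return stanzas

def audit(stanzas):
    """Return (logfile, finding) pairs for settings that can hide or bloat output."""
    findings = []
    for globs, opts, _patterns in stanzas:
        name = ' '.join(globs)
        if 'maxlines' not in opts and 'maxtime' not in opts:
            findings.append((name, 'no maxlines/maxtime: no limit on lines parsed per run'))
        elif opts.get('overflow', 'C').upper() == 'I':
            findings.append((name, 'overflow=I: lines skipped after the limit are dropped silently'))
        context_off = MAP_BOOL.get(opts.get('nocontext', '').lower()) is True
        if not context_off and 'maxcontextlines' not in opts:
            findings.append((name, 'context enabled without maxcontextlines'))
    return findings

if __name__ == '__main__':
    for name, msg in audit(parse_cfg(SAMPLE_CFG)):
        print(f'{name}: {msg}')
```
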