Does the checkmk agent "know" that it has forwarded logs to the Event Console?

I am struggling to understand how the Event Console works.

I set up a default (with the first two boxes checked) rule to enable Log Forwarding for my test case.

I added three rules (for a Windows client), literally just for "Error: (.*)", "Warning: (.*)", and "Information: (.*)" (with no other changes to the rules) just to get a sense of how it works.


(etc)

Yesterday it found (and never cleared) one Error (there are a few more on the box since then) and overnight found some 40 odd Information lines, but only from “Security”, and only Audit Failures (designating everything CRIT).

On the box though, there were thousands of Information logs from the “Security” event log in that time (as is always the case with Windows). There were a couple of hundred “System” information logs, and a handful of errors as well, and in “Applications” a handful of warning and information logs.

None of that stuff seemed to be anywhere in the Event Console on checkmk though (not that I want it all really, I just want to understand how it works and why I do not now see it).

Figuring that I did something wrong I rolled back my snapshot to before I enabled all this (yesterday) to walk back through my steps (this time making the rule pack before making the log forwarding rule) and this iteration has forwarded no logs at all.


Are these not forwarded because the checkmk client “knows” that it forwarded them already and new ones will be?

How far back does that first enabling forward over and what prevents the Event Console from displaying it all? (There are probably 100,000 Windows event logs or more on the box.)

Does checkmk read only the text (and compare that to the rule) or does it include this stuff:


(conspicuously, the audit failure logs do have the word "information" in the text, in addition to being the "Level" Information, but this error-level log does not otherwise contain the word "error").

Why aren’t any Application logs (apparently) forwarded in either iteration?

The training/manual mentions that rule packs can be exported. Does anyone have a sort of “Standard for Windows” rule pack they could share?

Thanks.

RJD

checkmk 2.2.0.p24 (raw)
ubuntu 22.04

Log Forwarding Forwarded 0 messages

Hi Ron,

the checkmk agent will by default only forward new messages and remembers up to which point it has sent the messages.
So if you do a new installation and no new messages appear, no entries will be sent.

To test and see the events in the event console I would start by adding a catch-all rule with "Text to match": .* and then analyse the messages and especially the format you receive. I assume that your regex does not match the messages that are coming in.
Based on the received messages you can then create your rule packs and rules.

An example of how to monitor your security logs is here :

https://checkmk.atlassian.net/wiki/spaces/KB/pages/9473844/Monitoring+Windows+security+log+with+the+CMK+Event+Console+rule+logwatch
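An added illustration (not code from the thread or from Checkmk) of why the three rules above miss messages and why a catch-all rule is a useful first step: the message texts below are constructed, and it is assumed that only the free text of each event is matched, not the Windows level field.

```python
import re

# Constructed sample message texts, standing in for what the agent forwards.
# Note: the real forwarded line format is an assumption; only free text is matched here.
SAMPLE_MESSAGES = [
    "An account failed to log on. Additional Information: Transited Services: -",
    "The Windows Update service entered the running state.",
    "error: The Print Spooler service terminated unexpectedly.",
    "Warning: disk quota threshold reached on volume C:",
]

# The three rules from the original post, in evaluation order.
LEVEL_RULES = [
    ("Error", r"Error: (.*)"),
    ("Warning", r"Warning: (.*)"),
    ("Information", r"Information: (.*)"),
]

# The catch-all rule suggested in the reply; appended last so it only
# catches what the specific rules did not.
CATCH_ALL_RULE = ("Catch-all", r".*")


def first_matching_rule(text, rules, ignore_case=False):
    """Return the id of the first rule whose regex is found in the text, else None."""
    flags = re.IGNORECASE if ignore_case else 0
    for rule_id, pattern in rules:
        if re.search(pattern, text, flags):
            return rule_id
    return None


def classify(messages, rules, ignore_case=False):
    """Classify every message; None marks a message no rule would have forwarded."""
    return [first_matching_rule(m, rules, ignore_case) for m in messages]


if __name__ == "__main__":
    for label, rules, ic in [
        ("case-sensitive", LEVEL_RULES, False),
        ("case-insensitive", LEVEL_RULES, True),
        ("with catch-all", LEVEL_RULES + [CATCH_ALL_RULE], False),
    ]:
        print(label, classify(SAMPLE_MESSAGES, rules, ic))
```

The second sample (a normal System-log entry) never contains a level word, so only the catch-all rule reveals it; the third shows the lowercase "error" mismatch described later in the thread.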

Thank you.

I have since found that it is sending new events, that it appears only to search the text of the event (not the status and type and such that Windows assigns it) and that my regexes were not taking case into account (Error =/= error in a text search).

The link that you sent looks useful, however I do not see it in my own checkmk (2.2.0p24 raw). I notice that the top of the document describes “Finetune Windows Eventlog monitoring” as a “bakery rule”.

I found my way to this YouTube:

in which Bastian shows the agent bakery in action… I however have none of that stuff:


Do you happen to know if the agent bakery stuff I’d need to differentiate in the way that you suggest is only available in the premium version of checkmk? (I am using raw.)

Thanks.

RJD