I am struggling to understand how the Event Console works.
I set up a default (with the first two boxes checked) rule to enable Log Forwarding for my test case.
I added three rules (for a Windows client), literally just for "Error: (.*)", "Warning: (.*)", and "Information: (.*)" (with no other changes to the rules) just to get a sense of how it works.
(etc)
Yesterday it found (and never cleared) one Error (there are a few more on the box since then) and overnight found some 40-odd Information lines, but only from "Security", and only Audit Failures (designating everything CRIT).
On the box though, there were thousands of Information logs from the “Security” event log in that time (as is always the case with Windows). There were a couple of hundred “System” information logs, and a handful of errors as well, and in “Applications” a handful of warning and information logs.
None of that stuff seemed to be anywhere in the Event Console on checkmk though (not that I want it all really, I just want to understand how it works and why I do not now see it).
Figuring that I did something wrong, I rolled back my snapshot to before I enabled all this (yesterday) to walk back through my steps (this time making the rule pack before making the log forwarding rule), and this iteration has forwarded no logs at all.
Are these not forwarded because the checkmk client “knows” that it forwarded them already and new ones will be?
How far back does that first enabling forward over and what prevents the Event Console from displaying it all? (There are probably 100,000 Windows event logs or more on the box.)
Does checkmk read only the text (and compare that to the rule) or does it include this stuff:
(Conspicuously, the audit failure logs do have the word "information" in the text, in addition to their "Level" being Information, but this error-level log does not otherwise contain the word "error".)
Why aren’t any Application logs (apparently) forwarded in either iteration?
The training/manual mentions that rule packs can be exported. Does anyone have a sort of “Standard for Windows” rule pack they could share?
Thanks.
RJD
checkmk 2.2.0.p24 (raw)
ubuntu 22.04
Log Forwarding Forwarded 0 messages
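The point raised above about whether the rule sees the event's Level or only its text can be checked in isolation. The following script is an added example, not Checkmk's code and not a description of how the Checkmk Windows agent formats forwarded messages; the sample events are constructed, and the "<Level>: <text>" line used by the second function is an assumption made for the comparison. It applies the three patterns from the post as unanchored regexes to the message body, which is why the logon audit events (whose body carries the literal "Detailed Authentication Information:") are caught while a System event that is merely at Information level, or an Error-level event whose body never says "Error:", is not. It then shows the same patterns applied to a level-prefixed line, and a rule keyed to the event text you actually want to alert on.

```python
import re
from typing import NamedTuple


class Event(NamedTuple):
    level: str      # Windows "Level" column: Information / Warning / Error
    channel: str    # Security / System / Application
    event_id: int
    text: str       # the message body


# Constructed sample events (not captured from a real host). The 4624/4625
# bodies mirror the "Detailed Authentication Information:" section that real
# logon events carry, which is the literal an "Information: (.*)" rule finds.
SAMPLE_EVENTS = [
    Event("Information", "Security", 4625,
          "An account failed to log on. Logon Type: 3. "
          "Detailed Authentication Information: Logon Process: NtLmSsp"),
    Event("Information", "Security", 4624,
          "An account was successfully logged on. Logon Type: 2. "
          "Detailed Authentication Information: Logon Process: User32"),
    Event("Information", "System", 7036,
          "The Windows Update service entered the running state."),
    Event("Error", "System", 7034,
          "The Foo service terminated unexpectedly. It has done this 1 time(s)."),
    Event("Warning", "Application", 1530,
          "Windows detected your registry file is still in use by other "
          "applications or services."),
]

# The three patterns from the post, exactly as configured.
POST_RULES = ["Error: (.*)", "Warning: (.*)", "Information: (.*)"]


def match_by_text(events, patterns):
    """Search each pattern in the message body only (first matching rule wins).
    Returns {pattern: [event_ids]} so it is easy to see what each rule caught."""
    hits = {p: [] for p in patterns}
    for ev in events:
        for p in patterns:
            if re.search(p, ev.text):
                hits[p].append(ev.event_id)
                break
    return hits


def match_by_level(events, patterns):
    """Same patterns applied to an assumed "<Level>: <text>" line, anchored at
    the start, so the Level column decides rather than a word in the body."""
    hits = {p: [] for p in patterns}
    for ev in events:
        line = f"{ev.level}: {ev.text}"
        for p in patterns:
            if re.match(p, line):
                hits[p].append(ev.event_id)
                break
    return hits


if __name__ == "__main__":
    print("text-only matching:", match_by_text(SAMPLE_EVENTS, POST_RULES))
    print("level-prefixed matching:", match_by_level(SAMPLE_EVENTS, POST_RULES))
    # A rule keyed to the event you care about, instead of a level word:
    print("failed logons only:",
          match_by_text(SAMPLE_EVENTS, ["An account failed to log on"]))
```

With text-only matching, only the two Security logon events land in the "Information: (.*)" bucket and the Error and Warning rules catch nothing; with the level-prefixed line every event is classified by its Level. The last call shows the practical alternative for a Security use case: a pattern on the event text ("An account failed to log on") selects the audit failures and nothing else, independent of which generic words happen to appear in other events.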