Event syslog rule for expected regular messages

How do I make an event rule that will set the error state only when x messages matching the filter are not received in y amount of time?

Using Checkmk Raw Edition 2.4.0p15

Here

Setup \ Events \ Event Console rule packs \ Rule pack my_pack

I tried this

Matching criteria
Text to Match: [my_criteria]
Match host: [my_host]
Outcome & Action
Rule type: Normal Operation
State: CRIT
Counting & Timing
Expect regular messages: 1 msg per day

But for the matching criteria it will generate a CRIT state even if messages are received within the expected time frame.

Fortunately, the Events service for those hosts seems unaware of these Event Console events, so the service state stays OK (as I want it, since regular messages were received during the set time limit)

But the strange thing is that the Event console is actually generating unexpected CRIT states:

Why is the Event console generating CRIT state events at all in these cases?

Hi.

What’s your criteria? You need to detect the exact match of the incoming message. If something is different, the rule will not work. You can work with matching groups to create a unique key. Use matching groups on the dynamic information.

RG, christian

Hi @ChristianM

The generated events do match the filter criteria.

But in the rules I also enabled the “Expect regular messages” set at 1 per day.

With that setting I would expect the CRIT event\state to be generated only if no matching messages are received in a day.

See my next posts for more details.

The rule works as expected when no messages are received in the expected time frame.

To test it, I set “Expected regular messages” to 1 per 5 minutes, during which no matching messages were received.

And as expected, the Events service for the host goes to CRIT

And clicking on the loudspeaker, the message shown is clear:

(a very minor issue is that to have the host field correctly populated for this event I had to enable “Rewrite host name” in the rule, otherwise it’s empty)

Now the remaining issue is the behavior of this rule when the expected messages ARE received within the set time limit: see next post.

The rule does NOT work as expected when messages are received in the expected time frame.

To test it I set “Expect regular messages” at 1 per 5 minutes and I sent 4 test messages very rapidly.

Fortunately, the Events service of the host stays in the OK state.

But clicking on the loudspeaker, it will show the unexpected CRIT event, with a note that “This event has not reached the target count yet”:

Why is Checkmk creating a CRIT event at all, and how can the target count not be reached yet if I sent 4 messages very rapidly while the rule is expecting 1 message per 5 minutes?