Hello All,
Check_MK Version: 2.1.0P9
I would like to know if with Check_MK we can monitor events from the event viewer.
Regards.
Vix
Yes the agent can do this.
You can watch this video
Sadly there is no manual article about the configuration possibilities of the “logwatch” section inside the Windows agent configuration. Only the examples inside the YAML file. (check_mk.user.yml) → something to do for @mschlenker
The same problem: the documentation for mk_logwatch does not exist.
May try the below link. It’s quite old but might help.
Here’s some old posts - some are from me but I guess my account isn’t linked correctly to my old one: [Check_mk (english)] Windows Event log alerting
You can monitor events, and this was outlined a bit in the beginner guide. I have a copy of it and can share that if needed. Else I can walk you through some of what I’ve done in the past. I ignore most of the noise from the log files and report on what I want from them.
It takes a bit of babysitting initially because you’re going to get a few Event alerts, but once you filter what you don’t want and what you do want, they become useful.
The caveat is that you have to clear them a lot because you’re only going to get one event per log that gets reported. You won’t keep getting alerts on new stuff until you clear the previous alert.
I will say, I also don’t use the agent config files, ever. For me it just seems too cumbersome if you’re using CRE and then having to go to every single server and manipulate the old ini files, the new yaml files, etc.
I simply make rules in WATO and define the servers in there and that’s it. It’s one place to edit.
That’s right, but for Windows Eventlogs, which is what @VIX wanted, you need to make the right configuration inside the YAML file.
And for these config options there is no real documentation besides the examples inside the file.
Maybe we’re talking about separate things then.
I monitor events from Log System and Log Security for example, and I never ever configure anything on the server agent.
Every Log file that Check_MK natively detects on all versions starting from 1.2 allowed for detecting events inside WATO without ever having to configure anything in the INI or YAML files of the server agent itself.
So if @VIX was looking to find out if the Log System was reporting a (?i)predictive disk failure, all you would need to do is configure this in WATO, not on the server agent config file.
Is mostly 99.9% informational messages, also the really important ones, but transferred without configuration are only warn or crit events.
I would strongly recommend switching off all log files not needed inside the monitoring via the config file. The reason is that Windows event log processing is one of the most time-consuming parts of the CMK agent.
For the Log System and Log Application I would do it the same way as you described.
But also here I normally switch off the context transfer via config.
Besides these old Windows log files you need to configure the newer types of log files like → Microsoft-Windows-PrintService/Admin
These types of logs contain most of the relevant information on modern systems.
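A sketch of the agent-side setup described in the post above, added here as an example and not taken from the thread or from the Checkmk documentation. The key names follow the commented `logwatch` examples shipped in `check_mk.user.yml`; the levels chosen per log are assumptions to adapt.

```yaml
# check_mk.user.yml on the Windows host (added example, not from the thread)
logwatch:
  enabled: yes
  sendall: no          # do not forward every event log the agent finds
  vista_api: yes       # assumption: newer API, used for channel-style logs
  logfile:
    # classic logs: only warn/crit entries, context transfer switched off
    - 'System': warn nocontext
    - 'Application': warn nocontext
    # newer channel-style log named in the post
    - 'Microsoft-Windows-PrintService/Admin': warn nocontext
    # catch-all: any log not listed above (Security included) is not sent;
    # list a log explicitly before this line if it is needed
    - '*': off
```

Filtering for specific message text, such as the `(?i)predictive disk failure` pattern mentioned earlier in the thread, is still done in the WATO rules on the server side.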
True - I only monitor this logfile if I am looking for a specific instance of something. Else, I don’t monitor this file at all. Just if I’m looking for the next instance of something in real-time and want to see it quickly. Else I only look at the System one for a small sub-set of text strings.
And yeah like you said on the newer types - most times I don’t monitor them either haha, but I should because there’s a lot that server admins miss that Checkmk can report on.
There’s never enough time