I’m using Logwatch to catch messages in the secure log on Linux hosts. There are only a few patterns configured, but the logfile itself can get pretty big.
I then get the (critical) message “unacknowledged messages have exceeded max size, new messages are dropped (limit 500000 Bytes)”
The filesize (plugin config) is already set to ~600MB. In WATO config I adapted the “Maximum number of cached log messages” value in the Monitoring Core section by a factor of 10 and ended up setting it to ‘0’. This doesn’t make any difference, I still get the critical message.
Am I missing some other parameter that must be adjusted? Does the agent or the monitoring core generate this message? My guess is the latter.
Hi, thanks for the answer. That would mean I need to configure remote logging on each client, right? Or does mk_logwatch just forward all messages to EC?
Apart from this solution, is logwatch not working properly? I have no issues with smaller logfiles - just need to adjust the default(?) value somewhere.
I think what is being suggested is to route your log messages syslog style to your checkmk monitor, assuming you’ve enabled syslog, and do the rules on the messages sent via the EC.
Don’t get me wrong, I totally appreciate your suggestion and I will definitely have a look into this option as it looks very interesting, but why do I need the reroute to EC if Logwatch itself does the job? If it’s not made to process bigger logs - in the end the amount the agent transfers does not differ either way - well, I will consider using EC for production. Is Logwatch (without EC) not able to handle bigger logs?