Logwatch matching the correct content

Steven1 · December 1, 2022, 1:24pm

2.0.0p29 (RAW)
Ubuntu 18.04.6 LTS

Hi

I am trying to monitor a simple log file that I am creating myself which contains the output of a single ping every 5 minutes.

I copied the mk_logwatch_2.py (system is running python version 2) + chmod 777
I edited the logwatch.cfg + chmod 777
When I execute: cmk -v --detect-plugins=logwatch servername

FETCHING DATA
[TCPFetcher] Execute data source
[ProgramFetcher] Execute data source
PARSE FETCHER RESULTS
Received no piggyback data
Log /var/log/ids.log No error messages

Which means that the logwatch function is working.

My logwatch.cfg file contains the following lines:

#ids.log file
/var/log/ids.log
 C \Destination

My log file contains this:

— 172.18.8.181 ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 25.838/25.838/25.838/0.000 ms

PING 10.10.10.188 (10.10.10.188) 56(84) bytes of data.
From 81.246.57.141 icmp_seq=1 Destination Host Unreachable

— 10.10.10.188 ping statistics —
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
Thu Dec 1 11:50:01 CET 2022
PING 172.18.8.181 (172.18.8.181) 56(84) bytes of data.
64 bytes from 172.18.8.181: icmp_seq=1 ttl=123 time=26.8 ms

What do I need to put in logwatch.cfg to make it pick up that line?
I tried
*Destination
Destination
[Destination]
\wDestination
but nothing seems to work
(I restart my agent after every change with “systemctl restart check_mk.socket”)

Any suggestions?

Steven1 · December 2, 2022, 7:47am

For extra clarity, this is on a Ubuntu client that I am trying this.
I have done the same on many Windows machines, they don’t seem to have this issue.

louis · December 2, 2022, 7:53am

I think you should get rid of the backslash in your logwatch.cfg:

/var/log/ids.log
 C Destination

Steven1 · December 2, 2022, 8:32am

Hey @louis

I changed my stance, instead of breaking my brain about why it doesn’t pick up, I just changed the script to generate a different output that has a number in it, and now it works (matching on the number).

I still don’t understand why it doesn’t want to match on words but no matter wich combination I tried, they all seemed to fail (even your suggestion of removing the "")

Thanks for thinking along!

louis · December 2, 2022, 12:39pm

This is indeed strange. It should have worked matching on words. (It actually matches regular expressions). Well at least glad you found a work-around.

MarcK · December 5, 2022, 11:26am

For regular expression try

.*Destination.*

system · December 5, 2023, 11:27am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.