Logwatch - Messages have exceeded max size. Checkmk RAW 1.6.0p7

Hi, I am getting the below message on the hosts and services problems page.

CRIT - unacknowledged messages have exceeded max size, new messages are dropped (limit 488.28 kB)

I was wondering if anyone knew of a way to increase the limit? I can't find anything that works for this version of raw.

Thanks in advance

You can configure this inside WATO, but it is better to clear the logs, as I don’t know anyone reading more than 500kB of error logs manually :slight_smile:

How do you configure inside WATO?

I can't see where this is done - I only want to increase it a small amount so we don't lose anything when someone isn't clearing it out :slight_smile:

Sorry it is one of the very old options only configurable inside the main.mk file.
The option you can configure has the name “logwatch_max_filesize”. The default value is 500000, which translates to 488 kB.

Just a little bit more on this. So, logwatch “count” starts at a match (can even be an “OK” green match). From there on, every line is captured (line counts) in case there is a change of state.

In other words, as long as no message matches for a log, nothing gets counted.

If you have a very chatty log (typical of Windows, but can really be bad with products like Netwrix adding to the chat), then once a match is found and count starts, it can fill up really fast (if the log is very chatty with messages). You can exceed max size quickly, even if you bump it up considerably in certain cases.

So, with that said, we switched away from using logwatch for Windows hosts and use Logwatch Event Console Forwarding instead. You handle things differently though when things are coming to the Event Console. Has its pros and cons (but mostly pro for us anyhow). Because even with a “firehose” like style (events), we still get a lot of chat from the Windows hosts, so we bulk the messages for notification rather than hammering notifications out (though we do pass them individually to our MS Teams firehose channel).
