Logwatch on Text File on Windows

Hey, all.

I’m trying to configure logwatch to read a text file on Windows (C:\temp\text.log). I have configured what seems correct in “C:\ProgramData\checkmk\agent\check_mk.user.yml”:

logwatch:
  enabled: yes

  sendall: no   # this is MANDATORY
  vista_api: no # this is RECOMMENDED
  max_size: 500000 # default value

  # entries in the windows eventlog
  logfile:
    - 'C:\temp\test.log': all context

This doesn’t create any new services in CMK when I do a full scan, nor does it appear in the check output.

I tried checking the documentation, but there doesn’t seem to be anything current and relevant to monitoring files.

Any help is greatly appreciated.

Logwatch config inside the CMK agent cannot be used for text log files.
Logwatch is only for the Windows internal logs.

Inside the example yml file you will find the following comment.

_logfiles:
    enabled: no
    # We do not support logfiles monitoring in agent at the moment
    # Please, use plugin mk_logwatch

You can find an example mk_logwatch config inside the Linux/UNIX agent plugins.


Hey, Andreas.

So I take mk_logwatch.exe and put it in C:\ProgramData\checkmk\agent\local, and put logwatch.cfg into C:\ProgramData\checkmk\agent\config?

Then it looks like the cfg file will basically be something like:

C:\temp\test.log
I message to ignore
W message to be a warning
C message to be a critical

Is this correct?


Only the path for “mk_logwatch” should be “C:\ProgramData\checkmk\agent\plugins”.
For the path inside the cfg file, you can only try it. I don’t know if the “\” must be escaped or not 🙂

Hey, everyone. Thanks for the help, Andreas!

Got this working as follows:

  1. Download mk_logwatch.exe from Monitoring Agents menu in CMK
  2. Place logwatch binary in C:\ProgramData\checkmk\agent\plugins
  3. Create empty file: C:\ProgramData\checkmk\agent\config\logwatch.cfg
  4. In logwatch.cfg, add one line with a file path (non-escaped backslashes) with no leading characters, then create individual rules after it with a leading space (such as in this example):

C:\temp\test.log
 I Ignore this:
 W Warning message:
 C Critical systems message:

Note there must be a leading space before the options (I, W, C), meaning that " W Warning message:" is acceptable but “W Warning message:” is not.

For the CMK team: Could you update the Windows logwatch monitoring documentation to reflect the current way of doing this? While it seems obvious, it isn’t immediately clear how to implement this.

Thanks!
Tralin

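The file layout from the steps above, as an added example (not part of the original posts and not Checkmk code): a small Python check that reads logwatch.cfg-style text, flags rule lines that have lost their leading space, and shows which level a log line would get. It assumes patterns are regular expressions, that the first matching rule wins, and that any other unindented line is a file path; the function names and sample lines are constructed for illustration.

```python
import re

LEVELS = {"I": "ignore", "W": "warning", "C": "critical"}  # levels used in the thread

# Constructed sample: the thread's config with the leading space dropped on the W rule.
SAMPLE_CFG = r"""C:\temp\test.log
 I Ignore this:
W Warning message:
 C Critical systems message:
"""

def parse_logwatch_cfg(text):
    """Return ({path: [(level, regex), ...]}, [(line_number, problem), ...])."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # blank line or comment
        if line[0] in " \t":                          # indented: rule for current file
            level, _, pattern = line.strip().partition(" ")
            if current is None:
                problems.append((lineno, "rule appears before any file path"))
            elif level not in LEVELS or not pattern.strip():
                problems.append((lineno, "unrecognised rule"))
            else:
                sections[current].append((level, re.compile(pattern.strip())))
        elif re.match(r"[IWC] \S", line):             # unindented, but shaped like a rule
            problems.append((lineno, "looks like a rule missing its leading space"))
        else:                                         # unindented: a file path
            current = line
            sections.setdefault(current, [])
    return sections, problems

def classify(rules, log_line):
    """Level of the first matching rule (assumed precedence), or None if none match."""
    for level, regex in rules:
        if regex.search(log_line):
            return LEVELS[level]
    return None

if __name__ == "__main__":
    sections, problems = parse_logwatch_cfg(SAMPLE_CFG)
    for lineno, problem in problems:
        print(f"line {lineno}: {problem}")
    rules = sections[r"C:\temp\test.log"]
    for entry in ("Critical systems message: disk full",   # constructed log lines
                  "Warning message: retrying"):
        print(f"{classify(rules, entry) or 'no rule matched'}: {entry}")
```

In this sketch the unindented W line is reported and not loaded as a rule, so the second sample line matches nothing.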

I find no “mk_logwatch.exe” under the Monitoring Agents menu in CMK. There are only 2 options to download the checkmk_agent, nothing else to download. The only 2 options are the base agent, and the agent I’ve set IP addresses on.

How do I enable or get the windows agent like you mention above?

Do you have the CEE? Then you can configure logwatch directly via the GUI in:

After adding the rule you have to go into the bakery and redeploy/update the agent.
