i tried to monitor logfile /var/log/auth.log on one of my host
i have put mk_logwatch file in host machine in this path /usr/lib/check_mk_agent/plugins and give it 755 permissions with root user as owner
also added logwatch.cfg in /etc/check_mk/
here is auth.log file content which is a default example
/var/log/auth.log
W sshd.*Corrupted MAC on input
after scanning the host machine in checkmk host interface , the service is not discovered
I would suggest updating to a newer supported version of Checkmk, as 1.x version is no longer maintained and in the newer versions there are many improvements and fixes for possible bugs.