Mass archiving in event console

mike1098 · August 3, 2022, 2:59pm

Hello,

Unfortunately, because no other solution was available, we enabled event based monitoring for a certain software on our shop floor servers years ago.
Our local admins never get used to this and most of them didn’t neither acknowledge nor archive their events. Today we have a state based monitoring for this software in place and I want to get rid of these millions of alerts. The problem is, that these alerts are distributed over ~250 remote sites. In the event view of the master site I see the events but the page is limited to 1000 entries. Ok, I can increase but not to the mass of events I want to delete.

In event console settings we have:

Event history lifetime.................................	365 days

But this is only for already archived events.

If I well understood I can delete the files in ~/var/mkeventd/history but I need to do this on 250 remote computers.
Before I start and write a script which run over all the remote sites and delete the history files I like to ask the community if there is a more elegant way to do it or any other option to expire and auto archive these events.
I know in event console is the option “Limit event lifetime” but this will not work for the existent events as far as I tested this option.

Any help is much appreciated

Michael

andreas-doehler · August 3, 2022, 8:17pm

I would also do your way with deleting the files.
If i remember correctly it is not only the history (acknowledged and archived events) but also the current state file (active events) of the event console.

My doing would be something like this

stop mkeventd
remove all status and archive files - if nothing is needed there anymore
start mkeventd

Dirk · August 4, 2022, 7:10am

I usually run this command (as site user) to completely remove all events from the event console and the event history:

echo "COMMAND FLUSH" | unixcat ~/tmp/run/mkeventd/status

I do not know what happens in a distributed environment, though. It might be neccessary to run it on every checkmk instance.

mike1098 · August 4, 2022, 9:15am

Thank you, that makes things easier.

regards

Michael

ChristianM · August 4, 2022, 9:28am

Hi,

you can also query the the livestatus tablke “eventconsoleevent” and “eventconsolehistory” with a time rage or state, and remove the evenz IDs in your findings with “COMMAND DELETE;(id);houskeeping” on “~/tmp/run/mkeventd/status”.

Rg,
Christian

mike1098 · August 4, 2022, 12:12pm

Thanks Cristian, for me its sufficient to flush away everything. In our Local Monitoring we don´t use events anymore and I hope I will not be forced to use it again.

BR
Michael