Mk_logwatch, how to bring the state back to OK

CMK version: 2.1.0p14
OS version: ubuntu 20.04.5

I’m trying to reset the logwatch service in a WARNING status, this is what I read in the docs:

The only way to bring the state back to OK is to delete the text file with the stored log messages. This is stored below ~/var/check_mk/logwatch

However, I cannot find this file. The home dir for the cmk-agent user is /var/lib/check_mk_agent, so I guess ~ means /var/lib/check_mk_agent, but there is no var dir there… I had a /var/lib/check_mk_agent/logwatch.state.{IP}, but deleting it had no effect.


Of course I already deleted the /var/log/auth.log containing the “Corrupted MAC on input” error.

If I do a grep -r "Corrupted MAC on input" /var/log/ I find many files in /var/log/journal/[...].journal

Do I need to delete these journal files? I wouldn’t, because they may contain other useful information.


find / -xdev -type d -name "check_mk" outputs only one directory:
/etc/check_mk
and /etc/check_mk/logwatch doesn’t exist, so the documentation must be wrong…

Yes, the docs on logwatch are not really in their best shape.

You can delete WARN/CRIT logs from the web GUI. On any log service status page, in the action menu (three horizontal bars) you’ll find the “Open Log” command with some “typewriter” (I guess) icon. On the log page, you then have a “Clear log” command.


To be clear, this is all on the Checkmk server. No need to delete the original logs on the monitored host, since the logwatch plugin remembers its position in the file and won’t re-send lines it has already seen.


The home directory in question here is that of the Checkmk site user on the Checkmk server, i.e. /omd/sites/SITENAME


Thank you very much @martin.schwarz, I grepped all the host to search for that log, didn’t think it could be on the server :sweat_smile:

Is there a GUI way to do this for multiple services?

Hi @mgutt,
unfortunately no, the GUI only allows doing this for one log at a time.

You can however clean up files with cron/scripts/etc in ~/var/check_mk/logwatch//

Gerd
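
The scripted cleanup suggested above, as an added example that is not part of the original thread or of Checkmk: instead of deleting, it moves the stored-message files into an archive directory, so flagged lines such as the sshd "Corrupted MAC on input" warnings stay available for later review. The `<host>/<logfile>` layout below the logwatch directory, the function name `clear_logwatch` and the archive location are assumptions.

```shell
#!/bin/sh
# Added example, not Checkmk code. Run as the site user on the Checkmk server.
# Assumed layout: LOGWATCH_DIR/<host>/<logfile>, one file of stored messages
# per monitored log.
#
# clear_logwatch LOGWATCH_DIR ARCHIVE_DIR [HOST_GLOB]
# Moves the stored-message files of matching hosts into
# ARCHIVE_DIR/<timestamp>/<host>/ and prints how many files were moved.
clear_logwatch() (
    lw_dir=$1 archive=$2 host_glob=${3:-*}

    # Guard against a mistyped path: only operate on a logwatch directory.
    case $lw_dir in
        */var/check_mk/logwatch) ;;
        *) echo "refusing: $lw_dir is not a logwatch directory" >&2; exit 2 ;;
    esac

    # Make the archive path absolute before changing directory.
    case $archive in
        /*) ;;
        *) archive=$PWD/$archive ;;
    esac
    cd "$lw_dir" || exit 2

    dest=$archive/$(date +%Y%m%dT%H%M%S)

    # Depth 2 = files directly below a host directory. -type f skips symlinks.
    # The helper prints one "x" per moved file so the caller can count them.
    moved=$(find . -mindepth 2 -maxdepth 2 -type f -path "./$host_glob/*" \
        -exec sh -c '
            dest=$1; shift
            for f do
                host=${f#./}; host=${host%%/*}
                mkdir -p "$dest/$host" && mv -- "$f" "$dest/$host/" && printf x
            done' sh "$dest" {} + | wc -c)
    echo $((moved))
)

# Constructed usage (SITENAME is the placeholder used in the thread):
#   sh clear_logwatch.sh /omd/sites/SITENAME/var/check_mk/logwatch /tmp/lw-archive 'web*'
if [ "$#" -ge 2 ]; then
    clear_logwatch "$@"
fi
```
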

Nope, you can! If you have a view or search result that shows multiple logs, then the “clear log” command will act on all those at once.

For example, if you display one individual log, you have a button to go “up” to “Log files of host …” (also in the “Logs” menu). Where you also find an entry “All log files”. On which you can then act with the “Clear logs” button, just like on a single log. :slight_smile:

