Monitor non-default Windows Eventlogs

Hello everyone,

I am trying to monitor a few specific Windows event logs with logwatch. These are located under ‘Application and Services Logs’ and are somewhat buried in subfolders. I can monitor event logs that are located directly under ‘Application and Services Logs’, e.g. ‘DFS Replication’. But as soon as they are located in subfolders, CheckMK apparently no longer recognizes the logs.

Specifically, I am trying to monitor the FailoverClustering log file. According to the properties, the name is ‘Microsoft-Windows-FailoverClustering/Operational’.

My logwatch config:

logwatch:
  enabled: true
  logfile:
    - 'Microsoft-Windows-FailoverClustering/Operational': all context
    - 'DFS Replication': all context

DFS Replication is recognized during discovery. Unfortunately, the other log file is not. I have also tested other log files with a similar structure. Unfortunately, none of them are recognized. Does anyone have any tips for me? Thank you.

I am using Checkmk Enterprise Edition 2.3.0p33

Best regards,
Christoph

I rarely need to use these, but if I recall correctly, the Windows event logs in subfolders need the Vista API:

i.e. before the logfile block (so at the same level as your "enabled: true" line):
vista_api: true

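The reply's suggestion written out as a complete logwatch section, added here as an example rather than the poster's own config; the key names (logwatch, enabled, vista_api, logfile) and the channel name are taken from the thread, and the placement of vista_api is the one the reply describes:

```yaml
# Checkmk Windows agent, logwatch section (example, not the poster's file).
# Subfolder channels under "Application and Services Logs" are only
# enumerated through the newer Windows event API, so vista_api must be
# enabled at the same level as "enabled", before the logfile list.
logwatch:
  enabled: true
  vista_api: true
  logfile:
    # Channel in a subfolder; its name is the provider/channel path shown
    # in the log's properties, not the folder label in Event Viewer.
    - 'Microsoft-Windows-FailoverClustering/Operational': all context
    # Channel directly under "Application and Services Logs" (worked already).
    - 'DFS Replication': all context
```

After changing the file, re-run service discovery on the host so the new "Log Microsoft-Windows-FailoverClustering/Operational" service is picked up.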

This was the hint I missed. Thanks so much.