Monitor Windows logs on event ID

Hi,

I’m trying to get CheckMK to generate warning messages based on certain event IDs occurring in the Windows Event logs. I’m using the built-in functionality of the Windows agent for monitoring these logs. For this I’ve created the following rule for filtering logfile patterns:

After the rule was created and activated there were messages in the System log of Windows hosts that should have triggered a warning. However nothing shows up in the logfile. I have another rule for filtering out certain critical / warning messages and that one works fine. (I’ve disabled that one for now, just to avoid any chance that this rule influences the new one I’m testing right now).

Note, in the Windows event log, these are informational messages. Are they perhaps filtered out by default? If so, how can I tell CheckMK to take these in consideration as well?

The server is running CheckMK CRE 2.0.0p24. The Windows agent is 2.0.0p12 at the moment.

Regards,
Louis

If these are informational messages then you need to configure your agent so that it also transmits these messages.
Can you show your agent config for the Windows logs?

For every log file you can specify what should be transmitted - warning, critical or all messages.
Pay attention if you set it to “all” then you need to specify some rules that drop all unwanted messages.

They are informational messages. I did not do any configuration for the agent config of the Windows logs. I just installed the CheckMK agent and used it “as is”. Is this the part of the configuration you mean?

logwatch:
    enabled: yes

    sendall: no   # this value is MANDATORY, yes is useful only for debugging
    vista_api: no # this is RECOMMENDED
    max_size: 500000 #
    max_line_length: -1 # -1 to ignore, or any positive, max length of the line
    max_entries: -1     # -1 to ignore, or any positive, max count to receive
    timeout: -1         # -1 to ignore, or any positive, in seconds

    logfile: # entries in the windows eventlog
        - 'Parameters': ignore
        - 'State': ignore
        - '*': warn nocontext # This is default params for not missing entries

What you show is the logwatch section. Inside this section you need to make your configuration.
Please only edit the file “check_mk.user.yml” inside the C:\ProgramData\checkmk\agent
Inside the shown config you see the line

        - '*': warn nocontext

This means from all logfiles only transfer warn and crit messages.
Inside the mentioned “check_mk.user.yml” you find the description what you can configure.
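As an added illustration of the answer above (this fragment is not from the thread and not the agent’s shipped default file), here is the logwatch section of check_mk.user.yml with the default line that drops informational events next to the change that makes one log send them. The level keyword all and the first-match ordering of the logfile entries are assumptions taken from the comments in the agent’s check_mk.yml; check them against your agent version.

```yaml
# Added example for C:\ProgramData\checkmk\agent\check_mk.user.yml
# on a Checkmk 2.0 Windows agent. Only the keys you change need to be
# in the user file; everything else keeps the value from check_mk.yml.
logwatch:
    enabled: yes
    sendall: no     # keep 'no': 'yes' resends the whole log on every cycle (debugging only)
    vista_api: no

    logfile:
        # Before (the shipped default): every log only reports warning and
        # critical events, so informational entries never reach the server.
        #- '*': warn nocontext

        # After: the one log that carries the informational event you need is
        # sent completely ('all'); every other log keeps the default.
        # Assumption: entries are matched in order, so the specific log name
        # must come before the '*' catch-all.
        - 'System': all nocontext
        - 'Parameters': ignore
        - 'State': ignore
        - '*': warn nocontext
```

With all set, the System log becomes a firehose, so pair this with “Logfile pattern” rules on the Checkmk server that raise the wanted event IDs to WARN or CRIT and set everything else to ignore, as warned above. After restarting the agent service, confirm the informational lines now arrive by looking at the <<<logwatch>>> section of the raw agent output for the host (for example with cmk -d HOSTNAME on the server).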

Thanks, that got it working.

I’m trying to do the same, and copied the above, and not getting any luck. Any steps that might be missing from the stated above?

Hi,

Can you please show the relevant part of your “check_mk.user.yml”?

We created a PowerShell script which does the job better than the default check mk options.
I created a new topic in this forum, check it out: Simple (better) local check; Monitor windows event logs - How-to Articles - Checkmk Community

@andreas-doehler
Is it necessary to add the Logwatch plugin (e.g. Text logfiles via Agent Bakery) to get only output on a special event on Windows Event Console?

For example, I only want to get entries on the service on “Log Application” with event id 1337.

No - if your event comes from the Windows internal logs then the agent is enough.

Thank you for your reply - yes it’s the Windows Application Log (Anwendung).

But I only want the logs from a specific event id - not from all others. Is it possible to make a “include only this event id and exclude all others”?

Not that I know. Two options to achieve this.

  • forward the events from this log to the EventConsole - there you can define rules to only show the wanted events
  • create ignore rules for the classic Log check so that only the wanted events are there and all others are ignored