Monitor Windows logs on event ID

Hi,

I’m trying to get CheckMK to generate warning messages based on certain event IDs occurring in the Windows Event logs. I’m using the built-in functionality of the Windows agent for monitoring these logs. For this I’ve created the following rule for filtering logfile patterns:

After the rule was created and activated there were messages in the System log of Windows hosts that should have triggered a warning. However nothing shows up in the logfile. I have another rule for filtering out certain critical / warning messages and that one works fine. (I’ve disabled that one for now, just to avoid any chance that this rule influences the new one I’m testing right now).

Note, in the Windows event log, these are informational messages. Are they perhaps filtered out by default? If so, how can I tell CheckMK to take these into consideration as well?

The server is running CheckMK CRE 2.0.0p24. The Windows agent is 2.0.0p12 at the moment.

Regards,
Louis

If these are informational messages then you need to configure your agent so that it also transmits these messages.
Can you show your agent config for the Windows logs?

For every log file you can specify what should be transmitted - warning, critical or all messages.
Pay attention if you set it to “all” then you need to specify some rules that drop all unwanted messages.

They are informational messages. I did not do any configuration for the agent config of the Windows logs. I just installed the CheckMK agent and used it “as is”. Is this the part of the configuration you mean?

logwatch:
    enabled: yes

    sendall: no   # this value is MANDATORY, yes is useful only for debugging
    vista_api: no # this is RECOMMENDED
    max_size: 500000 #
    max_line_length: -1 # -1 to ignore, or any positive, max length of the line
    max_entries: -1     # -1 to ignore, or any positive, max count to receive
    timeout: -1         # -1 to ignore, or any positive, in seconds

    logfile: # entries in the windows eventlog
        - 'Parameters': ignore
        - 'State': ignore
        - '*': warn nocontext # This is default params for not missing entries

What you show is the logwatch section. Inside this section you need to make your configuration.
Please only edit the file “check_mk.user.yml” inside the C:\ProgramData\checkmk\agent
Inside the shown config you see the line

        - '*': warn nocontext

This means from all logfiles only transfer warn and crit messages.
Inside the mentioned “check_mk.user.yml” you find the description what you can configure.
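As an added illustration (not part of the original thread), the following logwatch section shows the default setting beside one that also forwards informational events for a single log. It assumes, based on the comments shipped in check_mk.user.yml, that the per-log level keywords are off, crit, warn and all, optionally followed by context or nocontext, and that the most specific matching entry wins over the '*' entry; both points are assumptions here, so check them against the comments in your own check_mk.user.yml.

```yaml
# Added example for C:\ProgramData\checkmk\agent\check_mk.user.yml
# (not from the thread; the keyword set below is an assumption taken
# from the comments shipped in that file).
logwatch:
    enabled: yes
    sendall: no     # keep "no": "yes" is a debugging switch and floods the check
    vista_api: no

    logfile:
        # Weak (default) setting: only warning and critical events are sent,
        # so an informational event ID can never trigger anything on the server.
        #   - '*': warn nocontext
        #
        # Corrected setting: forward *all* levels for the one log whose
        # informational events you need, keep the default for everything else.
        - 'System': all nocontext      # informational events are now transmitted
        - 'Parameters': ignore
        - 'State': ignore
        - '*': warn nocontext          # unchanged default for all other logs
```

After saving the file, restart the Checkmk agent service so the new logwatch section is read. Because "all" forwards every informational event from that log, pair it with a "Logfile patterns" rule on the server that ignores everything except the event IDs you care about, otherwise the logwatch service for that host will fill up with noise.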

Thanks, that got it working.

I’m trying to do the same, and copied the above, and am not getting any luck. Are there any steps that might be missing from what is stated above?

Hi,

Can you please show the relevant part of your “check_mk.user.yml”?