I’m trying to get CheckMK to generate warning messages based on certain event IDs occurring in the Windows Event logs. I’m using the built-in functionality of the Windows agent for monitoring these logs. For this I’ve created the following rule for filtering logfile patterns:
After the rule was created and activated there were messages in the System log of Windows hosts that should have triggered a warning. However nothing shows up in the logfile. I have another rule for filtering out certain critical / warning messages and that one works fine. (I’ve disabled that one for now, just to avoid any chance that this rule influences the new one I’m testing right now).
Note, in the Windows event log, these are informational messages. Are they perhaps filtered out by default? If so, how can I tell CheckMK to take these in consideration as well?
The server is running CheckMK CRE 2.0.0p24. The Windows agent is 2.0.0p12 at the moment.
If these are informational messages then you need to configure your agent so that it also transmits these messages.
Can you show your agent config for the Windows logs?
For every log file you can specify what should be transmitted - warning, critical or all messages.
Pay attention if you set it to “all” then you need to specify some rules that drop all unwanted messages.
They are informational messages. I did not do any configuration for the agent config of the Windows logs. I just installed the CheckMK agent and used it “as is”. Is this the part of the configuration you mean?
logwatch:
    enabled: yes
    sendall: no  # this value is MANDATORY, yes is useful only for debugging
    vista_api: no  # this is RECOMMENDED
    max_size: 500000  #
    max_line_length: -1  # -1 to ignore, or any positive, max length of the line
    max_entries: -1  # -1 to ignore, or any positive, max count to receive
    timeout: -1  # -1 to ignore, or any positive, in seconds
    logfile:  # entries in the windows eventlog
        - 'Parameters': ignore
        - 'State': ignore
        - '*': warn nocontext  # This is default params for not missing entries
What you show is the logwatch section. Inside this section you need to make your configuration.
Please only edit the file “check_mk.user.yml” inside the C:\ProgramData\checkmk\agent
Inside the shown config you see the line
- '*': warn nocontext
This means that from all logfiles only warn and crit messages are transferred.
Inside the mentioned “check_mk.user.yml” you find the description of what you can configure.
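An added example (not from any post in this thread) of what the edited logwatch section in check_mk.user.yml could look like for this case: the System log is set to all so that informational events are transmitted too, while the catch-all entry stays at warn. The level keywords and the per-logfile list syntax are taken from the commented defaults in the shipped check_mk.yml and are assumed here; check them against the file on your agent version.

```yaml
# check_mk.user.yml (C:\ProgramData\checkmk\agent) - added example, not the shipped default
logwatch:
    enabled: yes
    sendall: no          # keep 'no' in production; 'yes' is only for debugging
    vista_api: no
    max_size: 500000
    max_line_length: -1
    max_entries: -1
    timeout: -1
    logfile:
        - 'Parameters': ignore
        - 'State': ignore
        # Informational events are only forwarded when the log is set to 'all'.
        # With 'warn' (the default for '*') they never leave the host, so no
        # server-side logfile pattern rule can match them.
        - 'System': all nocontext
        # Every other eventlog keeps the default: warn and crit only.
        - '*': warn nocontext
```

Setting a busy log to all increases the data sent every check cycle, so pair it with a server-side logfile pattern rule that classifies the wanted event IDs and drops everything else.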
@andreas-doehler
Is it necessary to add the Logwatch plugin (e. g. Text logfiles via Agent Bakery) to get only output on a special event on Windows Event Console?
For example, I only want to get entries on the service on “Log Application” with event id 1337.