Monitoring pattern only in the first line of a file

CMK version: v2.0.x

We have a Windows server where an application writes down status messages in a (log) file. We want to monitor these file entries by watching for a search pattern (regex). So far so good.

Our problem is that the application writes down new lines in the monitored file at the beginning of the file. New lines are not appended at the end of the file (as usual).

So, we are not able to monitor this file with the usual mk_logwatch plugin. I’ve tested it. As soon as a new line is added at the beginning of the file, the plugin detects an older line with the search pattern. That’s wrong
One workaround is to regularly run a custom script which reverses the lines in the logfile or puts the new line at the end of the log file.

Does anyone know a solution or any other plugin for our issue?

Thank you in advance,
Antje

At the moment i have only one idea how to “solve” this problem.
For this special log file i would try the option “fromstart: true” and “maxlines: 1” or any other suitable value. This should force the plugin to only read the first line of the file every time.

It is only an idea :wink:

Hi Andreas,

thank you for your help.

I followed your advice and changed my logwatch.cfg in this way:

C:\Windows\Temp\cmktest.txt fromstart=true maxlines=1
W failure

The maxlines parameter causes a notification after the first run:
CRIT - 1 CRIT messages (Last worst: “Maximum number (1) of new log messages exceeded.”)

So I removed the parameter:
C:\Windows\Temp\cmktest.txt fromstart=true
W failure

After restarting the Checkmk agent, clearing the log in the Checkmk webinterface and adding a new success line to the file (at the beginning), the next execution of the plugin returns (again):
CRIT - 1 CRIT messages (Last worst: “211122 14:18:19 00:00:01 failure v1.8.1 IAB2114”)

The mentioned log line is an older one (within the file).
My test log file looks as follows:

220118 09:43:19 00:00:01 success v1.8.1 IAB2114
220118 09:20:19 00:00:01 success v1.8.1 IAB2114
220118 09:16:19 00:00:01 success v1.8.1 IAB2114
211128 14:24:19 00:00:01 failure v1.8.1 IAB2114
211127 14:23:19 00:00:01 success v1.8.1 IAB2114
211126 14:22:19 00:00:01 success v1.8.1 IAB2114
211125 14:21:19 00:00:01 failure v1.8.1 IAB2114
211124 14:20:19 00:00:05 success v1.8.1 IAB2114
211123 14:19:19 00:00:01 success v1.8.1 IAB2114
211122 14:18:19 00:00:01 failure v1.8.1 IAB2114
211121 14:17:19 00:00:01 failure v1.8.1 IAB2114

It’s also strange that the status of the service changes to Critical instead of Warning…

Unfortunately, I am afraid that your suggestion will not solve my issue. :frowning:

Kind regards,
Antje