No Windows logwatch at all after updating to 2.0.0p1

Hi there,

After updating from the last 1.16 version to 2.0.0p1, I now see that logwatch on all the Windows servers is not working any more. Unfortunately, I did not notice this before I updated CheckMK.

I still have the ‘old’ 1.16 agent running on most Windows machines, so nothing has changed on that part. I also tried updating the Windows agent on some boxes to the 2.0 agent, but also to no avail.

I’m struggling to debug this, does anybody have some pointers?
Thanks

What do you mean by “logwatch”: the Windows event logs like “Application” and “System”, or text log files?

If it is the event logs, then nothing has changed there. This is working on all of my systems, also after upgrading to 2.0.

What version was your old one? 1.16 does not exist; was it 1.6?

Yes, I mean the Windows event logs. I had these working for ~200 Windows servers over 3 sites.

I double-checked, I was running 1.6.0p22. After doing some research, I found some logs in the ‘/opt/omd/sites//var/check_mk/logwatch/’ that were from after the upgrade, so I continued my search.

At the bottom of the Logfile pattern analyzer page (a long scroll down in our case), there was an error message which mentioned “Internal error: bad escape \R at position 6”. I have not changed these regexes after the update, so I presume the upgrade has had something to do with this error. Just FYI, these rules worked perfectly before updating. (And yes, these were not 100% valid regexes, with unescaped ‘\’ in the Windows paths occurring in the logs.)

What is also worth mentioning, additional errors appear after opening the ‘edit rule’ page and then trying to save the rule without changes. I found an additional 5 errors in various rules which were not mentioned on the pattern analyzer page.

I submitted a crash report with one of these errors. I’ll be monitoring and see if this fixes my issue.

Hi WaaZaa666,
just a quick side note: I guess that even before 2.0.0p1 was published there had been some posts here asking for support on the same or similar issues as you did; it seems there are others struggling with that topic, too. With the new website going live (some weeks before 2.0.0p1), there is currently no more documentation available for logfile monitoring, although one version existed in the former manual (e.g. lacking explanations on the new yml structure for the restructured Windows agent for version 1.6 and above). When I asked, tribe29 told me that the new documentation for that needs to be written or updated before being listed in the manual again. So, hopefully this will happen in the near future and several how-to questions will be solved. OK, it’s not a solution for you right now, but maybe useful information to keep in mind nevertheless.

Besides the missing documentation, the finding from @WaaZaa666 is important.
I also had some rules inside the CMK configuration that had wrongly formatted regexes or other problems. But my problems were not so drastic that no log information was processed anymore.

That is one point missing at upgrade time: logwatch filter rules are not evaluated for whether they are correct or not.

1 Like

After updating to 2.0.0p1 all Windows EventLogs (System/Application) had ‘Check crashed’.
As long as there were no events, the service was ‘OK’, but at every other Event it crashed.

So far I’ve found out that filtering rules work differently now / don’t exist anymore.
After disabling all rules for logwatch it doesn’t crash.
But how do I filter out the events I don’t need?

Ok, I’ve found it.
Topic closed.

Just kidding!
I had a rule to ignore “\(redirected…”
This crashed all my logwatch checks.

How/where can I report this as a bug?

Here, with a good description, or, if you have a customer account, inside your customer portal.
