Stop monitoring Windows logs

Hi, I’m using the Checkmk Raw Edition 2.1.0p4, and have tried two ways to stop the monitoring of Windows Log files, but neither is working.

I have tried adding a Check_mk.ini file with these settings

[logwatch]
# Switch all other logfiles off. Default is warn:
# send messages of type warn or crit
logfile * = off

to the c:\Program Files (x86)\checkmk folder (and the \service folder) and then stopping and starting the Check_Mk service.

I have also set the check_mk.yml file log section to
_logfiles:
  enabled: no

Yet despite these settings, I’m still seeing log file information in the dashboard. What am I missing, as I really don’t want the Windows log file information?

Oh, and sorry if this has been covered before. I’ve searched (which is where I got the above from), but not found anything more.

Wee update: I’ve also just read that the check_mk.user in the C:\ProgramData\checkmk\agent folder can also be used to disable functions, so I have

logwatch:
  enabled: no

and restarted the service, so I’ll be interested to see what it does.

Cheers
Nic.

You can check whether your modifications of the YML files are correct with

"C:\Program Files (x86)\checkmk\service\check_mk_agent.exe" showconfig

In the output you should see a section

logwatch:
  enabled: false
  sendall: false
  vista_api: no
  skip_duplicated: true
  max_size: 500000
  max_line_length: -1
  max_entries: -1
  timeout: -1
  logfile:
    - "*": off context
    - Parameters: ignore
    - State: ignore

To get the “enabled: false” you can use the config option “disabled_sections” with the section name “logwatch”. What also works is the entry - "*": off context.

One piece of advice: don’t modify the check_mk.yml file inside "C:\Program Files (x86)\checkmk\service"; only make manual changes to the file “C:\ProgramData\checkmk\agent\check_mk.user.yml”.
After a change you can reload the agent config or restart the agent service.

Hi Nic,

Depending on your use case, it may be preferable to ignore the Windows logs via a Checkmk rule rather than disabling them on each agent.

We use the following rule to ignore all logwatch checks:

The downside to this approach is that the logwatch information is still sent over the wire, which is effectively wasted bandwidth. The upside is that we do not have to manually configure the agent on each server to disable the logwatch checks.

Hope this helps,
Jason

The real downside is a potentially longer agent runtime, as the collection of the Windows event logs can take a significant amount of time.
I would not recommend a configuration like the one shown.


Thank you for the feedback, Andreas.

Agent runtime has not been an issue for us so it was not something I considered when designing a solution to the noisy Windows logs checks. It is definitely something I will keep in mind for the future, though.

Thank you again,
Jason

In my experience, both the Windows agent and Checkmk (with a rule) need to be configured.
But some of the output is contradictory, so maybe I haven’t configured parts correctly.

(I think) I have the Windows logs disabled by the use of disabled_sections: [logwatch] in "C:\ProgramData\checkmk\agent\check_mk.user.yml"

The output of .\check_mk_agent.exe showconfig is however confusing. It suggests that it is both enabled and disabled. I snipped out a lot of lines ... to only have the interesting bits shown.

  sections:
   ...
    - logwatch
   ...
  disabled_sections: [logwatch]
...
logwatch:
  enabled: yes
  sendall: no
  vista_api: no
  skip_duplicated: no
  max_size: 500000
  max_line_length: -1
  max_entries: -1
  timeout: -1
  logfile:
    - Parameters: ignore
    - State: ignore
    - "*": warn nocontext

Based on the download agent output of a host in the web interface, I assume the Windows logs are not sent and bandwidth is saved / agent running time reduced.

But to avoid Check_MK going into WARN state with a message like [agent] Success, Missing monitoring data for plugins: logwatch WARN and lots of Windows log services in PEND state, I created a disabled services rule on the WATO folder for my Windows clients to disable all the Windows log services. I have no desire to manually disable them per host.


I am using Checkmk Raw Edition 2.1.0p5

Here you only need to do a rediscovery of this host. No rules needed. All the log services should be shown as vanished.

Whether the logwatch section is enabled or not is not so important. What is important is the last line, without any other logfile name before it.
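
Added example (not from any poster in this thread and not Checkmk's own code): a small Python check that reads saved `check_mk_agent.exe showconfig` output and applies the criteria the replies name, i.e. `disabled_sections`, `logwatch: enabled` and the `"*"` logfile entry, so the "enabled and disabled at once" output above can be resolved per host. The names `logwatch_verdict` and `SAMPLE`, the line-based parsing, and treating `off` and `ignore` as "nothing sent" are assumptions.

```python
import re

QUIET = {"off", "ignore"}       # assumption: neither level sends any entries
FALSE = {"no", "false", "off"}  # YAML-style false values as printed by showconfig

# Constructed sample, modelled on the trimmed showconfig output quoted in the thread.
SAMPLE = """\
  sections:
    - logwatch
  disabled_sections: [logwatch]
logwatch:
  enabled: yes
  logfile:
    - Parameters: ignore
    - State: ignore
    - "*": warn nocontext
"""

def logwatch_verdict(showconfig_text):
    """Return (collected, reason) for the logwatch section of showconfig output."""
    disabled, enabled, entries, section = [], None, [], None
    for raw in showconfig_text.splitlines():
        text = raw.strip()
        if not text or text == "...":
            continue
        if not raw[0].isspace() and text.endswith(":"):
            section = text[:-1]  # top-level key such as "logwatch"
            continue
        m = re.match(r"disabled_sections:\s*\[(.*)\]", text)
        if m:
            disabled = [s.strip() for s in m.group(1).split(",") if s.strip()]
        elif section == "logwatch":
            m = re.match(r"enabled:\s*(\S+)", text)
            if m:
                enabled = m.group(1).lower() not in FALSE
            m = re.match(r"-\s*[\"']?(.+?)[\"']?\s*:\s*(\S+)", text)
            if m:
                entries.append((m.group(1), m.group(2).lower()))
    if "logwatch" in disabled:
        return False, "logwatch listed in disabled_sections"
    if enabled is False:
        return False, "logwatch.enabled is false"
    active = [name for name, level in entries if level not in QUIET]
    if active:
        return True, "logs still sent: " + ", ".join(active)
    if not any(name == "*" for name, _ in entries):
        return True, "no '*' entry, default level applies"
    return False, "every logfile entry, including '*', is off or ignore"
```

Calling `logwatch_verdict(SAMPLE)` on the constructed sample reports that logwatch is not collected because it is listed in `disabled_sections`, even though `enabled: yes` is printed further down.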
