Currently I am using a MRPE plugin called check_logfiles to monitor logs for our custom application running on a Windows machine. We have the MRPE plugin configured to alert when certain keywords show up in the log. It is kind of a PITA because I have to maintain the configuration for this MRPE plugin outside of CMK.
Ideally I want to move away from using MRPE and have everything done either through the event console or logwatch using WATO however I am slightly confused on what route to take; EC or logwatch or do they work together?
My goal is to be able to monitor new log files in Windows directory, as an example C:\myapp\logs*.txt for specific text pattern and if detected I want to be notified of the event including the full log line in the details of the email.
There are a few areas I am not entirely sure of as well…
Does the event console or logwatch scan the file every time from start to end or does it know where it left off and picks up from that point on? Some of these files can be large.
Does the entire log get processed on the client side and only the triggered patterns get forwarded to master site? This is the ideal situation for us as the log files are very busy with informational messages we do not want to xfer over the network.
Any experts in the EC/logwatch area of check_mk able to give some details would be appreciated.
I have configured Text logfiles (Linux, Windows) WATO rule and I can see the log file getting picked up (there is a service check created for it).
Now how do I go about triggering a critical notification if line matches certain keyword? I looked at the Logwatch Patterns WATO rule and specified in there to look for the text “Error” but this does not work.
I append bogus lines to the text file that are prefixed with the “Error” keyword but nothing happens, the service shows no error messages.
There is also the Logwatch Event Console Forwarding WATO rule that I have not tried to use.
I wish there was a guide with some actual real world examples on how to use this.
Hi,
can you post the content of /etc/check_mk/logwatch.cfg? If you use Windows then post the content of the logfile-section.
Can you post some example lines from your logfile?
The logwatch.cfg had the log file entries I needed but it did not include any of the patterns that I set in WATO. This was even after baking the agent and updating the agent on the machine.
I ended up removing everything from the client, re-installing fresh and right from the get go the logwatch.cfg had the patterns populated; so monitoring of files on disk is working.
If I want to monitor the Windows event logs (security log) and only forward specific events can we do this? The security log is typically very busy and forwarding the entire log is not a good idea.
Anyone know if can filter and only forward specific events from Windows’s Security log? As an example I want to monitor account lockout events on my domain controllers and only forward those to the event console for further processing… can this be done?
Hi,
you can configure the “Finetune windows event logs” rule to get messages from the Windows security log. It’s not possible to forward specific events. But it’s possible to forward them to the event console and filter there. So it’s possible to drop all unnecessary events in the event console.
If we are trying to monitor the security log of a domain controller it is nearly impossible without being able to filter for specific key events at the source server via the cmk client. The log is just too busy and there will be a lot of traffic generated for no good reason.