Windows logwatch support custom views?

Karczoszki · August 1, 2023, 9:13am

Hi

I use raw 2.0.1p30

Does windows logwatch support logs from custom views.
I created my own filter so that only certain types of errors would be sent to a separate log “MyOwnLog”.

I config check_mk.user.yml

    logfile: 
        - '*': crit nocontext # This is default params for not missing entries

And the plugin only detects

<<<logwatch>>>
[[[Application]]]
[[[HardwareEvents]]]
[[[Internet Explorer]]]
[[[Key Management Service]]]
[[[Security]]]
[[[System]]]
[[[Windows PowerShell]]]

Am i doing something wrong or the logwatch plugin doesn’t support custom views

gstolz · August 1, 2023, 11:11am

Hi @Karczoszki,

you’re not doing anything wrong - there is no filter mechanism (except for the message state) on the client side.

If you want to only react to some specific messages, use either the Event Console or “Logfile patterns” to ignore all messages and match only what you need:

ChristianM · August 1, 2023, 2:34pm

Hi.

I think you need to define the Log source fist in check_mk.user.yaml. The agent need the information about your new log source.
If you want a special source doing this:

     # entries in the windows eventlog
    logfile:
        - 'Microsoft-Windows-Application Server-Applications/Admin': crit nocontext

If you use ‘*’ only “System”,“Security”, “Application” and the other Standards will used

Karczoszki · August 2, 2023, 7:13am

thanks your suggestion worked

Karczoszki · August 2, 2023, 7:18am

Thanks for the suggestions i will try

brwilkinson · November 7, 2023, 2:49am

I have a related question.
What format does checkmk receive the logs from Windows Events?

If I want to do a regex, am I doing this against the XML string ? Or what format should I expect that checkmk is comparing the data from the log events?

 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="checkmk" /> 
  <EventID Qualifiers="0">35</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2023-11-07T02:31:25.6958064Z" /> 
  <EventRecordID>30190</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="0" ThreadID="0" /> 
  <Channel>Application</Channel> 
  <Computer>myserver.localtest.com</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data>checkmk</Data> 
  <Data>check_mk_service is loading</Data> 
  </EventData>
  </Event>

system · November 6, 2024, 2:49am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.