Windows System Event id monitoring

khozy · June 18, 2021, 6:57am

Hi. Please help to suggest the code to monitor specific event id from Windows System Event logs. For eg event id 64

logwatch:
    enabled: yes
    
    sendall: no   # this value is MANDATORY, yes is useful only for debugging
    vista_api: no # this is RECOMMENDED
    max_size: 500000 #

    logfile: # entries in the windows eventlog
        - 'Parameters': ignore
        - 'State': ignore
        - '*': warn nocontext # This is default params for not missing entries

Thank you for the help in advance

khozy · June 22, 2021, 10:18am

Hello, any help that can be extended from the CMK community? A sample code that works to monitor a specific Event id from System Event log?

andreas-doehler · June 22, 2021, 2:21pm

First questions.

is this event a warning or critical event?

If Yes

then you need only to setup the Logfile name with the option “warn” and “nocontext”

Config file for standard logs.

logwatch:
  enabled: yes
  logfile:
    - 'System': warn nocontext
    - 'Application': warn nocontext
    - '*': off

If No

then you have to transmit all log entries from the specific log to the CMK server
on the CMK server you should setup the log forwarding to EventConsole and there you need to build a matching rule for your event
If you don’t want to use the EC you can also create negative filter rules for the normal logwatch inside CMK

Config file for all entries of System log.

logwatch:
  enabled: yes
  logfile:
    - 'System': all nocontext
    - 'Application': warn nocontext
    - '*': off

system · June 22, 2022, 2:22pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.