check-mk-server 1.2.6p12-1 / usr / share / check_mk / checks-man / logwatch

This file is indexed.

/usr/share/check_mk/checks-man/logwatch is in check-mk-server 1.2.6p12-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
title: Check logfiles for relevant new messages
agents: linux, windows, aix, solaris
catalog: os/files
license: GPL
distribution: check_mk
description:
 This check processes the output of agents with the logwatch plugin. The windows agent has built
 in this extension. The logwatch extension of the Linux/UNIX agents needs a configuration file
 that lists all relevant logfiles and lists possible log lines that should result in warning
 or critical state. The windows agents does not need any configuration but sends all log files
 in the Windows event log.  It uses the warning/error classification of Windows.

 Relevant log messages found by the agent are stored locally into a text file. The check is
 critical, if at least one new {or old} log message exists that is classified as critical. If
 at least one warning message exists but no critical, the check results in a warning state.

 The only way to bring the state back to OK is to delete the text file with the stored log
 messages.  This is stored below {~/var/check_mk/logwatch}.  Usually the logwatch webpage is
 used to browse and delete the messages. Please refer to the online documentation of check_mk
 for more details about logwatch.

item:
 The name of the logfile. For Linux/UNIX this is the complete absolute path name of the logfile.
 For Windows this is the name as shown in the windows event log, for example {Application}
 (case sensitive!).

inventory:
 All logfiles sent by the agent are automatically inventorized when the option {logwatch_forward_to_ec}
 is not configured or set to {False}. Please use standard inventory configuration methods if
 you want to ignore certain log files.


examples:
  logwatch_patterns = {
     "System":             [ ('W', "crash"),
                             ('I', "svchost") ],
                             ((10,30), "login.*failed") ],
     "/var/log/messages":  [ ( ['test'], ALL_HOSTS, 'I', "sshd") ]
  }

[parameters]
patterns (list): The parameter can be used to reclassify
 log messages sent by the agent. You can assign one of
 the three levels {'I'} (ignore), {'W'} (warning) or
 {'C'} (critical) to each message. It is only possible
 to reclassify messages that have already been classified
 by the agent with an original level of {I}, {W} or {C}.
 As of version 1.1.13i1 the Windows agent supports sending
 always all messages and classifying non-problems as {I}.
 This is done by a configution
 via {check_mk.ini} and setting the level for a logfile to {all}.
 Those messages can later be reclassified.

 Each entry of the list is a pair of the new level and an
 extended regular expression searched in the log line.
 Please note, that because logwatch checks are usually
 inventorized, it is easier to use the global configuration variable
 {logwatch_patterns} instead of explicit check parameters.
 Example: {[ ('I', "sshd"), ('C', "foo.*bar") ]}

 In the current version of this check a level can be substituted
 by a pair of numbers, e.g. instead of {'W'} you can write {(10, 20)}.
 In that case the message will be considered as {'I'} for the first
 9 appearances, further appearances will be classified as {'W'} and
 from the 20th message on it will be {'C'}. The counts are reset each
 time the host is being checked.

[configuration]
logwatch_patterns (dict): A dictionary for reclassifying
 the level of certain messages. This is especially useful
 for the Window agent, since that uses the pre-classification
 of Windows and might not meet your needs. The key of each entry is the name
 of a logfile (see {item}). The value of each entry is
 a list of pairs as described in {parameters}. It is also
 possible to restrict entries to single hosts or groups
 of hosts by prepending list of host and host tags to the pairs,
 as seen in the example.

logwatch_max_filesize (int): This is preset to 500000
 and limits the maximum size of a logfile stored on the monitoring
 servers (i.e. the amount of unacknowledged problem messages).
 As soon as the maximum size is reached, the check gets critical.
 (It probably anyways is with so many problem messages lying around).

logwatch_dir (string): Directory where log messages are
 stored. The default value is {/var/lib/check_mk/logwatch}.
 For each host a subdirectory is created. The name of the
 files therein are the names of the logfiles with slashes
 replaced by backslashes.

logwatch_service_output (string): Change the output of the service to ony
 show the count of events whitout the last error message.  Default is {default} which
 shows the last error message and the count,  use {count} if
 you only want to see the count.

APT Browse - Built by Thomas Orozco.