Table of Contents
- Checkmk Rules needed
- Configuring the Checkmk Agent
...
In this use case, we are only interested in the Security log, so the rule should look like this and should match all hosts we want to monitor the Security log on:
Setup → Agents → Windows, Linux, Solaris, AIX → Agent rules → Finetune Windows Eventlog monitoring → Add Rule
After saving this rule, activate the changes and bake & sign your agents.
...
If you discover the services of your affected Windows hosts now, you will get the old-school Checkmk services "Log Security" with "Open Log" in their context menus.
Instead, we want the events to be forwarded to the Event Console. Therefore, we use the rule "Logwatch Event Console Forwarding":
Setup → Services → Service monitoring rules → Logwatch Event Console Forwarding → Add Rule
We recommend using spooling, so the events are buffered if the Event Console is down for a moment. The syslog facility "local1" can be used later in the EC rules for efficient event handling.
...
From now on, the events from the Windows Eventlog on your hosts are translated into Checkmk Event Console events and stored in the event archive (as long as they do not match any EC rule yet):
To categorize and classify the incoming events, we will create some EC rules in the next paragraph. Using the message texts from the Event History, you can define the regex patterns needed for that.
...
First, create a Rulepack with a suitable name:
Go to the rules of this Rulepack:
There, create a rule to handle all events that do not yet match any other rule:
General properties
Matching Criteria
Here, we need two regular expressions:
- The first one is applied to the message text and defines three matching groups using the brackets:
.{3} [0-9]+ [0-9:]{8} [0-9]+\.([0-9]{4}) ([^ ]+) (.*)
The website https://regex101.com helps you to understand how the regex matches the message text and which groups are created:
These groups can later be accessed using the placeholders \1, \2 and \3 in the message text rewriting. They might also become important when automatic duplicate detection is used. We'll come to that later on.
- The second regular expression "^(.*)$" simply matches any Application text (in our case, it's always "Security", though) and puts it into a matching group. Later, we can access this group using the macro "$MATCH_GROUPS_SYSLOG_APPLICATION_1$".
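As an added example (not part of the original article or of Checkmk itself), the following Python script applies the two patterns from this rule to constructed sample lines and shows what \1, \2, \3 and the application macro would contain, and what happens to a line the message pattern does not cover:

```python
import re

# The two patterns from the EC rule above. The message pattern is unanchored,
# so it is applied as a search; the application pattern anchors itself with ^ and $.
MESSAGE_RE = re.compile(r".{3} [0-9]+ [0-9:]{8} [0-9]+\.([0-9]{4}) ([^ ]+) (.*)")
APPLICATION_RE = re.compile(r"^(.*)$")

# Constructed sample events in the shape "<mon> <day> <hh:mm:ss> <record>.<event_id> <source> <text>"
# that the article's regex expects. These are made up for the example, not captured data.
SAMPLE_EVENTS = [
    ("Security", "Dec 14 10:23:45 1234.4624 Microsoft-Windows-Security-Auditing An account was successfully logged on."),
    ("Security", "Dec 14 10:24:01 1235.4625 Microsoft-Windows-Security-Auditing An account failed to log on."),
    # Event ID with only three digits: the pattern requires exactly four digits after the dot,
    # so this line does not match and would fall through to the catch-all rule.
    ("Security", "Dec 14 10:25:00 1236.517 Microsoft-Windows-Security-Auditing Constructed three-digit event."),
]


def classify(application, text):
    """Return the three message groups (\\1, \\2, \\3) and the application group
    ($MATCH_GROUPS_SYSLOG_APPLICATION_1$), or None when the message pattern does not match."""
    m = MESSAGE_RE.search(text)
    if m is None:
        return None
    event_id, source, message = m.groups()
    app = APPLICATION_RE.match(application).group(1)
    return {"event_id": event_id, "source": source, "message": message, "application": app}


def rewrite(text, template=r"\1 (\2): \3"):
    """Emulate the EC message text rewriting with \\1..\\3 placeholders.
    A non-matching line is returned unchanged, as re.sub leaves it alone."""
    return MESSAGE_RE.sub(template, text)


def run_samples():
    """Classify every constructed sample; returns the list of results (None for no match)."""
    return [classify(app, text) for app, text in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (app, text), result in zip(SAMPLE_EVENTS, run_samples()):
        print(result, "->", rewrite(text))
```

Counting which samples return None is a quick way to check a new pattern against the message texts you copied from the Event History before saving the rule.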
...