Versions Compared

Old Version 16

changes.mady.by.user Matthew Hierholzer

Saved on

compared with

New Version Current

changes.mady.by.user Matthew Hierholzer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Status
colourGreen
titleLAST TESTED ON CHECKMK 2.2.0P1


Panel
borderColorblack
bgColor#f8f8f8
titleTable of Contents

Table of Contents

Getting Started

Background information regarding this subject is available on our:


Checkmk Rules needed

Configuring the Checkmk Agent

...


Setup→ Agents → Windows, Linux, Solaris, AIX → Agent rules → Finetune Windows Eventlog monitoring → Add Rule
Screenshot of finetune windows eventlog monitoring. Image Modified

After saving this rule, activate the changes and bake & sign your agents.

...


Setup → Services → Service monitoring rules → Logwatch Event Console Forwarding → Add Rule
Screenshot of logwatch event console fowarding rule. Forwarding method set to local. Syslog facility for forwarded messages set to local1.Image Modified

We recommend using the spooling, so the events are buffered if the Event Console should be down for a moment. The syslog facility "local1" can be used later in the EC rules for efficient event handling.

...

From now on, the events from the Windows Eventlog on your hosts will be translated to Checkmk Event Console events and put into the event archive (if not matching any EC Rule yet):

Screenshot of recent event historyImage Modified

We will create some EC Rules in the next paragraph to categorize and classify the incoming events. Using the message texts from the Event History, you can define the needed Regex patterns for that.

Creating the Event Console Rules

Basic Rules

...


  1. Create a Rulepack with a suitable name:
    Screenshot of adding a rule pack titled Windows EventlogImage Modified

  2. Go to the rules of this Rulepack

...


  1. Screenshot of the rule pack icon location.Image Modified

  2. There, create a rule to handle all events that

...

  1. do not

...

  1. match any other rules yet

...

General properties

Setup → Events → Event Console rule packs → Add Rule
Screenshot of adding a new rule. Rule Id is WinEvtLot_unkonwn. Catch all events that are not categorized yet.Image Modified

Matching Criteria

Here, we need two regular expressions:

Screenshot of adding a rule to match a regular expression statement.Image Modified



  1. The first one is applied to the message text and defines three matching groups using the brackets:

    Code Block
    languagebash
    themeRDark
    .{3} [0-9]+ [0-9:]{8} [0-9]+\.([0-9]{4}) ([^ ]+) (.*)


    The website https://regex101.com helps you to understand how the regex matches the message text and which groups are created:

    Screenshot of regex101.com detailing how to test regular expressions.Image Modified

    These groups can later be accessed using the placeholders \1, \2, and \3 in the message text rewriting. They might also become important when automatic duplicate detection is used. We'll come to that later on.

  2. The second regular expression "^(.*)$" simply matches on any Application text (in our case, it's always "Security", though) and puts it into a matching group. Later, we can access this group using the macro "$MATCH_GROUPS_SYSLOG_APPLICATION_1$".

...

The "Outcome & Action" section can remain unchanged, but in the Counting & Timing, we have two definitions:

Screenshot of force separate events for different host and applications enabled.Image Modified


The counting is done based on the hostname and the application. Forcing separate events for different match groups makes no sense here because the message text is stored in group 3, and as we all know, these texts sometimes contain IDs, timestamps, and similar unique strings.

...

In the Rewriting section, we can adjust the message text, application, and other variables that will be shown in the event views:

Screenshot of rewrite message textImage Modified


The message text will be replaced using the groups from above:

...

WinEvtLog_Unknown_Security_4799

Conclusion

Using this "unknown" rule, we will catch all so-far not categorized events, adjust their message text and application, and then aggregate ("count") them based on the hostname and that modified application.

...

Clone the "unknown" rule and modify the following fields:

Screenshot of rule properties named WinEvtLog_4720Image Modified

The Regex

Using the long message text, we pick out the important information (colored) and create a regular expression pattern, starting with the one we already used in the "unknown" rule:

...

Fill in the new pattern in the "Text to match" field:

Screenshot of regex to matchImage Modified

Counting & Timing

The counting and timing also will be changed a bit:

Screenshot of location of Force separate events for different hosts, applications and match groups.Image Modified


For this kind of event, we want separate events if the match groups ("executing user name" and "affected user name") are different.

...

In the rewriting section, the texts are also adjusted to the newly defined event:

Screenshot of rewrite message text and application enabled.Image Modified


Further Rules and Performance Considerations

We have to create further specific rules as done in the last steps. Here are some things you have to take care of:

  • The first rule that matches will handle the event. All upcoming rules will not be checked at all. Thus, the order of your rules is important. The most common rule (in our case, the "unknown" rule) has to be last.
  • Some rules might be moved up and down independently because they have an explicit pattern or other conditions defined. In that case, put those rules that are used most to the top. This will increase your "rule hit ratio" and, thus, the performance of the Event Console.
  • To further increase the performance, place a dropping rule on the top of your list that drops all events that don't match the syslog facility you have defined in your forwarding rule.

After that, your rule pack should look similar to this:

Screenshot of rule packsImage Modified


Testing these rules by creating and deleting a user on the monitored host results in the following events:

Screenshot of test eventsImage Modified

To get rid of the "unknown" events in-between, we can do two things:

...

  • Create a view that filters out all events coming from the Rule with the ID "WinEvtLog_unknown"

...

...

  • Disable the rule "WinEvtLog_unknown", so those events will be dropped (or archived).


Filter by label (Content by label)
showLabelsfalse
max5
spacesKB
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel in ( "logfile" , "event_console" , "windows" ) and type = "page" and space = "KB"
labelsevent_console windows logfile

...