...
Getting Started
Background information regarding this subject is available on our:
Checkmk Rules needed
Configuring the Checkmk Agent
...
The "Outcome & Action" section can remain unchanged, but in the "Counting & Timing" section, we have two definitions:
The counting is done based on the hostname and the application. Forcing separate events for different match groups makes no sense here because the message text is stored in group 3, and as we all know, these texts sometimes contain IDs, timestamps, and similar unique strings.
...
In the Rewriting section, we can adjust the message text, application, and other variables that will be shown in the event views:
The message text will be replaced using the groups from above:
...
Clone the "unknown" rule and modify the following fields:
The Regex
Using the long message text, we pick out the important information (colored) and create a regular expression pattern, starting with the one we already used in the "unknown" rule:
...
Fill in the new pattern in the "Text to match" field:
Counting & Timing
The counting and timing settings are also changed a bit:
For this kind of event, we want separate events if the match groups ("executing user name" and "affected user name") are different.
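Added example (not from the original page and not Checkmk's own code): a small Python simulation of the two counting choices described above, the "unknown" rule counted per hostname and application and the user rule with separate events per match group. The patterns, the sample messages and the `count_events` helper are constructed for illustration, and the timing window is left out.

```python
import re
from collections import Counter

# Constructed sample: (host, application, message text). Not real log data.
SAMPLE = [
    ("srv01", "Security", "AUDIT 101 account created: actor=alice target=bob ref=0x1a2b"),
    ("srv01", "Security", "AUDIT 101 account created: actor=alice target=bob ref=0x9f00"),
    ("srv01", "Security", "AUDIT 102 account deleted: actor=alice target=carol ref=0x77c1"),
    ("srv01", "Security", "AUDIT 102 account deleted: actor=dave target=bob ref=0x0042"),
]

# Hypothetical patterns; the page's real expressions are not reproduced here.
# Catch-all rule: group 3 holds the free message text, as on the page.
UNKNOWN_RULE = re.compile(r"^(\w+) (\d+) (.*)$")
# Specific rule: groups are "executing user name" and "affected user name".
USER_RULE = re.compile(r"account (?:created|deleted): actor=(\S+) target=(\S+)")


def count_events(messages, pattern, separate_match_groups):
    """Simulate event counting: messages sharing a key collapse into one
    event whose value is the count. Host and application are always part
    of the key; match groups only when separate_match_groups is set.
    The counting time window is ignored in this sketch."""
    events = Counter()
    for host, application, text in messages:
        match = pattern.search(text)
        if match is None:
            continue  # rule does not apply to this message
        key = (host, application)
        if separate_match_groups:
            key += (match.groups(),)
        events[key] += 1
    return events


if __name__ == "__main__":
    runs = [
        ("unknown rule, host+application", UNKNOWN_RULE, False),
        ("unknown rule, separate match groups", UNKNOWN_RULE, True),
        ("user rule, separate match groups", USER_RULE, True),
    ]
    for label, pattern, separate in runs:
        events = count_events(SAMPLE, pattern, separate)
        print(f"{label}: {len(events)} event(s)")
        for key, count in events.items():
            print(f"  count={count} key={key}")
```

With the catch-all pattern, the unique `ref=` value inside group 3 makes every message its own event as soon as match groups are part of the key, while the user rule still aggregates repeated actions by the same pair of users.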
...
In the rewriting section, the texts are also adjusted to the newly defined event:
Further Rules and Performance Considerations
...
After that, your rule pack should look similar to this:
Testing these rules by creating and deleting a user on the monitored host results in the following events:
To get rid of the "unknown" events in between, we can do two things:
...