We use cookies to ensure that we give you the best experience on our website.  Visit our Privacy Policy to learn more. If you continue to use this site, we will assume that you are okay with it.

Your choices regarding cookies on this site.
Your preferences have been updated.
In order for the changes to take effect completely please clear your browser cookies and cache. Then reload the page.

Analyzing logfile patterns in WATO

Checkmk Manual

Related articles

Search in the manual

This is the old documentation.
You can find the shiny new documentation here, which is replacing over time this one.
Thus, this article is obsolete and may be not valid anymore - however, the new one is not finished yet!

1. The Logfile Pattern Analyzer

Checkmk uses the logwatch module to display results of the monitored logfiles within Multisite. Logwatch displays problematic loglines including some context lines of the log to be able to get a good view on the current situation stated by the logfile.

The states of the single lines in the logfile are controlled by the sending agent in first instance. Only lines with problems are sent from the agent to the monitoring host. Details about this progress can be found on the dedicated logfile monitoring page.

Since Checkmk version 1.1.2b2 it possible to completely rewrite the states of the single log lines sent by the agent using configurations made in WATO. The logfile patterns can be edited using the rule editor (Host/Service Parameters > Parameters for Inventorized Checks > Logwatch Patterns). In this ruleset you can define rules which contain one or several logwatch patterns to rewrite the state of the matching loglines.

Such a rewrite of states can e.g. be useful when a Windows host sends some CRITICAL log messages about the Security log which is not interesting for you. You can then create logfile rules for these lines to rewrite them to be OK lines.

Sometimes it is not very easy to track the reason why a logfile pattern does not match or why a given logline is not being rewritten to the state you want it to be. For this case we created the Logfile Pattern Analyzer.

The Logfile Pattern Analyzer takes one input string which might be a complete line from your logfile. Then it matches this line of text against the existing logfile patterns to show you which of your rules/paterns matches the given line and which rules defines the final state of your logs containing this line. Addinionally the Logfile Pattern Analyzer takes takes an hostname and service name as input to find the correct collection of applying logfile rules for this given item.

Using the Logfile Pattern Analyzer you should be able to track down problems with your rules or patterns much more easily.

1.1. Links from Logwatch

In the current version of the logwatch module there is an icon shown before each line of logfile. You can click on it. This will lead you to the Logfile Pattern Analyzer with the current context information handed over to the Analyzer. You will see which rule lead to the current state of this line.