Ep. 38: Monitoring von Windows-Event-Logs und benutzerdefinierter Log-Dateien mit Checkmk
[0:00:00] | Today we start monitoring event logs and custom log files on Windows. |
[0:00:13] | Welcome to the Checkmk Channel. Today we are taking a look at how to monitor the Windows event log and custom log files. |
[0:00:20] | Monitoring the Windows event log is quite easy because the Windows agent actually collects all the default event logs from Windows and sends them to the Checkmk server. |
[0:00:31] | But I'm going to show you how to handle them properly or how to direct them into the right direction to be able to monitor them. |
[0:00:40] | Additionally, we will take a quick look at how to monitor custom log files that are not within the Windows event console. So, let's take a look at how we can configure this. |
[0:00:50] | So, right now we are looking at a typical Windows server that has been outfitted with the Checkmk agent, and we can already see some log services here. |
[0:01:00] | So, these come by default. The agent by default collects a certain set of messages from the Windows event log and reports them to Checkmk. |
[0:01:09] | And for example, here we see the Security Log, which already contains 99 critical messages, and there's a lot of stuff going on here. No idea what's going on there, but there's a lot of information. |
[0:01:21] | So, this is the default way Checkmk handles Windows log files, but it's not really a nice way to work with this because most of the time the messages are irrelevant. |
[0:01:30] | Because in Windows, a lot of messages are logged as critical or warning as opposed to other operating systems. |
[0:01:37] | So, you want to filter this information to a certain degree. As you can see now, we are already up to 108 critical messages, so either something's going on or nothing going on. |
[0:01:50] | So, what we do recommend in general is to direct all the log messages from the Windows event log that we get to the event console. |
[0:01:58] | There's a dedicated video on that topic, which you will find in the video description. |
[0:02:04] | And that enables you to have all the log messages in a single place, and there you can very efficiently filter those messages, so make sure you only get those that are relevant for you and that you want to see. |
[0:02:15] | To do that, we go to the Setup menu and search for the term 'forward'. And there we find the rule says Logwatch Event Console Forwarding. |
[0:02:28] | So, I'm gonna go there, add a rule. And I only need to say Forward Messages to Event Console. |
[0:02:35] | The defaults are fine, we don't need to change anything here in the first step. So, I'm just going to save this rule. |
[0:02:43] | And what happens now if I go to the Windows host to the service discovery, I will find that these log services we saw earlier vanished and we get one new service called Log Forwarding, which already tells us that it forwarded seven messages from the security log. |
[0:03:05] | So, in the first step, this simply makes your log monitoring easier because you only have one service that's really just informational telling you how many log messages have been forwarded. |
[0:03:18] | Now let's enable that here. And starting with this activation, all messages fetched by the agent will be forwarded to the event console. |
[0:03:28] | As you can see there are already quite some events in the event console because in preparation of this video, I already enabled the rule set we just enabled. |
[0:03:36] | And there we see there's quite a lot going on, but by default, no messages at all will be visible in the event console or better put no events will be visible in the event console because you need to create a rule for that. |
[0:03:54] | For this example, I created a rule that catches all the messages and depicts them here. We're not going to dive into that in detail because that's done in a specific video, but this is the way you would handle Windows event messages by default. |
[0:04:08] | So, now we also want to take a look at how to monitor custom log files because not all applications log to a Windows event log. |
[0:04:17] | So, let's take a look at that rule. We go to the Setup menu again, we search for log files. |
[0:04:27] | There we find an agent rule which is called Text logfiles. And if we add that rule, there are several options. |
[0:04:37] | The bare minimum that we need to do is to configure a log file section and to provide the path to a log file. |
[0:04:44] | I look something up, I have no idea what's logged in here, but it's a custom log file which is not available in the event console. And that's everything that you need to do to get this started. |
[0:04:55] | There's a lot of options which you can dive into, but by default, we stick with the settings to be able to just fetch the files. |
[0:05:03] | And of course, after activating changes, we need to bake agents. And then update the agent on the Windows system. |
[0:05:20] | So, that's that. And now after we install this updated agent package on the Windows host, it will send the messages from this custom log file to the Checkmk server. |
[0:05:29] | But there is no change in the services of that host because if we take another look, the rule that we enabled before that forwards all the messages to the event log, to the event console shows up here as this Log Forwarding service. |
[0:05:44] | And that's really all there is. So, the messages will go through the service, to the event console. |
[0:05:48] | And as discussed earlier, there you have all the power to filter those events and see whatever you need there. |
[0:05:56] | So, you saw monitoring event log and custom log files on Windows is quite easy. It's very few rules. It's very simple to implement. |
[0:06:03] | The really interesting part starts after you fetch those messages because then you have to understand what's going on there and to see, depending on your use case, what you actually want to see in the event console afterwards. |
[0:06:16] | So, that concludes the video for today. Thank you guys so much for watching. Be sure to subscribe and I will see you around. |
Wollen Sie mehr über Checkmk erfahren? Dann nehmen Sie an unserem Webinar "Einführung in Checkmk" teil!