Ep. 22: Monitoring logfiles with Checkmk
[0:00:00] | Hello, my name is Bastian. And today I'm going to show you how to monitor log files. |
[0:00:16] | The logwatch plugin works for Unix and Windows. But only difference is on Windows you're going to get the event logs, while on Unix systems to configure your own log files. |
[0:00:30] | Of course, you can monitor your own log files also on windows. But technically speaking, it's not log watch behind. Let's look into the configuration. |
[0:00:41] | From Setup, we go into the part Agents, which is basically the ancient bakery. And even we don't use the roll out feature of the ancient bakery, we're going to use it to download the agent manually. |
[0:01:00] | Therefore, we change to Agent rules and filter for log. There we have text log files which we can use for Linux, Unix in general and for Windows. |
[0:01:22] | We create a new rule. Everything is like we know from the rule-based configuration system. We basically need to decide that we want to deploy the plugin. And we need to set the default configuration. |
[0:01:45] | That means we need to specify the log files we want to monitor. We can do, of course, multiple of them. |
[0:02:06] | And finally, we need to add some patterns. For example, we want to have everything starting with error and other stuff starting with warning. |
[0:02:31] | This, of course, are only examples for me to show you to plug in. Normally, you would add the patterns you want to monitor from your log files here. Now we just need to save it. |
[0:02:47] | Go back to the agents. Click to Bake agents. Now it takes some seconds. |
[0:03:03] | And finally, we can download our installation package with the agent and the log file plugin. Then let's install the new agent. At first, I need to copy this agent to my server. |
[0:03:32] | Then I need to log on to this server and install it. If the encryption node is enabled, I can do a quick test and can even see in the output that I get information about at least one log file. Next step is we do the discovery. |
[0:04:10] | Since we added this new plugin, we need to discover it, of course, for our host. For that, I can directly use this icon. |
[0:04:22] | This saves me some clicks if I just go to edit and then to the services. It's basically one click more. Checkmk already found my syslog here. |
[0:04:34] | I'm using Fix all to add it and I'm gonna activate my changes. Let's open my host. The new server is still expanding. I'm not patient so I trigger it for not waiting. |
[0:05:04] | No error messages yet. But let's change that. Back to the command line. For testing, I know I'm gonna generate some log events. I'm gonna use the tool logger for that and I remember my pattern with error Something wrong. |
[0:05:33] | And that's it. Already, I can double check it in the log file. There we have it. And the next should be Checkmk to find it. |
[0:05:52] | There it is. One error, one critical message. And what we now need to do is to open the burger menu here. Go to Open log and we can see our log file. |
[0:06:12] | To get a new notification,. the next thing we need to do is to click Clear log. And now Checkmk is ready to receive new errors. |
[0:06:27] | One little thing you need to know if you monitor Windows, you're gonna get all the event logs of Windows. And since you can't configure patterns on the windows agent for the event log, you are able to configure log file patterns also in the Setup. |
[0:06:44] | I'm going to show you how. We go into Setup. We search for log file and we're going to find log file patterns. These are normal rules, which you can create in folders, which you can assign to hosts or even to log files. |
[0:07:06] | And here you can add patterns to reclassify the messages you get from the agent. For example, I can say, if something starts with Test, it should be OK. But it's something with error again. |
[0:07:27] | For the example, it should be critical. I'm going to save that. And now another little helper comes in handy, it's the pattern analyzer. |
[0:07:41] | With this analyzer, you can test your rules. So, you can copy your log file line to here, for example, a line like "Test is good". Try out and you're going to see that this line will match. "Error is bad". Try out. |
[0:08:06] | And you see this line is going to match. This comes especially in handy with the windows syslogs. There you cannot change the patterns on the agent side so you need to do it here. |
[0:08:21] | And a little tip, if you want to add patterns for Windows log files, best would be to use the IDs which you're going to see on the front of the log message. A little thing here about the IDs I want to show. If you build a rule, say, I want to ignore the ID like 0815. |
[0:08:49] | And I'm going to save it. I go back to the analyzer and I'm going to test 0815. It works. But, since we have a regex, also this part will match. |
[0:09:08] | So therefore, a little extra tip: use the power of regex and just add an empty sign at the back and maybe in case of the syslogs from windows even in the front. Because normally you're gonna have text in front. And another little helpful part is the comment section here. |
[0:09:35] | If you just have numbers for the patterns in a year, you don't gonna know what this number even means. So, I would recommend also adding a comment here. So,we save it again, back to the analyzer. |
[0:09:50] | I try again white space in this case, or "something <number> else'. Try out. We have a match. Now we add the six here and don't have a match anymore. That's it for the logfile monitoring. |
[0:10:12] | I hope you enjoy it and see you in the next video. |
Want to know more about Checkmk? Join us for our Introduction to Checkmk Webinar