# ================================================================================================================================ # mk_logwatch.cfg # This file configures mk_logwatch. # ================================================================================================================================ # Documentation/Examples: # https://github.com/tribe29/checkmk/blob/master/agents/cfg_examples/logwatch.cfg # https://linuxthrill.blogspot.com/2016/04/how-checkmk-monitors-logfiles.html # # Parameter examples: # --------------------------- # I = Informational # W = Warning # C = Critical # # nocontext=1/0/True/False/Yes/No # maxlines=1000 # maxtime=3 # overflow=W/C/I # maxlinesize=2000 # maxfilesize=400 # maxoutputsize=500000 # maxcontextlines=3,4 # encoding=utf-16/utf-16be/utf-8 # fromstart=True/False # # mk_logwatch.pylint # ----------------------------- #class Options(object): # pylint: disable=useless-object-inheritance # """Options w.r.t. logfile patterns (not w.r.t. cluster mapping).""" # MAP_OVERFLOW = {'C': 2, 'W': 1, 'I': 0, 'O': 0} # MAP_BOOL = {'true': True, 'false': False, '1': True, '0': False, 'yes': True, 'no': False} # DEFAULTS = { # 'encoding': None, # 'maxfilesize': None, # 'maxlines': None, # 'maxtime': None, # 'maxlinesize': None, # 'regex': None, # 'overflow': 'C', # 'nocontext': None, # 'maxcontextlines': None, # 'maxoutputsize': 500000, # same as logwatch_max_filesize in check plugin # 'fromstart': False, # } # # The options have the following meanings: #================================================ #maxlines (2) the maximum number of new log messages that will be parsed in one turn in this logfile # #maxtime (2) the maximum time in seconds that will be spent parsing the new lines in this logfile # #overflow (1) When either the number of lines or the time is exceeded, an artificial logfile message # will be appended, so that you will be warned. The class of that message is C by default, # but you can also set it to W or I. 
Setting overflow=I will silently ignore any succeeding # messages. If you leave out this option, then a C is assumed. # #nocontext This option can be used to disable processing of context log messages, which occur together # with a pattern matched line. To disable processing, add nocontext=1 as option. # # #maxcontextlines https://lists.mathias-kettner.de/pipermail/checkmk-commits/2019-November/030352.html # If the plugin mk_logwatch is configured to send context along with found messages, # the amount of data can become quite large. This werk adds the option of limiting # the context given for every warning or critical message to a given number of lines # before and after the message. For instance, to limit the context to 3 lines before # and four lines after the message, set the option "maxcontextlines=3,4". # # #maxlinesize The maximum number of characters that are processed of each line of the file. If a line is # longer than this, the rest of the line is truncated and the word [TRUNCATED] is # appended to the line. You can filter for that word in the expressions if you like. # #maxfilesize The maximum number of bytes the logfile is expected to be in size. If the size is exceeded, # then an artificial logfile message with the classification W is created once. The text # of this warning will be: Maximum allowed logfile size (12345 bytes) exceeded. You cannot do # any classification of this line right in the configuration of the plugin. If you need a # reclassification then please do this on the Check_MK server. # #maxoutputsize the value of 500000 has been the same in both cases; maxoutputsize limits the bytes that are sent by a single execution of the plugin # #fromstart https://lists.mathias-kettner.de/pipermail/checkmk-commits/2019-July/027904.html # process new files from the beginning # If a new logfile is found we usually skip to its end to avoid processing ancient log messages. 
# You can now configure mk_logwatch to start processing the file from the beginning and see all # messages that may already be present. # # To enable this behaviour, either set the corresponding flag in the agent bakery rule, or add # 'fromstart=True' to your configuration file. # # #Note (1): when the number of new messages or the processing time is exceeded, the non-processed new log # messages will be skipped and not parsed even in the next run. That way the agent always keeps # in sync with the current end of the logfile. From that follows that you might have to manually # check the contents of the logfile if an overflow happened. We propose leaving the overflow level set to C. # With overflow=I the skipped lines are dropped without any notice, so avoid it for logfiles you rely on for alerting. #Note (2): It is not necessary to specify both maxlines and maxtime. It is also allowed to specify only one # limit. The default is not to impose any limit at all. #----------------------------------------------------------------------------------------------------------------------- #/var/log/foobar.log maxlines=10000 maxtime=3 overflow=W nocontext=True # C critical.*error # W warning.*something # I ignore.*some.*thing # O ok.*rest # ================================================================================================================================ # Copyright (C) 2019 tribe29 GmbH - License: GNU General Public License v2 # This file is part of Checkmk (https://checkmk.com). It is subject to the terms and # conditions defined in the file COPYING, which is part of this source code package. # logwatch.cfg # This file configures mk_logwatch. Define your logfiles # and patterns to be looked for here. # Name one or more logfiles, and the options to be applied (if any) # Patterns are indented with one space and are prefixed with: # C: Critical messages # W: Warning messages # I: ignore these lines (OK) # R: Rewrite the output of the previous match. You can use \1, \2 etc. to # refer to groups (.*) of this match # The first match decides. 
Lines that do not match any pattern # are ignored "/var/log/messages" maxlinesize=1024 encoding=utf-8 C Fail event detected on md device I mdadm.*: Rebuild.*event detected W mdadm\[ W ata.*hard resetting link W ata.*soft reset failed (.*FIS failed) W device-mapper: thin:.*reached low water mark C device-mapper: thin:.*no free space C Error: (.*) "/var/log/mysql/error.log" W Warning C ERROR C mysqld_safe mysqld from pid file /var/run/mysql/mysqld.pid ended #"/var/log/mysql/slow.log" # W .*