Debugging/Analyzing logfile patterns in WATO
Last updated: 18 April 2012
1. The Logfile Pattern Analyzer
Check_MK uses the logwatch module to display results of the monitored logfiles within Multisite. Logwatch displays problematic log lines together with some context lines of the log, so that you get a good view of the current situation described by the logfile.
The states of the individual lines in the logfile are controlled by the sending agent in the first instance. Only lines with problems are sent from the agent to the monitoring host. Details about this process can be found on the dedicated logfile monitoring page.
Since Check_MK version 1.1.2b2 it is possible to completely rewrite the states of the individual log lines sent by the agent using configurations made in WATO. The logfile patterns can be edited using the rule editor (Host/Service Parameters > Parameters for Inventorized Checks > Logwatch Patterns). In this ruleset you can define rules which contain one or several logwatch patterns to rewrite the state of the matching log lines.
Such a rewrite of states can be useful, for example, when a Windows host sends some CRITICAL log messages from the Security log which are not of interest to you. You can then create logfile rules for these lines to rewrite them to OK lines.
Sometimes it is not easy to track down why a logfile pattern does not match, or why a given log line is not being rewritten to the state you want. For this case we created the Logfile Pattern Analyzer.
The Logfile Pattern Analyzer takes one input string, which might be a complete line from your logfile. It then matches this line of text against the existing logfile patterns to show you which of your rules/patterns match the given line and which rule defines the final state of your logs containing this line. Additionally, the Logfile Pattern Analyzer takes a hostname and a service name as input to find the correct collection of logfile rules that apply to this item.
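The kind of answer the analyzer gives can be sketched in a few lines of Python. This is an added example, not Check_MK's own code: it assumes rules are evaluated in order, that the first matching pattern decides the state, and that patterns are matched as regexes anywhere in the line; the rule names, patterns and log lines are constructed.

```python
import re

# Constructed rules, in evaluation order: (rule name, [(state, regex, comment), ...]).
# State letters: C = CRIT, W = WARN, O = OK, I = ignore.
RULES = [
    ("Silence Security log noise", [
        ("O", r"Security.*audit", "broad rewrite to OK"),
    ]),
    ("Escalate authentication problems", [
        ("C", r"logon failure", "failed logons"),
        ("W", r"account locked", "lockouts"),
    ]),
]
SEVERITY = {"I": 0, "O": 0, "W": 1, "C": 2}

def analyze(line, agent_state, rules=RULES):
    """Return (final_state, deciding_match, all_matches) for one log line.

    Assumption: the first matching pattern decides the state; a line that
    matches nothing keeps the state the agent sent.
    """
    matches = [
        (name, regex, state)
        for name, patterns in rules
        for state, regex, _comment in patterns
        if re.search(regex, line)
    ]
    if not matches:
        return agent_state, None, matches
    return matches[0][2], matches[0], matches

def shadowed(matches):
    """Later matches that would have raised the state but never got a say."""
    if not matches:
        return []
    floor = SEVERITY[matches[0][2]]
    return [m for m in matches[1:] if SEVERITY[m[2]] > floor]

if __name__ == "__main__":
    samples = [  # constructed log lines with the state the agent reported
        ("Security: audit failure, logon failure for user alice", "C"),
        ("Application: account locked for user bob", "C"),
        ("System: service restarted", "W"),
    ]
    for line, agent_state in samples:
        state, deciding, matches = analyze(line, agent_state)
        print(f"{agent_state}->{state} by {deciding} shadowed={shadowed(matches)}: {line}")
```

In the first sample the broad OK rewrite for the Security log decides the state before the CRIT pattern for failed logons is consulted, which is the kind of masking worth checking for when a rewrite rule is added.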
1.1. Links from Logwatch
In the current version of the logwatch module an icon is shown before each line of the logfile. Clicking it leads you to the Logfile Pattern Analyzer, with the current context information handed over to the Analyzer. You will see which rule led to the current state of this line.