[Check_mk (english)] Windows host, ignore Winlogon CRIT

Andy isalexandru at gmail.com
Tue Feb 3 13:30:54 CET 2015


I'm using check_mk with OMD on a Linux host.
So far I added 24 agents there...3 of them running Windows Server.

Since I add the agents, I get CRIT/WARN from them. I want to solve the
problem that I currently have before going further.



"CRIT - 302 CRIT messages (Last worst: "Feb 03 12:22:57 0.4625
Microsoft-Windows-Security-Auditing An account failed to log on. Subject:
Security ID: S-1-5-18 Account Name: IP-0A4980D6$ Account Domain: WORKGROUP
Logon ID: 0x3e7 Logon Type: 10 Account For Which Logon Failed: Security ID:
S-1-0-0 Account Name: administrator Account Domain: IP-0A4980D6 Failure
Information: Failure Reason: ...."

"CRIT - 325 CRIT, 2 WARN messages (Last worst: "Feb 03 10:58:24 0.0 sshd The
operation completed successfully.")

Now, from what I understand, reading
http://mathias-kettner.de/checkmk_windows.html , I added the following under 


logwatch_patterns = {
    'Security': [

    # reclassify only on host WIN-edge-001
    ( ["WIN-edge-001"], 'I', 'sshd.*successfully' ),

    # this is for all hosts again
    ( 'I', 'test.*failed' )

Then perform an 
omd restart edge_monitor

However, the messages are still on the webpage. Rescheduling a check is not
changing the CRIT status.

Any advice is appreciated.

More information about the checkmk-en mailing list