[Check_mk (english)] Windows Event Log Logwatch - Messages do not match?

Andreas Döhler andreas.doehler at gmail.com
Wed Oct 14 20:30:05 CEST 2015


That is no bug, it is working as intended from the Windows side. In your last
paragraph it already shows the right direction: every log source has its
own set of messages and corresponding event IDs. These messages are stored
inside DLL files and the check_mk agent tries to find and browse these files
to get the right message. If the pair of log source and DLL file is not
stored the right way inside the registry then we get these false messages. Your
last test was not found inside the DLL and it shows you the original text
you submitted.

I hope this is understandable :) A little bit more information can be found
inside the agent source, with links to the Microsoft documentation.

Best regards
Andreas

Duane, Brad <Brad.Duane at eberspaecher.com> schrieb am Mi., 14. Okt. 2015,
17:53:

> The content of the event log entries sent by the Check_MK agent often does
> not seem to match the actual event. I noticed this first where the content
> sent by the agent was very different from what appeared in the actual event
> log as viewed from the Windows Event Viewer. Then I did some testing:
>
> From powershell, I generated an event using the following two commands:
>
> New-EventLog -LogName Application -Source "logwatch_test"
>
> Write-EventLog -LogName Application -Source "logwatch_test" -EntryType
> Error -EventID 5 -Message "This is a test error generated from powershell"
>
> Immediately after generating the event, I ran on the check_mk server:
> cmk -d myserver | fgrep -A 20 "<<logwatch>>"
>
> The relevant output:
>
> <<<logwatch>>>
> [[[Application]]]
> C Oct 14 11:32:51 0.5 logwatch_test Access is denied.
>
> So, where is this "Access is denied" coming from? I checked the full XML
> view of the event in the Windows Event Viewer, and I don't see this message
> anywhere. I did some more testing, generated a new event, changing only the
> event ID:
>
> Write-EventLog -LogName Application -Source "logwatch_test" -EntryType
> Error -EventID 4 -Message "This is a test error generated from powershell"
>
> And I get the following from the agent:
>
> <<<logwatch>>>
> [[[Application]]]
> C Oct 14 11:37:38 0.4 logwatch_test The system cannot open the file.
>
> Again, now I tried Event ID 3:
>
> <<<logwatch>>>
> [[[Application]]]
> C Oct 14 11:38:27 0.3 logwatch_test The system cannot find the path
> specified.
>
> But then, I tried with a random event ID of 512, and the check_mk agent
> actually did report my custom message:
>
> <<<logwatch>>>
> [[[Application]]]
> C Oct 14 11:43:01 0.512 logwatch_test This is a test error generated from
> powershell
>
> I'm a little bit lost at this inconsistent behavior; is this a bug with
> the agent? At first, before I saw the message being passed through, my theory
> was that the agent completely ignored everything other than the source log,
> event ID, and severity level, and I thought the agent was generating some
> message based on the Event ID... however this approach would be flawed
> because Event IDs are not globally unique; event IDs are only unique to a
> source, and different sources (applications) can use the same EventID and have
> them mean completely different things.
>
> *Brad Duane*
> _______________________________________________
> checkmk-en mailing list
> checkmk-en at lists.mathias-kettner.de
> http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en
>
> We’ll meet in Munich for the 2nd Check_MK Conference!
> Book your place now and be part of it.
> October 18th-20th, 2015
> http://mathias-kettner.com/conference
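As an added diagnostic for the behaviour discussed in this thread (not code from the thread or from the Check_MK agent), the following PowerShell script shows, for the logwatch_test source, the registry pairing of log source and message DLL that Andreas describes, the message as Windows itself renders it next to the raw string stored in the event, and the system error text for the same numeric ID, so one can tell whether a tool's output came from the source's DLL or from the system message table. The log name, source and event IDs are the ones from Brad's tests; the registry path and cmdlets are standard Windows ones.

```powershell
# Added diagnostic, not code from the thread or from the Check_MK agent.
# Defaults are the log, source and event IDs used in the thread.
param(
    [string]$LogName  = 'Application',
    [string]$Source   = 'logwatch_test',
    [int[]] $EventIds = @(3, 4, 5, 512)
)

# (1) Where the registry tells readers to look for this source's message strings.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
if (Test-Path $key) {
    $msgFile = (Get-ItemProperty -Path $key).EventMessageFile
    "Registered EventMessageFile for '$Source': $msgFile"
    if ($msgFile) {
        # The value may list several DLLs and use %SystemRoot%; check each one exists.
        foreach ($f in ($msgFile -split ';')) {
            $path = [Environment]::ExpandEnvironmentVariables($f)
            "  {0}  exists: {1}" -f $path, (Test-Path $path)
        }
    }
} else {
    Write-Warning "'$Source' has no key under $LogName; no message DLL is registered for it."
}

foreach ($id in $EventIds) {
    # (2) Most recent event with this ID from the source, as Windows renders it,
    #     next to the raw insertion string stored in the event (Properties[0]
    #     holds the -Message text for events written with Write-EventLog).
    $ev = Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source; Id = $id } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    $rendered = '<no event found>'
    $stored   = '<no event found>'
    if ($ev) {
        $rendered = $ev.Message
        $stored   = $ev.Properties[0].Value
    }
    # (3) The system message table entry for the same number (Win32 error code).
    #     If a tool prints this text instead of the stored string, it resolved
    #     the event ID against the system table rather than the source's DLL.
    $sysText = (New-Object System.ComponentModel.Win32Exception($id)).Message
    [pscustomobject]@{
        EventId        = $id
        RenderedByWin  = $rendered
        StoredString   = $stored
        SystemErrorTxt = $sysText
    }
}
```

Run it in an elevated PowerShell on the monitored host after the Write-EventLog commands from the thread; for each ID compare the agent's logwatch line with the StoredString and SystemErrorTxt columns.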