[Check_mk (english)] logwatch - Log Application
LTost at armada.net
Wed Jul 20 17:24:00 CEST 2016
What client version are you using? I'm pretty sure logwatch is broken in the 1.2.8p4 Windows client.
Here is my proof. We have a SQL job that fails intentionally and logs to the Application event log. Using the 1.2.6p16 Windows client, and forwarding the logs to the event console, I set up a rule to match anything. Here is what I see with 1.2.6p16:
"Jul 19 19:57:27 16384.208 SQLSERVERAGENT SQL Server Scheduled Job 'DBS - Priority 1: Test Job' (0xFDF3AAEFE027924B99E4489D37E1459B) - Status: Failed - Invoked on: 2016-07-19 19:57:27 - Message: The job failed. The Job was invoked by User monitor. The last step to run was step 1 (Test Step)."
Next, I upgraded the Windows agent to 1.2.8p4. This was the only change I made. The same event console rule matched and showed me the content as this:
"Jul 19 19:52:50 16384.208 SQLSERVERAGENT SQL Server Scheduled Job 'DBS - Priority 1: Test Job' (DBS - Priority 1: Test Job) - Status: DBS - Priority 1: Test Job - Invoked on: DBS - Priority 1: Test Job - Message: DBS - Priority 1: Test Job"
Something is wrong with the way the new agent is parsing the event log. My rule originally matched and alerted on 'Status: Failed' which is how I found this problem - that string is not found in what the new agent returns.
From: checkmk-en-bounces at lists.mathias-kettner.de [mailto:checkmk-en-bounces at lists.mathias-kettner.de] On Behalf Of Oliver O'Boyle
Sent: Tuesday, July 19, 2016 4:49 PM
Subject: [Check_mk (english)] logwatch - Log Application
How are these descriptions determined? The following is what I see in cmk:
Jul 19 16:00:04 0.2137 Microsoft-SharePoint_Products-SharePoint_Foundation The Workstation service is in an inconsistent state. Restart the computer before restarting the Workstation service.
But this is what is actually in the Windows log:
The SharePoint Health Analyzer detected an error. Drives are running out of free space.
Available drive space is less than twice the value of physical memory. This is dangerous because it does not provide enough room for a full memory dump with continued operation. It also could cause problems with the Virtual Memory swap file: (VEEAM-SRV - C:\).
Examine the failing servers and delete old logs or free space on the drives. For more information about this rule, see "http://go.microsoft.com/fwlink/?LinkID=142688".
Event ID: 2137
Director, IT * Atlific Hotels
250 Saint-Antoine W., Suite 400 Montreal, Quebec H2Y 0A3
T: 514.509.5545 C: 514.608.8533 F: 514.509.5498
ooboyle at atlific.com www.atlific.com
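Added example, not part of the original thread and not Check_MK code: a canary check to run on forwarded event-console text after an agent upgrade. It flags the symptom shown in the reply above, where every field repeats the job name and a rule on 'Status: Failed' silently stops matching. The regex layout and the function name `classify` are assumptions derived from the two lines quoted in the message.

```python
import re
from datetime import datetime

# Field layout inferred (assumption) from the SQL Server Agent line in the thread.
JOB_RE = re.compile(
    r"SQL Server Scheduled Job '(?P<job>[^']*)' \((?P<job_id>.*?)\) - "
    r"Status: (?P<status>.*?) - Invoked on: (?P<invoked>.*?) - "
    r"Message: (?P<message>.*)$"
)

# The two event-console lines quoted in the message above.
LINE_1_2_6P16 = (
    "Jul 19 19:57:27 16384.208 SQLSERVERAGENT SQL Server Scheduled Job "
    "'DBS - Priority 1: Test Job' (0xFDF3AAEFE027924B99E4489D37E1459B) - "
    "Status: Failed - Invoked on: 2016-07-19 19:57:27 - Message: The job "
    "failed. The Job was invoked by User monitor. The last step to run was "
    "step 1 (Test Step)."
)
LINE_1_2_8P4 = (
    "Jul 19 19:52:50 16384.208 SQLSERVERAGENT SQL Server Scheduled Job "
    "'DBS - Priority 1: Test Job' (DBS - Priority 1: Test Job) - Status: "
    "DBS - Priority 1: Test Job - Invoked on: DBS - Priority 1: Test Job - "
    "Message: DBS - Priority 1: Test Job"
)

def classify(line):
    """Return 'ok', 'unparsed', 'collapsed:<fields>' or 'malformed:<field>'."""
    m = JOB_RE.search(line)
    if not m:
        return "unparsed"
    f = m.groupdict()
    # Symptom from the thread: later fields all carry the job name again.
    repeated = [k for k in ("job_id", "status", "invoked", "message")
                if f[k] == f["job"]]
    if repeated:
        return "collapsed:" + ",".join(repeated)
    if not re.fullmatch(r"0x[0-9A-Fa-f]+", f["job_id"]):
        return "malformed:job_id"
    try:
        datetime.strptime(f["invoked"], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return "malformed:invoked"
    return "ok"

if __name__ == "__main__":
    for name, line in (("1.2.6p16", LINE_1_2_6P16), ("1.2.8p4", LINE_1_2_8P4)):
        print(name, classify(line))
```

Any verdict other than `ok` on a deliberately failing test job means alert rules that match on message text should not be trusted until the agent output is fixed.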