mk_logwatch: support multiline logs
More and more applications write multiline logs, and it can happen that the search pattern for relevant log lines is spread over several lines.
Therefore mk_logwatch should be extended with a new option "Multiline" which makes it possible to read multiline events as a block, so that the entire event can be searched for a matching pattern.
Comments: 10
02 Sep, '22
Mike1098: Did you try that:
https://stackoverflow.com/questions/587345/regular-expression-matching-a-multiline-block-of-text -
09 Jan, '23
Lars Sörensen: @Mike
Since mk_logwatch reads the file line by line, I'm not sure if that would work. Anyway, I haven't tried it yet. But I think this is too complicated for the ordinary user. -
09 Jan, '23
Lars Sörensen: With the append function you can already append more or less all lines that belong to the same event. For multiline logs this should be done before instead of after the pattern search.
You could use a simple (S)tart and/or (E)nd pattern to indicate where the current Event block starts and/or ends like for the (A)ppend. -
10 Jan, '23
Mike1098: Maybe have a look at:
https://checkmk.com/werk/14550
I agree that the append feature is not well documented.
There is an old documentation available:
https://web.archive.org/web/20160316100057/http://mathias-kettner.de/checkmk_logfiles.html?mwg_rnd=9931125 -
03 Dec, '24
Jan (Merged): Some applications write errors in multiple log lines. With logwatch we got the opportunity to fetch a regex in a single line and also transport context lines before / after.
Sadly, in some cases the messages we fetch are only relevant in case one of the previous or next lines has special information. So we would need to match both pieces of information.
It would be great to have the option to forward all context lines together with the found logwatch pattern to event console as a single line. Maybe with \n or something to identify the end of a line.
That way the existing ec rules can still be used but we will win more flexibility. -
10 Dec, '24
Mohamed Saleh (Admin, Merged): Hi Jan,
Thank you for posting on our Ideas Portal!
We understand the functionality of the idea and why it is important. To give a bit more context, could you provide an example of the most common use cases where such a log message would need to be fetched along with its previous or next lines?
Thanks very much and looking forward to hearing from you!
Warm regards,
Your Checkmk Team -
11 Dec, '24
Lars Sörensen (Merged): We have the same problem: an event should only be reported if ERROR and Keyword occur. The problem is that ERROR is in line 1 and the keyword is only a few lines later (multiline event) in the log file. However, Checkmk has repeatedly refused to support multiline log messages.
-
12 Dec, '24
Jan (Merged): Hi Mohamed, we get this kind of logfile / protocol (I removed all internal info by <...>)
Start of Error:
Line 1: 20241126030045 20241126030045 <Internal Info 1> konvert(k) 02129328
Line 2: 3 Sätze / 1441 Bytes gelesen. <Internal Info 2>
Line 3: durchlauf Archivieren <Internal Info 3>
Internal Info 1 has information on the customer who is affected
Internal Info 2 has the error message
Internal Info 3 has additional Info
So in general it is like we have to search for a combination of Internal Info 1 and 2 to configure who will get the notification.
To get the information to Checkmk we can configure logwatch to search for the error message we get in Internal Info 2. We can then add the context by one line before and after. So we have it readable in Checkmk, but sadly we cannot use the additional context information within the event console.
I hope this is more understandable now. You can contact me per Mail also to discuss it and we update this idea again. -
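The two requests in this thread (Lars: match only when ERROR and a keyword occur in different lines of the same event; Jan: forward the whole event to the Event Console as a single line with "\n" marking line ends) can be illustrated with one small script. This is an added example written for this page, not code from mk_logwatch or Checkmk. It assumes, following the shape of Jan's sample, that every event begins with a line starting with a 14-digit timestamp; the log text, the customer tags (CUST-A etc.) and the message texts are constructed placeholders.

```python
import re

# Constructed sample log modelled on the three-line event Jan describes.
# CUST-* stands in for "Internal Info 1", the text after "gelesen." for
# "Internal Info 2", and the remainder of line 3 for "Internal Info 3".
SAMPLE_LOG = """\
20241126030000 20241126030000 CUST-A konvert(k) 02129300
3 Saetze / 800 Bytes gelesen. OK
durchlauf Archivieren done
20241126030045 20241126030045 CUST-B konvert(k) 02129328
3 Saetze / 1441 Bytes gelesen. ERROR database unreachable
durchlauf Archivieren Keyword: retry exhausted
20241126030100 20241126030100 CUST-C konvert(k) 02129329
3 Saetze / 1200 Bytes gelesen. ERROR timeout
durchlauf Archivieren done
"""

# Assumption for this example: an event (S)tarts at a line that begins with
# a 14-digit timestamp; everything up to the next such line belongs to it.
START_RE = re.compile(r"^\d{14} ")


def split_events(text):
    """Group raw lines into event blocks (lists of lines).

    A new block starts at every START_RE line; lines before the first
    start line form a block of their own so nothing is silently dropped.
    """
    events, current = [], []
    for line in text.splitlines():
        if START_RE.match(line) and current:
            events.append(current)
            current = []
        current.append(line)
    if current:
        events.append(current)
    return events


def match_event(block, patterns):
    """Return True only if every regex in `patterns` matches somewhere in
    the joined block.  Because the block is searched as one string with
    re.MULTILINE, "ERROR" on line 2 and "Keyword" on line 3 both count,
    which a line-by-line search could never combine.
    """
    joined = "\n".join(block)
    return all(re.search(p, joined, re.MULTILINE) for p in patterns)


def to_single_line(block):
    """Flatten a block to one physical line, encoding each line break as
    the two literal characters backslash and 'n', so a downstream consumer
    (e.g. an Event Console rule) can still tell where the original lines
    ended while receiving a single message.
    """
    return "\\n".join(block)


def find_events(text, patterns):
    """All events in `text` matching every pattern, flattened for forwarding."""
    return [to_single_line(b) for b in split_events(text)
            if match_event(b, patterns)]


if __name__ == "__main__":
    # Lars's case: ERROR and the keyword must both occur in one event.
    for ev in find_events(SAMPLE_LOG, [r"ERROR", r"Keyword"]):
        print(ev)
    # Jan's case: which customer (info 1) hit which error (info 2).
    for ev in find_events(SAMPLE_LOG, [r"CUST-B", r"ERROR"]):
        print(ev)
```

Anchoring each pattern to a line within the block (e.g. `^3 Saetze.*ERROR`) still works because of `re.MULTILINE`; the flattened output, by contrast, contains no real newlines, so a rule on the receiving side should look for the literal `\n` separator rather than `^`/`$`.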
19 Dec, '24
Mohamed Saleh (System): "Possibility to forward logwatch context to event console" (suggested by <Hidden> on 2024-12-03), including upvotes (2) and comments (4), was merged into this suggestion.