Logwatch: Windows Event Log: Auto-Remove Log entries after X days
We use the checkmk agent on Windows Server. The agent has the logwatch plugin builtin, to monitor the Windows event logs.
That is a good plugin, but it needs some more rulesets to define and control the monitoring.
The problem with that cmk service is that the log service stores everything and does not remove old events. We always have to go into the service, click on "Clear Log" and remove that old information.
The following feature would be nice: a new ruleset that automatically removes old log entries.
There is the ruleset "Logfile patterns" to manage Logwatch. A new ruleset could set the time for auto removal. For example, if we create a rule that entries are deleted after 14 days, each entry which is older than 14 days is automatically removed.
Comments: 4
24 Jan '23
Ralf Spenner: We had nearly the same issue when starting with logwatch. When logwatch detects an error in a logfile, this error remains until the logfile has been removed from the Checkmk host(s), even if the error is not present anymore.
So we created a small bash script which is able to clear all logfiles in a given logwatch path. With an entry in /etc/crontab which starts the script every night (or in different time ranges if you want), all logwatch files are cleared and you get only new alerts (or the same alert if the error is still present).
20 Apr
Scotsie: As an addition to this suggestion, could the CheckMK server-side 'remove logs' rules include regex matching abilities for the retention policy setting? Similar to how the logwatch pattern matching rules allow modification of states, set a retention policy of N days/weeks associated with a regex match.
For example:
Retention value | regex
----------------|--------------------------------------------------------
14 days         | ^.*\[WRN\]\s+\[sipsorcery\].*attempt (?:1[1-9])\.
30 days         | ^.*\[WRN\]\s+\[sipsorcery\].*attempt (?:2[1-9])\.
And if nothing matches, lines remain until cleared.
For other use cases, I guess a .* match could handle the global cleanup.
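Neither the nightly clear-all cron job described in the first comment nor the regex-based retention table proposed in the second exists as a Checkmk ruleset today, but both can be approximated with a small script run from the site user's crontab. The following Python script is an added example written for this page; it is not Checkmk code and not the script either commenter posted. It assumes the logwatch spool files live under LOGWATCH_DIR/<host>/<logfile> (the OMD path `~/var/check_mk/logwatch` is an assumption you should verify on your site), one entry per line, and that each entry carries a timestamp matching TIMESTAMP_RE. The sample lines are constructed test data, and the sipsorcery patterns are taken from the comment above. The rules are evaluated top to bottom, first match wins; a line with no matching rule falls back to DEFAULT_RETENTION_DAYS, which is None ("keep until cleared") as the comment suggests, and setting it to 0 or appending a `.*` rule gives the clear-everything behaviour of the cron job.

```python
"""Regex-based retention for Checkmk logwatch spool files (added example, not Checkmk code).

Assumptions (verify on your site):
  * spool files live at LOGWATCH_DIR/<host>/<logfile>, one entry per line
  * each entry contains a timestamp matching TIMESTAMP_RE / TS_FORMAT
Entries whose timestamp cannot be parsed are never deleted: a retention
script must fail safe, not silently throw away alerts it cannot date.
"""
import re
from datetime import datetime, timedelta
from pathlib import Path

# Assumed OMD site path; run this as the site user.
LOGWATCH_DIR = Path("~/var/check_mk/logwatch").expanduser()

# (compiled regex, retention in days); first matching rule wins.
# Patterns taken from the comment above. None means "keep until cleared".
RULES = [
    (re.compile(r"^.*\[WRN\]\s+\[sipsorcery\].*attempt (?:1[1-9])\."), 14),
    (re.compile(r"^.*\[WRN\]\s+\[sipsorcery\].*attempt (?:2[1-9])\."), 30),
]
DEFAULT_RETENTION_DAYS = None  # 0 would reproduce "clear everything every night"

# Assumed timestamp layout inside each entry (constructed for this example).
TIMESTAMP_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample entries: a logwatch state letter, then the original log line.
SAMPLE_LINES = [
    "W 2023-04-01 08:00:00 [WRN] [sipsorcery] Registration attempt 12.",  # 19 days old, 14-day rule
    "W 2023-04-10 08:00:00 [WRN] [sipsorcery] Registration attempt 15.",  # 10 days old, 14-day rule
    "W 2023-03-01 08:00:00 [WRN] [sipsorcery] Registration attempt 25.",  # 50 days old, 30-day rule
    "W 2023-04-01 08:00:00 [WRN] [sipsorcery] Registration attempt 25.",  # 19 days old, 30-day rule
    "C 2022-01-01 00:00:00 [ERR] [db] connection lost",                    # no rule: kept until cleared
    "W [WRN] [sipsorcery] Registration attempt 12.",                       # rule matches, no timestamp
]
FIXED_NOW = datetime(2023, 4, 20, 12, 0, 0)  # fixed clock so the demo is reproducible


def retention_for(line):
    """Return the retention in days for an entry, or None to keep it indefinitely."""
    for pattern, days in RULES:
        if pattern.search(line):
            return days
    return DEFAULT_RETENTION_DAYS


def entry_time(line):
    """Parse the entry timestamp, or return None when no timestamp is found."""
    match = TIMESTAMP_RE.search(line)
    if match is None:
        return None
    return datetime.strptime(match.group(1), TS_FORMAT)


def is_expired(line, now):
    """True only when a rule applies, the entry is datable and older than the retention."""
    days = retention_for(line)
    if days is None:
        return False
    stamp = entry_time(line)
    if stamp is None:
        return False  # fail safe: undatable entries are kept
    return now - stamp > timedelta(days=days)


def prune_lines(lines, now):
    """Return the entries that survive the retention rules."""
    return [line for line in lines if not is_expired(line, now)]


def prune_file(path, now):
    """Rewrite one spool file in place; remove it entirely when nothing survives.

    Returns the number of entries dropped."""
    lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    kept = prune_lines(lines, now)
    dropped = len(lines) - len(kept)
    if dropped == 0:
        return 0
    if kept:
        path.write_text("\n".join(kept) + "\n", encoding="utf-8")
    else:
        path.unlink()  # an empty spool file is just noise; drop it
    return dropped


def prune_directory(root, now):
    """Apply the rules to every <host>/<logfile> under root; return total entries dropped."""
    total = 0
    for host_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for spool in sorted(p for p in host_dir.iterdir() if p.is_file()):
            total += prune_file(spool, now)
    return total


def demo():
    """Run the rules over the constructed sample at the fixed clock."""
    return prune_lines(SAMPLE_LINES, FIXED_NOW)


if __name__ == "__main__":
    # Cron usage, e.g. nightly:  0 2 * * *  python3 logwatch_retention.py
    print(f"dropped {prune_directory(LOGWATCH_DIR, datetime.now())} expired entries")
```

Two design points worth noting. First, the rule order matters once patterns overlap: Scotsie's two patterns are disjoint (attempts 11 to 19 versus 21 to 29), but a catch-all `.*` rule must go last or it will shadow every specific rule. Second, the script deletes nothing it cannot date, so if your agent's line layout does not contain a timestamp the regex recognises, the script is a no-op rather than a data loss; adjust TIMESTAMP_RE to the real format before trusting it in cron.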