mk_logwatch: support muliline logs

29 votes

More and more applications write multiline logs and it can happen that the search pattern for relevant log lines is spread over several lines.

Therefor mk_logwatch should be expanded with a new option "Multiline" which makes it possible to read multiline events as a block so that the entire event can be searched for a matching pattern.

Under consideration Checks&Agents Log monitoring / Event Console Suggested by: Lars Sörensen (09 Aug, '22) • Upvoted: 17 Mar • Comments: 4

Comments: 4

02 Sep, '22
Mike1098
Did you tried that:
https://stackoverflow.com/questions/587345/regular-expression-matching-a-multiline-block-of-text
09 Jan, '23
Lars Sörensen
@Mike
Since mk_logwatch reads the file line by line, I'm not sure if that would work. Anyway, I haven't tried it yet. But I think this is too complicated for the ordinary user.
09 Jan, '23
Lars Sörensen
With the append function you can already append more or less all lines that belong to the same event. For multiline logs this should be done before instead of after the pattern search.

You could use a simple (S)tart and/or (E)nd pattern to indicate where the current Event block starts and/or ends like for the (A)ppend.
10 Jan, '23
Mike1098
Maybe have a look at :
https://checkmk.com/werk/14550

I agree that the append feature is not well documented.
There is an old documentation available:
https://web.archive.org/web/20160316100057/http://mathias-kettner.de/checkmk_logfiles.html?mwg_rnd=9931125