Logwatch: Windows Event Log: Auto-Remove Log entries after X days
We use the checkmk agent on Windows Server. The agent has the logwatch plugin built in, to monitor the Windows event logs.
That is a good plugin, but it needs some more rulesets to define and control the monitoring.
The problem of that cmk service is that the Log service stores everything and does not remove old events. We always have to go into the service, click on "Clear Log" and remove that old information.
The following features would be nice: a new ruleset that automatically removes old log entries:
There is the ruleset "Logfile patterns" to manage Logwatch. A new ruleset could set the time for auto removal. For example, if we create a rule that entries are deleted after 14 days, each entry which is older than 14 days is automatically removed.
Comments: 3
24 Jan, '23
Ralf Spenner
We had nearly the same issue when starting with logwatch. When logwatch detects an error in a logfile, this error remains until the logfile has been removed from the Checkmk host(s) and even if the error is not present anymore.
So we created a small bash script which is able to clear all logfiles in a given logwatch path. With an entry in /etc/crontab which starts the script every night (or in different time ranges if you want) all logwatch files are cleared and you get only new alerts (or the same alert if the error is still present).
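One way to combine the nightly cron cleanup described in this comment with the 14-day limit from the request, as an added example that is not the commenter's script or Checkmk code. It assumes stored logwatch messages are plain files below a directory you pass in, and it removes whole files by last modification time, not individual entries; the function name and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: age-based cleanup for stored logwatch files, meant to run from cron.
# Assumption: messages are kept as plain files below one directory (one
# subdirectory per host); the directory is passed in, not hard-coded.

# purge_logwatch DIR DAYS [--dry-run]
# Prints every file it removes (or would remove). Returns 2 on bad input.
purge_logwatch() {
    lw_dir=$1
    lw_days=$2
    lw_mode=${3:-}

    # DAYS ends up on a find command line: accept digits only.
    case $lw_days in
        ''|*[!0-9]*) echo "days must be a non-negative integer" >&2; return 2 ;;
    esac

    # The job runs unattended, often as root: refuse a missing path, a
    # symlinked root (it could be repointed elsewhere) and "/".
    if [ ! -d "$lw_dir" ] || [ -L "$lw_dir" ]; then
        echo "not a real directory: $lw_dir" >&2; return 2
    fi
    lw_dir=$(cd "$lw_dir" && pwd -P) || return 2
    if [ "$lw_dir" = "/" ]; then
        echo "refusing to run on /" >&2; return 2
    fi

    # -type f skips symlinks and directories, -xdev stays on one filesystem.
    # -mtime +N matches files last modified at least N+1 full 24-hour periods ago.
    if [ "$lw_mode" = "--dry-run" ]; then
        find "$lw_dir" -xdev -type f -mtime +"$lw_days" -print
    else
        find "$lw_dir" -xdev -type f -mtime +"$lw_days" -print -delete
    fi
}

# Hypothetical /etc/crontab line (script path and logwatch path are placeholders):
# 30 2 * * * root . /path/to/purge_logwatch.sh && purge_logwatch /path/to/logwatch 14
```

Run it once with `--dry-run` against the real directory and review the printed list before enabling the cron entry.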
16 Feb, '23
JPH
The implementation should be implemented for all agent logs, not only for Windows.
21 Feb, '23
Andreas
Totally support JPH. This function should be implemented for all OS types.