Last updated: July 11, 2012
1. Basic principle of the Event Console
The Check_MK Event Console consists of two components:
- the Event Daemon (mkeventd) - for processing events
- an integration into Multisite and WATO - for status display and rule configuration
1.1. The Event Daemon
The mkeventd is a daemon process that runs independently of
the monitoring core or the status GUI. It is fed messages by external
applications. The most important of these is certainly syslog, but it is not
restricted to syslog: any application can send messages to the Event Console.
Sending an event to the EC is simple: just write one line of text into its
pipe. If this text has the correct format (see Setup for details),
then the EC will extract the following information:
- priority (e.g. warn) and facility (e.g. daemon)
- the name of the originating host
- the name of the application process (syslog tag)
- the process's PID (optional)
- the informational text of the message
All received messages are then fed into a chain of rules. Each rule
has a set of conditions on the various aspects of the message. If a rule matches,
an event is generated.
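The following Python code is an added example, not part of the original page and not Check_MK's own code: it extracts the fields listed above from one message line and passes the result through a rule chain. It assumes classic BSD syslog (RFC 3164) framing, since the page defers the exact format to Setup; `parse_message`, `first_matching_rule`, the sample line and the rules are hypothetical.

```python
import re

# Assumption: messages use classic BSD syslog framing (RFC 3164),
# "<PRI>Mmm dd hh:mm:ss HOST TAG[PID]: TEXT"; the page defers the format to Setup.
PRIORITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
               "clock"] + ["local%d" % i for i in range(8)])
LINE_RE = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} "  # timestamp, not a listed field
    r"(?P<host>\S+) "
    r"(?P<application>[^\s:\[\]]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<text>.*)"
)

def parse_message(line):
    """Extract the listed fields; return None for lines outside the assumed format."""
    m = LINE_RE.fullmatch(line.rstrip("\r\n"))
    if m is None:
        return None
    facility, priority = divmod(int(m.group("pri")), 8)  # PRI = facility * 8 + priority
    if facility >= len(FACILITIES):
        return None
    return {
        "priority": PRIORITIES[priority],
        "facility": FACILITIES[facility],
        "host": m.group("host"),
        "application": m.group("application"),
        "pid": int(m.group("pid")) if m.group("pid") else None,  # PID is optional
        "text": m.group("text"),
    }

def first_matching_rule(message, rules):
    """Hypothetical rule chain: a rule maps field names to regexes that must all match."""
    for name, conditions in rules:
        if all(re.search(rx, str(message[field])) for field, rx in conditions.items()):
            return name   # this rule would generate the event
    return None           # no rule matched: the message creates no event

# Constructed sample input and rules, for illustration only.
SAMPLE = "<28>Jul 11 10:40:00 web01 backupd[4711]: Backup of /var failed"
RULES = [
    ("auth-failures", {"facility": r"^auth", "text": r"failed password"}),
    ("backup-failed", {"application": r"^backupd$", "text": r"failed"}),
]

if __name__ == "__main__":
    print(parse_message(SAMPLE), first_matching_rule(parse_message(SAMPLE), RULES))
```

Every field, including the host name, is taken from the text of the line itself, so rule conditions see whatever the sending application wrote.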
2. Messages & Events
The Event Console uses the concepts of messages and events.
Both are tied together, but please do not mix them up:
- A message is a line of text that arrives at the Event Console.
- An event is something that is created by a rule and shown in the event status.
Of course in most cases events directly result from messages, but:
- Not all messages create an event, only those that trigger a rule
- Multiple messages may create one event (we call this aggregation)
- Messages may cancel an existing event instead of creating a new one
- Artificial events can be created if expected messages do not arrive
Furthermore, an event can be in one of the following phases:
|open||This is the most usual phase: the event is shown in the event status display. The operator should handle
|acknowledged||The operator has acknowledged the event.|
|counting||A rule with the feature counting has seen at least one matching message, but the required number of messages has not yet been reached. This event will not be shown in the event status (at least not in the default view).|
|delayed||A rule has created the event, but the delay time has not elapsed yet. This event will also not be shown to