Xymon Mailing List Archive search

Alternate log monitor?

list Larry Bonham
Wed, 3 Jun 2015 21:02:37 +0000
Message-Id: <user-b73f45c15a43@xymon.invalid>

-----Original Message-----
From: Andy Smith [mailto:user-982f5f6d4d28@xymon.invalid]
Sent: Wednesday, June 03, 2015 3:37 PM
To: Larry Bonham
Cc: xymon at xymon.com
Subject: Re: Alternate log monitor?

Larry Bonham wrote:
-----Original Message-----
From: Andy Smith [mailto:user-982f5f6d4d28@xymon.invalid]
Sent: Wednesday, June 03, 2015 1:48 PM
To: Larry Bonham
Cc: xymon at xymon.com
Subject: Re: [Xymon] Alternate log monitor?

Larry Bonham wrote:

Has anyone successfully integrated a different log monitor into xymon?
The internal msgs monitor works fine for /var/log/messages or any other
system log where a similar notification is used for each system (in our
case the systems group).


But I have a need to monitor multiple Apache logs on various systems
where a different user group would be notified if any yellow or red
alerts were created.  I don't see a way to do that and have
/var/log/messages alerts going somewhere else for the same system.


Running 4.3.18 on RHEL 6.6


swatch maybe?  Everything I'm finding is either too simplistic or way
overkill for what I need.  The lighter the footprint the better.


Thanks.

=========================================================

Larry D. Bonham
Hi, like you, we found the internal msgs tool is perfectly adequate in
terms of functionality, but does not lend itself well to notifying
different groups unless you are relying on email notification, in which
case you can define a GROUP rule in alert.cfg/analysis.cfg.  In our
place, we do not use email, instead, we have a 24x7 operations team
viewing the critical page, managing the incidents in real time, so we
needed different column names to be able to identify the requirements in
critical.cfg.  I wrote this simple script to direct a given log analysis
to a given column name, it may work for you :-

https://wiki.xymonton.org/doku.php/monitors:msgs

When we have need for more sophisticated log monitoring and we use SEC
(http://simple-evcorr.sourceforge.net/) which is extremely powerful, we
employ just a fraction of its potential.  We have a perl module that
goes with SEC so that SEC delivers status messages to Xymon in exactly
the same way as the internal msgs tool.
--
Andy


Andy,

I appreciate the response.  I should have mentioned I already tried your msgs.sh add on.  Only problem is the original output stays in MSGS as well as getting copied to the alternate test name.  We don't want the normal alerts going out to MSGS owners.  Just to the owners of the alternate test name.

Unless I missed something in setting it up, I wasn't able to do that.  I could do special notification on the alternate test but could not differentiate those in the normal test.

Please let me know if I'm misunderstanding something there (e.g. possible GROUP usage).  Wouldn't be the first time.

I have used SEC in the past with snmp trap translation.  That is one of those overkill solutions I mentioned.  I'm sure it would work but I wanted to keep the solution as simple as possible for support purposes down the road.  I was really hoping to accomplish this all within xymon itself if possible.

Thanks for your suggestions.

Larry
For instance, on our apache web servers we suppress the msgs column
completely (group-except msgs blah blah blah in hosts.cfg) and direct
messages-ng to a new column called syslog which ultimately gets the the
UNIX SA called out and the httpd error_log and access_log get directed
to a column called weblog which gets our middleware team called out.

I would disagree that SEC is overkill.  Some of our apache access logs
are over 4GB per day, the best way we found to watch traffic in these
volatile logs is with SEC.  Admittedly, it is nothing more sophisticated
than regex patterns we look for but there is no way we can afford to
ship this amount of data to the central server for analysis.  Yes, we
generate some impact at the client side by analyzing locally instead of
centrally, but extend this to tomcat logs and weblogic logs and get the
power of rules like singlewithsuppress and contexts and we can easily
find the needle in the haystack for our developers.
--
Andy


Thanks again Andy.  Very good clarification on manipulating msgs.

Probably overkill was the wrong word to use on my part in regards to SEC.  And I do plan on keeping the analysis on the client side.  Only sending alerts or warnings to the central server.

Larry


CONFIDENTIALITY NOTICE:
This electronic mail message is intended exclusively for
recipient to which it is addressed. The contents of this message
and any attachments may contain confidential and privileged
information. Any unauthorized review, use, print, storage, copy,
disclosure or distribution is strictly prohibited. If you have
received this message in error, please advise the sender
immediately by replying to the message's sender and delete all
copies of this message and its attachments without disclosing
the contents to anyone, or using the contents for any purpose.