Xymon Mailing List Archive

Bug in msgs test in 4.3.19

Japheth Cleaver
Thu, 16 Apr 2015 16:42:37 -0700
Message-Id: <user-2ded7a8a01b3@xymon.invalid>


On Thu, April 16, 2015 7:24 am, Johan Sjöberg wrote:
Hi.

I upgraded our Xymon server to 4.3.19. Unfortunately, I experienced
problems with the msgs test for the Xymon server itself.
The most serious bug is that I am getting log rows associated with the
wrong log file, and triggering alerts for that file.

If I look in the client data, I can see that a few lines are from the
correct file, but then it switches over to another log file's content:

[msgs:/var/log/server01.log]
<...SKIPPED...>
Apr 16 15:53:32 server01 AppMailImporter[INFO]: KTRO2155 Successfully made
deed avaliable to registrator group propID = 10029300
Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 Email did not
have a body or contains crap from scanners only. Not creating deed, but
for attachments!
Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 PostList item
created with propID = 10101563
Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 Attachment
written to disk with GUID = 6fc966f7-796b-427f-b114-173f927ae451.pdf
Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Created document
with propID = 10101564 and ObjectID = 15612
<...CURRENT...>
Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Successfully
connected document with deed propID = 10101563 and ObjectID = 15612
cal proxy 192.168.105.10/255.255.255.255/0/0 on interface outside
Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, IP =
192.168.206.250, QM FSM error (P2 struct &0x00007fff4a020c40, mess id
0x5ac031d1)!
Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, IP =
192.168.206.250, Removing peer from correlator table failed, no match!

The logs for "server01" are from the correct file, but the ones from
"fw2-v10" are from a different log file which has different alert match
rules.
The log file for fw2-v10 is also included in the client data, as a
separate section.

Johan,

Thanks... Can you send your maxbytes configuration for this (direct is
fine), and possibly a run of it in --debug mode? (Manually edit
xymonclient.sh to add --debug=stderr to the logfetch execution.)

For the second log file, do you have multiple triggers and ignores being
used in selection of the lines to come in?

Also, if I alert on all log entries, I now get alerts for <...CURRENT...>,
which I guess is some tag that is added internally by Xymon. This I can
avoid by adding ignore for this string, so it's not a big problem.

Correct, an analysis.cfg line like:

    LOG logfilename . COLOR=red

... will pick this up. An IGNORE= at the end would be your best option.
The docs should be updated for this use case.


Regards,

-jc
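
A way to check client data for the symptom reported in this thread, as an added example that is not part of the original messages and is not Xymon code: it walks each [msgs:...] section, skips the <...SKIPPED...> and <...CURRENT...> markers, and flags lines that carry another host's name or no syslog prefix at all. It assumes classic "Mon DD HH:MM:SS host" syslog lines; the sample data is constructed from the excerpt above, and the fw2-v10 log path and the EXPECTED mapping are hypothetical.

```python
import re

# Markers that show up inside the msgs data, as seen in the post above.
MARKERS = {"<...SKIPPED...>", "<...CURRENT...>"}
SECTION = re.compile(r"^\[msgs:(?P<path>[^\]]+)\]$")
# Assumption: classic syslog prefix "Mon DD HH:MM:SS host ...".
SYSLOG = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) ")

def audit_msgs(client_data, expected_hosts):
    """Return (path, line_no, reason, text) for each suspicious line.

    expected_hosts maps a log path to the set of hostnames allowed in it.
    """
    findings, path = [], None
    for no, line in enumerate(client_data.splitlines(), 1):
        m = SECTION.match(line)
        if m:
            path = m.group("path")
            continue
        if line.startswith("["):          # some other client-data section
            path = None
            continue
        if path not in expected_hosts or not line.strip() or line in MARKERS:
            continue
        m = SYSLOG.match(line)
        if not m:
            # A fragment with no timestamp, like "cal proxy ..." in the post.
            findings.append((path, no, "no syslog prefix", line))
        elif m.group("host") not in expected_hosts[path]:
            findings.append((path, no, "foreign host " + m.group("host"), line))
    return findings

# Hypothetical mapping of log file to the hosts that should appear in it.
EXPECTED = {"/var/log/server01.log": {"server01"},
            "/var/log/fw2-v10.log": {"fw2-v10"}}

# Constructed sample modelled on the excerpt in the post (lines unwrapped).
SAMPLE = """\
[msgs:/var/log/server01.log]
<...SKIPPED...>
Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 PostList item created with propID = 10101563
<...CURRENT...>
Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Created document with propID = 10101564 and ObjectID = 15612
cal proxy 192.168.105.10/255.255.255.255/0/0 on interface outside
Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, IP = 192.168.206.250, Removing peer from correlator table failed, no match!
[msgs:/var/log/fw2-v10.log]
Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, IP = 192.168.206.250, Removing peer from correlator table failed, no match!
"""

if __name__ == "__main__":
    for finding in audit_msgs(SAMPLE, EXPECTED):
        print(finding)
```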