I think this is expected behaviour. Each LOG line that matches will
generate the error, not the first line that matches. Can you do something
like this:
LOG %.* %Cmdlet.failed..Cmdlet COLOR=yellow
LOG %.* %^error COLOR=red IGNORE=^Cmdlet.failed..Cmdlet
On 26 August 2013 14:17, Phil Crooker <user-e8e31cd73303@xymon.invalid> wrote:
I’m running xymon 4.3.10 and have a problem with a log event not being
handled correctly. It is unclear whether this is a bbwin client issue or in
xymond (perhaps both). The event:

In the windows eventlog:
Cmdlet failed. Cmdlet GetUserPhoto, parameters {Identity=username at domain}.

As sent to xymond by the bbwin client:
error - 2013/08/26 11:19:57 - MSExchange CmdletLogs (6) - Cmdlet failed.
Cmdlet %1, parameters %2.

I’ve set up the following rule to ‘downgrade’ this basically meaningless
windows event, with the catchall rule under it for the (remaining) errors
that I do want to monitor:

LOG %.* %Cmdlet.failed..Cmdlet COLOR=yellow
LOG %.* %^error COLOR=red

This entry still comes in as a red error:

red Critical entries in eventlog_msexchange management
yellow error - 2013/08/26 11:19:57 - MSExchange CmdletLogs (6) - Cmdlet
failed. Cmdlet %1, parameters %2.
yellow error - 2013/08/26 11:17:26 - MSExchange CmdletLogs (6) - Cmdlet
failed. Cmdlet %1, parameters %2.
red error - 2013/08/26 11:19:57 - MSExchange CmdletLogs (6) - Cmdlet
failed. Cmdlet %1, parameters %2.
red error - 2013/08/26 11:17:26 - MSExchange CmdletLogs (6) - Cmdlet
failed. Cmdlet %1, parameters %2.

Looking at the windows event viewer, there is only one event for each of
these times, so it is somehow being duplicated. Capturing the traffic shows
it is not duplicated ‘on the wire’. Using the xymon xymondlog command
shows it is duplicated. If I remove the Cmdlet rule from analysis.cfg, it
is not duplicated.

This doesn’t happen to all messages but to some, I haven’t worked out what
the commonality is -- perhaps the message string itself is affecting the
parsing…. The only way I’ve been able to stop this is to IGNORE the entry
which I don’t really want to entirely.

Can anyone help, please?

Thanks, Phil
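
The rule evaluation described in the reply at the top of this thread, as an added example that is not part of either message and is not Xymon's code: a simplified Python model in which every LOG rule that matches a line reports it, unless that rule's own IGNORE pattern also matches. Assumptions: patterns with a leading `%` are case-insensitive regexes searched in the whole line, patterns without it are plain substrings, and the sample line is constructed from the event text quoted above.

```python
import re

# Constructed sample: the event line as the thread shows it reaching xymond.
SAMPLE_LINE = ("error - 2013/08/26 11:19:57 - MSExchange CmdletLogs (6) - "
               "Cmdlet failed. Cmdlet %1, parameters %2.")

def parse_rule(text):
    """Parse 'LOG <file> <pattern> [COLOR=c] [IGNORE=p]' (simplified model)."""
    fields = text.split()
    if len(fields) < 3 or fields[0] != "LOG":
        raise ValueError("not a LOG rule: " + text)
    # Assumption: red when no COLOR is given; the log-file field is kept but
    # not evaluated, since every rule in the thread uses %.* (any log).
    rule = {"file": fields[1], "pattern": fields[2], "color": "red", "ignore": None}
    for opt in fields[3:]:
        key, _, value = opt.partition("=")
        if key == "COLOR":
            rule["color"] = value
        elif key == "IGNORE":
            rule["ignore"] = value
    return rule

def matches(pattern, line):
    # Assumption: a leading '%' marks a regex, searched case-insensitively in
    # the whole line; a pattern without '%' is a plain substring.
    if pattern.startswith("%"):
        return re.search(pattern[1:], line, re.IGNORECASE) is not None
    return pattern in line

def evaluate(rules, lines):
    """Return (color, line) entries; each matching rule reports the line."""
    entries = []
    for rule in map(parse_rule, rules):
        for line in lines:
            if not matches(rule["pattern"], line):
                continue
            if rule["ignore"] and matches(rule["ignore"], line):
                continue  # excluded by this rule's IGNORE
            entries.append((rule["color"], line))
    return entries

def colors(rules):
    return [color for color, _ in evaluate(rules, [SAMPLE_LINE])]

DOWNGRADE = "LOG %.* %Cmdlet.failed..Cmdlet COLOR=yellow"
print(colors([DOWNGRADE, "LOG %.* %^error COLOR=red"]))
print(colors([DOWNGRADE, "LOG %.* %^error COLOR=red IGNORE=^Cmdlet.failed..Cmdlet"]))
print(colors([DOWNGRADE, "LOG %.* %^error COLOR=red IGNORE=%Cmdlet.failed..Cmdlet"]))
```

In this model the second rule set still reports the line twice, because the line as sent begins with `error`, so an IGNORE anchored at `^Cmdlet` cannot match it. The third rule set uses a hypothetical unanchored, `%`-prefixed IGNORE and leaves only the yellow entry.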