On 13-11-2012 16:05, Ray Reuter wrote:
I need to be able to alert off of the "who" column. An example would be
if there was less than 5 connections I would like to be alerted. I know
way back in Big Brother days there was a perl script to do just that but
I am having zero luck of finding it now.
First step is to make the "who" status red - if you do that, then you can
use the normal alert-rules to send out alerts.
Current Xymon versions allow you to modify the color of an existing
status, by sending a "modify" command to xymond. So what I would do was to
run a script on the Xymon server which regularly fetches all of the "who"
statuses, counts how many users are logged in on each host, and the sends a
"modify" status if the maximum is exceeded.
To get all of the "who" statuses, you can use
xymon 127.0.0.1 "xymondboard test=who fields=hostname,msg"
The output from this command is one line per status, with the hostname,
then a '|' delimiter, and then the status-message with new-line changed
into '\n'. I'm sure someone with Perl / Python / whatever scripting
knowledge could easily turn this into something where you could count the
number of lines (one for each user, minus a couple of header-lines), but
here's a C program that will do it:
--- cut here ---
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(int argc, char **argv)
{
char buf[4096];
char *hostname, *msg, *l_start, *l_end;
while (fgets(buf, sizeof(buf), stdin)) {
int loggedin = 0;
hostname = strtok(buf, "|");
msg = strtok(NULL, "\n");
if (!msg) continue;
l_start = msg;
do {
l_end = strstr(l_start, "\\n");
if ( (strncmp(l_start, "SESSIONNAME", 11) == 0) ||
(strncmp(l_start, ">", 1) == 0) ||
(strncmp(l_start, "rdp-tcp", 7) == 0) ||
(strncmp(l_start, "console", 7) == 0) ) {
/* Ignore the line */
}
else {
loggedin++;
}
l_start = l_end ? (l_end + 2) : NULL;
} while (l_start);
fprintf(stdout, "%s %d\n", hostname, loggedin);
}
return 0;
}
--- cut here ---
Just save this to "whocount.c" and run "gcc -o whocount whocount.c" to
compile it. It ignores lines beginning with the texts "SESSIONNAME", ">",
"rdp-tcp" or "console" - I think those lines always appear in the "who"
status regardless of who is logged in.
When you feed the input from the xymondboard command into this, it should
output one line for each host with the hostname and the number of users
logged in.
So putting it all together, this script will change the "who" status to
red for all hosts where 5 or more users are logged in:
--- cut here ---
#!/bin/sh
LIMIT=5
xymon 127.0.0.1 "xymondboard test=who fields=hostname,msg" | whocount |
while read L
do
set $L
HOSTNAME=$1
LOGINCOUNT=$2
if test $LOGINCOUNT -gt $LIMIT
then
echo 127.0.0.1 "modify $HOSTNAME.who red whomon $LOGINCOUNT users
logged in (max is $LIMIT)"
fi
done
exit 0
--- cut here ---
(assumes the "whocount" utility is in your PATH).
You'd run this as an extra task from tasks.cfg - e.g. every 5 minutes.
Now you have the "who" status going red when too many users are logged in,
so alerting is easy - just add
TEST=who COLOR=red
MAIL user-e062f1bfb90c@xymon.invalid
to alerts.cfg .
Regards,
Henrik