Messages file not reporting

One thing to watch out for would be multi-line log messages.  I don't know
about Linux, but Solaris certainly reports some device messages with WARNING
or ERROR on the first line, and the actual device on the next line with more
information.  Where I work, the jokers that set up CA Unicenter made it
detect WARNING & ERROR  and had the agent send "Disk error" messages to the
console, and never mind that the device was /dev/st0 (scsi *tape*) and it
just wanted cleaning, or a fresh tape...

I seem to recall that the second and subsequent lines were indented a couple
of spaces.  Kinda like Linux seems to do, such as in the lines right after:

   BIOS-provided physical RAM map:

and several other places in the boot messages.

Ralph Mitchell


On 2/3/06, Edward Croft <user-5619e8943180@xymon.invalid> wrote:

Yes, Linux based. I will  have to look into what you are doing. I am
wondering if maybe a grep on the log file with the expression "WARNING"
would return only those warnings. Then bump up against the timestamp to see
if it is old. Beyond an hour, ignore it. This would give me the alert and
then I could shut it off and it would go past the time stamp. Big Brother
gave you a file to show for each machine what you were looking to alert on.
Thanks for giving me a direction to go.

On Fri, 2006-02-03 at 08:41 -0500, user-e3a6ebbee6cd@xymon.invalid wrote:


Hi Edward - I understand your frustration - I've been through the same
things myself, and also initially not found the FAQ indicating that syslog
monitoring is not yet supported. I believe that Henrik is making it a
priority since so many of us are asking for it but there is no news yet or
commitment from him on when it will be available.

I searched deadcat.net and didn't find anything that looked worth using to
me, but I may have missed it. One thing I have been working on, but I've had
a few problems, is writing a custom extension. The extension itself is very
easy to do - e.g. I have written two for my Linux servers, one to run some
sql code to attach to an Oracle instance and report green if it is up or red
if it is down, and another to check LAN adapter settings and turn yellow if
it is not set to 100Mb full duplex. I have been working on a syslog monitor
which looks at /var/log/messages, checks the inode to be sure logrotate has
not run, and then uses tail to parse the last n lines. I determine n by
checking how many lines are in the file with wc and recording that to a file
on disk, then later come back and do the same again. If the inode is the
same, and wc -l returned 1000 but now returns 1057, then I do tail -n 57
/var/log/messages | grep -i error and look for any problems.

The problem I've encountered is that sometimes the inode changes. Yes, it
really does and I'm not crazy, give it a try on Linux. Copy
/var/log/messages, then ls -al -i the copy. Edit it with vi, even if all you
do is open, then write and quit with no actual changes, and more often than
not, the inode will change. I don't understand it. If I can get this working
I'd be happy to share my custom extension with you - or maybe you will have
some ideas on a different and more robust approach.

I'm assuming of course that you're Unix/Linux based, which is not always a
good assumption!


  *Edward Croft <user-5619e8943180@xymon.invalid>*

02/02/2006 05:16 PM
  Please respond to

user-ae9b8668bcde@xymon.invalid


   To
 user-ae9b8668bcde@xymon.invalid   cc

  Subject
 Re: [hobbit] Messages file not reporting


On Thu, 2006-02-02 at 22:31 +0100, Etienne Roulland wrote:

Edward Croft wrote:

Why thank you. I did find the one line:
It does not currently provide any data for the system-log "msgs" column.

That is all it says. Does not currently. Sooooo when can it be
expected, if ever?
This one thing prevents me from using it as the programs that monitor
our systems
write warnings into the log file which currently gets picked up by big
brother and an
alert sent.

You can use external script from *http://www.deadcat.net/*to monitor your
logfiles.


*Thank you. I appreciate your response.*

--
Edward M. Croft
Sr. Systems Engineer
Open Ratings, Inc.
200 West Street
Waltham, MA 02451-1121


**********************************************************************************
*This e-mail, and any attachments, is intended solely for use by the *
*addressee(s) named above.  It may contain the confidential or *
*proprietary information of Dana Corporation, its subsidiaries, *
*affiliates or business partners.  If you are not the intended recipient *
*of this e-mail or are an unauthorized recipient of the information, you *
*are hereby notified that any dissemination, distribution or copying *
*of this e-mail or any attachments, is strictly prohibited.  If you have *
*received this e-mail in error, please immediately notify the sender *
*by reply e-mail and permanently delete the original and any copies *
*or printouts.*

*Computer viruses can be transmitted via email. The *
*recipient should check this e-mail and any attachments for the *
*presence of viruses. Dana Corporation accepts no liability for any *
*damage caused by any virus transmitted by this e-mail. *

*English, Francais, Espanol, Deutsch, Italiano, Portugues:*
*http://www.dana.com/overview/EmailDisclaimer.shtm*

**********************************************************************************

*-- *

*This message has been scanned for viruses and*

*dangerous content by*
*MailScanner <http://www.mailscanner.info/>**, and is*

*believed to be clean.*

  --
Edward M. Croft
Sr. Systems Engineer
Open Ratings, Inc.
200 West Street
Waltham, MA 02451-1121