I am having issues with getting Hobbit to report log entries from client log files. The server is getting the log data but, despite a valid string entry in the log file, no alerts are generated.
Here is an excerpt from my client-local.cfg file:
[hosta-z1]
log:/var/adm/messages:10240
And a corresponding entry from the hobbit-clients.cfg file:
HOST=hosta-z1
LOG /var/adm/messages sshd COLOR=red
The status never changes for this host despite sshd entries existing in the /var/adm/messages file. I used "sshd" because I KNOW that there are current entries in /var/adm/messages since everytime hobbit runs an ssh check on the server an sshd message is generated. I have chosen this string just to troubleshoot this problem...
Clicking on "msgs" for this host, there is a message "No entries in /var/adm/messages". But if I click on the "/var/adm/messages" link it shows recent entries with the sshd string in the log file as the following shows:
[msgs:/var/adm/messages]
Jul 25 16:59:34 hosta-z1 sshd[4164]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:04:37 hosta-z1 sshd[4507]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:09:39 hosta-z1 sshd[4857]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:14:41 hosta-z1 sshd[5192]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:19:41 hosta-z1 sshd[5534]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:24:40 hosta-z1 sshd[5884]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:29:45 hosta-z1 sshd[6222]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Does anyone know what the problem may be? Is there possibly any known issues with Hobbit logging under Solaris 10 Update 3 for SPARC? I have tried almost everything I can think of to get this to work and I am getting no where.
Thanks in advance for any help.
-Ken