Xymon Mailing List Archive

alert for non 200 status from log monitoring

list Bill Arlofski
Sat, 01 Nov 2014 16:28:07 -0400
Message-Id: <user-ca5fd25d34de@xymon.invalid>

On 10/31/2014 04:39 PM, deepak deore wrote:
> Hi,
>
> I want to trigger an alert if there is a non-200 status in the Tomcat access
> logs below. I have enabled log monitoring in client-local.cfg, e.g. the log
> below has a non-200 status in the 3rd field from last.
>
> 10.10.10.10 - - [31/Oct/2013:15:45:56 +0000] GET /some/long/url HTTP/1.0 404 2531 161
>
> How can I define that pattern in analysis.cfg? I can define it for 404 as
> below, but would like to alert for all non-200.
>
> LOG %/path/to/log_file/access\.[0-9]*-[0-9]*-[0-9]*\.log " 404 " COLOR=red
>
> Thanks,
> Deepak

Hi Deepak

If you want the test to turn red on any non 200 status, you can omit
the COLOR=red because that is the default. You can also leave it for clarity
though. :)

I think the following will work. Replace your " 404 " with:

"%HTTP/1\.(1|0)[[:space:]][345][[:digit:]]{2}[[:space:]][[:digit:]]"

That should catch all HTTP/1.0 or HTTP/1.1 requests, followed by a literal
space, followed by a 3, or 4, or 5 followed by two more digits (to cover all
300, 400 and 500 series http response codes), followed by a literal space,
followed by a digit.

If you don't look for the HTTP/1.(0|1) at the front, you will catch all other
300, 400, 500 numbers that are surrounded by spaces in your logs. For example,
the size of the request (if it is three digits) which follows the response
code in your example.


In my Apache log entries, the GET or POST requests are double-quoted like so:

.... "GET /wtf HTTP/1.1" 404 270 "-" "Mozilla/5.0 ....."

so I could use:

"%[[:punct:]][[:space:]][345][[:digit:]]{2}[[:space:]][[:digit:]]"

Which ignores the HTTP/1.(1|0) and just catches the closing double-quote after
the HTTP/1.0 or HTTP/1.1, the literal space, and then the non-200 response
code, followed by a space.


Also, you may not want to catch the 300 series response codes because they
mainly consist of non-warning or non-critical things like redirects.

Hope this helps.


-- 
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
-- Not responsible for anything below this line --
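
Added example (not part of the original thread): a shell check that runs the patterns discussed above over constructed log lines with `grep -E`, so the false positive from a three-digit size field is visible before the rule goes into analysis.cfg. It assumes the patterns behave the same under POSIX ERE as under Xymon's regex engine (they use only constructs common to both); the variable and function names are hypothetical, and the leading `%` regex marker is dropped because it is Xymon syntax, not part of the expression.

```shell
#!/bin/sh
# Constructed sample lines in the unquoted Tomcat format from the question.
# Line 2 is a 200 response whose size field happens to be 404.
SAMPLE_LOG='10.10.10.10 - - [31/Oct/2013:15:45:56 +0000] GET /some/long/url HTTP/1.0 404 2531 161
10.10.10.11 - - [31/Oct/2013:15:45:57 +0000] GET /index.html HTTP/1.1 200 404 12
10.10.10.12 - - [31/Oct/2013:15:45:58 +0000] POST /login HTTP/1.1 500 87 903
10.10.10.13 - - [31/Oct/2013:15:45:59 +0000] GET /old HTTP/1.1 302 0 4
10.10.10.14 - - [31/Oct/2013:15:46:00 +0000] GET /ok HTTP/1.1 200 5120 33'

# The original literal match from the question.
LITERAL_404=' 404 '
# The pattern suggested in the reply, anchored on the protocol version.
ANCHORED='HTTP/1\.(1|0)[[:space:]][345][[:digit:]]{2}[[:space:]][[:digit:]]'
# The same status match with the HTTP/1.x anchor removed.
UNANCHORED='[[:space:]][345][[:digit:]]{2}[[:space:]][[:digit:]]'
# Variant that leaves out the 300 series, as the reply suggests considering.
ERRORS_ONLY='HTTP/1\.(1|0)[[:space:]][45][[:digit:]]{2}[[:space:]][[:digit:]]'

# count_matches PATTERN: number of sample lines the pattern would flag.
# grep -c exits non-zero on zero matches, so the exit status is ignored.
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -cE -- "$1" || true
}

# show_matches PATTERN: print the flagged lines for manual inspection.
show_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -- "$1" || true
}

printf 'literal 404 : %s lines\n' "$(count_matches "$LITERAL_404")"
printf 'anchored    : %s lines\n' "$(count_matches "$ANCHORED")"
printf 'unanchored  : %s lines\n' "$(count_matches "$UNANCHORED")"
printf 'errors only : %s lines\n' "$(count_matches "$ERRORS_ONLY")"
```

The unanchored and literal patterns both flag the 200 response whose size is 404; the anchored pattern does not.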