Xymon Mailing List Archive

Force logfetch to only process complete lines?

list Galen Johnson
Thu, 10 May 2018 20:59:12 -0400
Message-Id: <user-dda00a44d751@xymon.invalid>

Have you user-e73faa70d685@xymon.invalid on the xymon server?  Or the man page
for client-local.cfg?  It's a bit finicky but may be able to do what you're
asking without modifying any code.

=G=

On Thu, May 10, 2018 at 5:32 PM, Larry Bonham <user-7a867963a09a@xymon.invalid> wrote:
Third request.  I just can’t believe that I’m the only one having this
problem.  It is a fairly frequent occurrence for me.  Mainly with higher
volume log files.


I simply want to drop any partial lines before they are compared with LOG
alert definitions.


Based on the comments in logfetch.c (v4.3.28), the section between 509 and
562 would appear to handle this.  But for whatever reason it is not
consistently working for me.  Maybe I’m overloading the MAXCHECK value and
it is just truncating the output?  Or I’m misunderstanding what the section
is actually doing?


Once again, any help would be appreciated.


Larry B.


*From:* Larry Bonham
*Sent:* Monday, March 5, 2018 10:05 AM
*To:* xymon at xymon.com
*Subject:* RE: Force logfetch to only process complete lines?


Second request.  No one else having this particular problem?  Any help
would be appreciated.  Modifying logfetch.c is pretty much beyond my
limited C skills.


Thanks.


Larry B.


*From:* Xymon [mailto:xymon-bounces at xymon.com] *On Behalf Of* Larry Bonham
*Sent:* Monday, February 26, 2018 5:28 PM
*To:* xymon at xymon.com
*Subject:* [Xymon] Force logfetch to only process complete lines?


RHEL 6.9 and RHEL 7.4

Xymon v4.3.28


This may be documented somewhere and I’m just not able to find it.  But is
there a way to force logfetch to only scan complete lines and discard any
partials it might retrieve based on the MAXCHECK setting?


I’ve been getting quite a few alerts on highly active systems where the
offending line would normally be excluded due to the first part of a search
that is missing.


A simple example, I want to ignore the alert triggers for
/var/log/messages where the system name is test-system and
:\sheader\ssubject: is also in the line.  Since test-system comes right
after the date/time stamp, that causes the ignore check to not work if
test-system is not retrieved by logfetch.


analysis.cfg


# Red alert on CRITICAL or ERROR or SERIOUS (with exceptions)

LOG %.*  %(?-i)CRITICAL|ERROR|SERIOUS COLOR=red IGNORE=%(?-i)test-system.*:\sheader\ssubject:


I’ve tried adjusting the MAXCHECK setting but it didn’t make a difference
one way or the other.


client-local.cfg


log:/var/log/messages:10240             # 10KB default

log:/var/log/messages:1024000         # 1MB


Thanks.

=========================================================

Larry D. Bonham

Financial Network Inc.
10401-F Baur
Olivette, MO XXXXX

(XXX) XXX-XXXX voice
(XXX) XXX-XXXX fax
=========================================================


CONFIDENTIALITY NOTICE:
This electronic mail message is intended exclusively for
recipient to which it is addressed. The contents of this message
and any attachments may contain confidential and privileged
information. Any unauthorized review, use, print, storage, copy,
disclosure or distribution is strictly prohibited. If you have
received this message in error, please advise the sender
immediately by replying to the message's sender and delete all
copies of this message and its attachments without disclosing
the contents to anyone, or using the contents for any purpose.
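The failure mode Larry describes (a byte-limited read that starts in the middle of a line, so the IGNORE pattern no longer sees the hostname near the start of that line) is easy to reproduce outside Xymon. The script below is an added example, not code from logfetch or the Xymon project: it tails a constructed /var/log/messages-style buffer by a byte budget, applies the LOG/IGNORE rule from the analysis.cfg snippet above, and compares a naive scan of every fragment with a scan that first discards the leading and trailing partial lines. The patterns are rewritten in Python re syntax; Xymon compiles its %-patterns with PCRE, and the (?-i) prefix there only forces case-sensitive matching, which is Python's default. The sample log lines and the function names are this example's own.

```python
"""Added example, not code from logfetch or the Xymon project: simulate a
byte-limited tail of a log file, show how a chunk that begins mid-line
defeats an IGNORE pattern that depends on text near the start of the
line, and show the effect of dropping partial lines before matching.
All log lines below are constructed."""
import re

# Constructed /var/log/messages-style sample. Line 2 is the one the
# IGNORE rule should suppress: it is from test-system and carries
# ": header subject:".
SAMPLE_LOG = (
    b"May 10 20:10:01 test-system sshd[1234]: Accepted publickey for larry\n"
    b"May 10 20:10:02 test-system mailer[2222]: ERROR: header subject: malformed\n"
    b"May 10 20:10:03 test-system cron[3333]: (root) CMD (run-parts)\n"
    b"May 10 20:10:04 other-host app[4444]: ERROR disk full\n"
)

# Same intent as the analysis.cfg LOG rule on the page, in Python re
# syntax (case-sensitive by default, so no (?-i) is needed).
ALERT_RE = re.compile(r"CRITICAL|ERROR|SERIOUS")
IGNORE_RE = re.compile(r"test-system.*:\sheader\ssubject:")


def tail_bytes(data: bytes, maxcheck: int):
    """Return (chunk, started_at_line_boundary) for the last maxcheck bytes.
    Like any byte-limited read, the chunk may begin in the middle of a line."""
    start = max(0, len(data) - maxcheck)
    at_boundary = start == 0 or data[start - 1:start] == b"\n"
    return data[start:], at_boundary


def all_fragments(chunk: bytes):
    """Naive split: every fragment, including leading/trailing partial lines."""
    return [ln for ln in chunk.decode("utf-8", "replace").split("\n") if ln]


def complete_lines(chunk: bytes, started_at_boundary: bool):
    """Keep only lines that are complete within the chunk: drop a leading
    fragment when the read did not begin at a line boundary, and drop a
    trailing fragment that has no terminating newline yet."""
    text = chunk.decode("utf-8", "replace")
    if not started_at_boundary:
        nl = text.find("\n")
        text = "" if nl < 0 else text[nl + 1:]
    lines = text.split("\n")
    if not text.endswith("\n"):
        lines = lines[:-1]  # unterminated tail may still be being written
    return [ln for ln in lines if ln]


def scan(lines):
    """Apply the LOG rule: alert on ALERT_RE matches unless IGNORE_RE also matches."""
    return [ln for ln in lines if ALERT_RE.search(ln) and not IGNORE_RE.search(ln)]


def compare(maxcheck: int):
    """Return (naive_alerts, strict_alerts) for a given byte budget."""
    chunk, at_boundary = tail_bytes(SAMPLE_LOG, maxcheck)
    return scan(all_fragments(chunk)), scan(complete_lines(chunk, at_boundary))


if __name__ == "__main__":
    # Choose a budget that cuts line 2 just before "mailer[2222]": the
    # fragment keeps "ERROR" but has lost "test-system".
    cut = SAMPLE_LOG.index(b"mailer[2222]")
    naive, strict = compare(len(SAMPLE_LOG) - cut)
    print("naive :", naive)   # fragment of line 2 fires, plus the other-host line
    print("strict:", strict)  # only the other-host line
```

Running it with the budget chosen in the `__main__` block reproduces the false alert: the fragment `mailer[2222]: ERROR: header subject: malformed` matches the alert pattern but not the IGNORE pattern, while the strict scan reports only the other-host line. The same simulation is a quick way to test whether an IGNORE pattern would survive truncation at all; a pattern that does not depend on anything before the cut (here, only on `:\sheader\ssubject:`) would be immune, at the cost of also suppressing that text from other hosts.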