You can do this with a "log" configuration entry (in client-local.cfg)
using backticks that counts the lines, calculates a delta, and returns a
suitable message. Something like this:
[name-of-server]
log:`exec 2>/dev/null; Z=$(printf "\072"); F=/var/log/messages; Y=1; R=6; T=/tmp/badlogins; C=$(egrep -c "PAM${Z} (Authentication failure|User not known)" $F); L=$(cat $T.last); D=$(expr $C - $L); ( [ "$D" = "" ] || { [ $D -gt $R ] && echo "red${Z} $D login failures exceeded red threshold of $R" || { [ $D -gt $Y ] && echo "yellow${Z} $D login failures exceeded yellow threshold of $Y" || echo "green${Z} $D login failures is OK"; }; } ) > $T.status; echo "$C" > $T.last; echo $T.status`:1024
Adjust filename and thresholds ($F, $Y and $R) to your liking. The sample
window size is whatever frequency Xymon client is run, typically 5 minutes,
so Y and R thresholds would be a count per 5 minutes. Note that colons and
backticks are not permitted in the command string, so I'm fudging them in
other ways.
Then alert on the message with a couple of LOG entries in analysis.cfg like
so:
HOST=name-of-server
LOG /tmp/badlogins.status %red COLOR=red
LOG /tmp/badlogins.status %yellow COLOR=yellow
Cheers
Jeremy
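The same delta-per-run threshold logic as the one-line "log:" entry above, as an added example that is not code from the thread or from Xymon: the pieces are split into small POSIX sh functions so they can be read and tested, and two cases the one-liner leaves implicit are handled (no state file on the first run, and a count that drops below the saved one after log rotation). The log-line format ("PAM: Authentication failure ...", "PAM: User not known ...") is the one the one-liner's regex expects; the state-file name and the demo lines are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the thread): delta-based failed-login threshold
# check, written as functions instead of a single backtick string.

# count_failures LOGFILE -> number of PAM failure lines. grep -c prints "0"
# but exits 1 on zero matches, so the status is forced to 0 for set -e callers.
count_failures() {
    grep -E -c 'PAM: (Authentication failure|User not known)' "$1" || true
}

# classify DELTA YELLOW RED -> "color: message", in the one-liner's wording.
classify() {
    d=$1; y=$2; r=$3
    if [ "$d" -gt "$r" ]; then
        echo "red: $d login failures exceeded red threshold of $r"
    elif [ "$d" -gt "$y" ]; then
        echo "yellow: $d login failures exceeded yellow threshold of $y"
    else
        echo "green: $d login failures is OK"
    fi
}

# check_logins LOGFILE STATEFILE YELLOW RED
# Compares the current count with the count saved on the previous run, saves
# the new count, and prints the status line. No state file yet: record a
# baseline, no delta. Current count below the saved one: the log was rotated,
# so the whole current count is the delta rather than a negative number.
check_logins() {
    log=$1; state=$2; y=$3; r=$4
    cur=$(count_failures "$log")
    if [ -f "$state" ]; then
        prev=$(cat "$state"); prev=${prev:-0}
        echo "$cur" > "$state"
        if [ "$cur" -lt "$prev" ]; then
            classify "$cur" "$y" "$r"
        else
            classify $((cur - prev)) "$y" "$r"
        fi
    else
        echo "$cur" > "$state"
        echo "green: baseline of $cur failures recorded, no delta yet"
    fi
}

# Stand-alone demo on constructed log lines (not real syslog output).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'Jan 11 00:19:01 host sshd[1234]: error: PAM: Authentication failure for bob from 192.0.2.10' \
        'Jan 11 00:19:05 host sshd[1234]: error: PAM: User not known to the underlying authentication module for illegal user x from 192.0.2.10' \
        'Jan 11 00:20:00 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)' \
        > "$dir/messages"
    check_logins "$dir/messages" "$dir/badlogins.last" 1 6   # first run: baseline only
    for i in 1 2 3; do
        echo 'Jan 11 00:21:00 host sshd[1235]: error: PAM: Authentication failure for bob from 192.0.2.10' >> "$dir/messages"
    done
    check_logins "$dir/messages" "$dir/badlogins.last" 1 6   # delta of 3 -> yellow
    rm -rf "$dir"
}
demo
```

Wired into Xymon the same way as the one-liner, the script would write the status line to a file and echo that file's name from the "log:" entry, and the LOG lines in analysis.cfg would match on the leading "red" and "yellow" words; the thresholds stay per client run, so they are still counts per polling interval, not per wall-clock window.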
On 11 January 2013 00:19, Mike Burger <user-cc5c6e80f4c5@xymon.invalid> wrote:
That's what I figured, after having looked at the analysis.cfg man page
multiple times.
If I want to do this, then, I'm going to have to script something to
analyze X amount of time and do something if it sees occurrences>=Y and
then feed that to Xymon somehow.
Thanks.
--
Mike Burger
http://www.bubbanfriends.org
"It's always suicide-mission this, save-the-planet that. No one ever just
stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1
You will need to tell client-local.cfg which log to gather data from.
While you can't specify the last Y amount of time, you can specify Y
amount of data. So if you know your log file writes about 1000 bytes
per hour... and you want to look back 4 hours, you would specify in
client-local.cfg "log:/var/log/mylogfile:4000" This will return the
most recent 4000 bytes worth of data to Xymon.
Your next step is to configure analysis.cfg to tell xymon how to report
on that data. If you want xymon to alert if it sees the word "ERROR",
your analysis.cfg would have a line in it "LOG /var/log/mylogfile %ERROR"
Look at the analysis.cfg and client-local.cfg man pages for information
on the LOG check.
Michael Beatty
Sherwin-Williams
IT Analyst/Developer
user-4aea7c115850@xymon.invalid
XXX-XXX-XXXX
On 01/09/2013 03:50 PM, Mike Burger wrote:
I've got a situation at work where we're being tasked with monitoring
failed logins. We've got logging and audit file creation in place...what
I'm looking for is whether or not there's a way to have Xymon monitor
those logs/files to look for X entries/occurrences within Y amount of
time.
The requirement is to try to do as much of this programmatically as
possible without having to resort to scripting or other measures that may
be easily countered by a system admin.
Thanks.