Xymon Mailing List Archive

precedence of rules in analysis.cfg

Gautier Begin
Wed, 13 Aug 2014 10:47:01 +0200
Message-Id: <user-f93564881775@xymon.invalid>

Juergen,

The file is read from top to bottom. The process stops reading the file when it finds the first feature that matches.

In your example, if disk data comes in with the hostname Win32Server for disk C, the first thresholds are used (C 85 90).
Any server of class win32 with disk data for the C drive will use the third thresholds (80 90).
In any other case for disk data, the default thresholds will be used (90 95).

Cordialement, Regards, Mit freundlichen Grüßen,

Gautier BEGIN


From:   Juergen Fischer/DEU/CSC at CSC
To:     xymon at xymon.com
Date:   08/13/2014 09:44 AM
Subject:        [Xymon] precedence of rules in analysis.cfg
Sent by:        "Xymon" <xymon-bounces at xymon.com>


Please can someone help me regarding the precedence of rules in analysis.cfg? 
analysis.cfg example to illustrate my questions: 
#-----------------------------------------------------------
HOST=Win32Server
        DISK        C 85 90
DEFAULT
        DISK        * 90 95
CLASS=win32
        DISK        C 80 90
        LOG        %.*        %error COLOR=yellow
        LOG        eventlog:Application        %warning COLOR=yellow  IGNORE="%warning .* Symantec AntiVirus .* Could not scan .* files inside .* due to extraction errors encountered by the Decomposer Engines\.Application has encountered an error"
#-----------------------------------------------------------
Assumption: Host 'Win32Server' is a CLASS=win32 server running in central mode
DISK questions:
1. Does Win32Server's C disk go yellow at 85, 90 or 95%?
2. Is this because of the ORDER of the applying rules (first HOST, then DEFAULT, then CLASS)
   or is it because HOST is more specific than CLASS and CLASS is more specific than DEFAULT?
3. Does Xymon at all try to find further possibly matching DISK rules after the first matching
   rule - underneath HOST in this example - has been encountered?
LOG questions:
1. If an eventlog message happens to match the 1st of the above listed LOG rules
   (because it contains 'error'), will the second rule be evaluated at all?
2. And if the 2nd rule should get evaluated, which of the 2 rules would take precedence?
   (Assuming both rules logically match, but have conflicting effects because of the IGNORE
   - i.e. a line that matches the IGNORE and hence has also the word 'error' in it.
   Will it be ignored, because the 2nd rule applies? Or will it show yellow, because
   the 1st rule applies? And why is this so?)
3. The answers to the 2 prior questions will probably already have answered this one:
   Should specific LOG rules appear before or after the more general ones to give
   the first match precedence?
Many thanks
Jürgen
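
A small model of the top-to-bottom, first-match evaluation described in the reply, applied to the DISK rules from the question. This is an added example, not part of either message and not Xymon's own parser; the tuple layout, the function names and the host name OtherWin32 are assumptions made for illustration. Under this model a catch-all DEFAULT line is reached before any rule placed below it, so the block also reports which rules sit underneath a catch-all.

```python
# Constructed model of the DISK rules from the question, in file order.
# Entry layout (an assumption): (selector, value, disk, warn_pct, panic_pct)
RULES_AS_POSTED = [
    ("HOST", "Win32Server", "C", 85, 90),
    ("DEFAULT", None, "*", 90, 95),
    ("CLASS", "win32", "C", 80, 90),
]
# The same three rules with the catch-all moved to the end of the file.
RULES_DEFAULT_LAST = [RULES_AS_POSTED[0], RULES_AS_POSTED[2], RULES_AS_POSTED[1]]


def selector_matches(selector, value, host, host_class):
    """True if the HOST=/CLASS=/DEFAULT selector applies to this host."""
    if selector == "DEFAULT":
        return True
    if selector == "HOST":
        return value == host
    if selector == "CLASS":
        return value == host_class
    return False


def resolve_disk(rules, host, host_class, disk):
    """Walk the rules top to bottom; return (index, warn, panic) of the first match."""
    for index, (selector, value, pattern, warn, panic) in enumerate(rules):
        disk_ok = pattern == "*" or pattern == disk
        if disk_ok and selector_matches(selector, value, host, host_class):
            return index, warn, panic  # first match wins; later rules are not read
    return None


def shadowed_rules(rules):
    """Indexes of rules that can never be reached because they follow DEFAULT '*'."""
    for index, (selector, _value, pattern, _warn, _panic) in enumerate(rules):
        if selector == "DEFAULT" and pattern == "*":
            return list(range(index + 1, len(rules)))
    return []


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED),
                         ("DEFAULT last", RULES_DEFAULT_LAST)):
        print(label)
        for host in ("Win32Server", "OtherWin32"):
            print("  ", host, "C ->", resolve_disk(rules, host, "win32", "C"))
        print("   unreachable rule indexes:", shadowed_rules(rules))
```
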