Xymon Mailing List Archive

Need help in getting message alerts

7 messages in this thread

list Edward Croft · Thu, 10 Jan 2008 14:15:24 -0500 ·
On the message page I am getting the following results.
In the client-local.cfg file it says:
log:/var/log/messages:10240
trigger NOTICE
trigger WARNING

log:/var/log/secure:10240
ignore "Connection closed by"
trigger BREAKIN

In hobbit-clients.cfg it says:
        LOG /var/log/messages WARNING COLOR=yellow
        LOG /var/log/messages NOTICE COLOR=red
        LOG /var/log/secure BREAKIN

Yet, nothing appears in the top half and it never changes from green.


No entries in /var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>

No entries in /var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>


Full log /var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>
Jan 10 13:31:40 sirona ecroft: NOTICE

Full log /var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>
Jan 10 13:22:50 sirona sshd[5087]: Connection closed by 10.0.14.249
Jan 10 13:27:51 sirona sshd[5133]: Connection closed by 10.0.14.249
Jan 10 13:31:38 sirona ecroft: BREAKIN
Jan 10 13:32:52 sirona sshd[5181]: Connection closed by 10.0.14.249
Jan 10 13:37:53 sirona sshd[5227]: Connection closed by 10.0.14.249
Jan 10 13:42:54 sirona sshd[5273]: Connection closed by 10.0.14.249
Jan 10 13:47:55 sirona sshd[5319]: Connection closed by 10.0.14.249
Jan 10 13:52:56 sirona sshd[5365]: Connection closed by 10.0.14.249


-- 
If the sane say the insane are insane,
What if the sane are insane?
Would that make the insane sane?
Explains a lot in Washington!
 --E. Croft
list Edward Croft · Fri, 11 Jan 2008 08:08:29 -0500 ·
On the message page I am getting the following results.
In the client-local.cfg file it says:
log:/var/log/messages:10240
trigger NOTICE
trigger WARNING

log:/var/log/secure:10240
ignore "Connection closed by"

trigger BREAKIN

In hobbit-clients.cfg it says:
        LOG /var/log/messages WARNING COLOR=yellow
        LOG /var/log/messages NOTICE COLOR=red
        LOG /var/log/secure BREAKIN

Yet, nothing appears in the top half and it never changes from green.


No entries in /var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>

No entries in /var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>


Full log /var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>
Jan 10 13:31:40 sirona ecroft: NOTICE


Full log /var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>
Jan 10 13:22:50 sirona sshd[5087]: Connection closed by 10.0.14.249
Jan 10 13:27:51 sirona sshd[5133]: Connection closed by 10.0.14.249
Jan 10 13:31:38 sirona ecroft: BREAKIN
Jan 10 13:32:52 sirona sshd[5181]: Connection closed by 10.0.14.249
Jan 10 13:37:53 sirona sshd[5227]: Connection closed by 10.0.14.249
Jan 10 13:42:54 sirona sshd[5273]: Connection closed by 10.0.14.249
Jan 10 13:47:55 sirona sshd[5319]: Connection closed by 10.0.14.249
Jan 10 13:52:56 sirona sshd[5365]: Connection closed by 10.0.14.249


-- 
If the sane say the insane are insane,
What if the sane are insane?
Would that make the insane sane?
Explains a lot in Washington!
 --E. Croft
list Henrik Størner · Sat, 12 Jan 2008 15:15:41 +0100 ·
Have you configured your client(s) for server-side or client-side
configuration ? It's the first question asked when you configure
the client:
  Server side client configuration, or client side [server] ?

And what host are you editing the client-local.cfg and
hobbit-clients.cfg files on ? On the client or on the server?


Henrik
quoted from Edward Croft


On Thu, Jan 10, 2008 at 02:15:24PM -0500, Edward Croft wrote:
On the message page I am getting the following results.
In the client-local.cfg file it says:
log:/var/log/messages:10240
trigger NOTICE
trigger WARNING

log:/var/log/secure:10240
ignore "Connection closed by"
trigger BREAKIN

In hobbit-clients.cfg it says:
        LOG /var/log/messages WARNING COLOR=yellow
        LOG /var/log/messages NOTICE COLOR=red
        LOG /var/log/secure BREAKIN

Yet, nothing appears in the top half and it never changes from green.


No entries in /var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>

No entries in /var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>


Full log /var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>
Jan 10 13:31:40 sirona ecroft: NOTICE

Full log /var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>
Jan 10 13:22:50 sirona sshd[5087]: Connection closed by 10.0.14.249
Jan 10 13:27:51 sirona sshd[5133]: Connection closed by 10.0.14.249
Jan 10 13:31:38 sirona ecroft: BREAKIN
Jan 10 13:32:52 sirona sshd[5181]: Connection closed by 10.0.14.249
Jan 10 13:37:53 sirona sshd[5227]: Connection closed by 10.0.14.249
Jan 10 13:42:54 sirona sshd[5273]: Connection closed by 10.0.14.249
Jan 10 13:47:55 sirona sshd[5319]: Connection closed by 10.0.14.249
Jan 10 13:52:56 sirona sshd[5365]: Connection closed by 10.0.14.249


-- 
If the sane say the insane are insane,
What if the sane are insane?
Would that make the insane sane?
Explains a lot in Washington!
 --E. Croft
-- 

Henrik Storner
list Edward Croft · Sat, 12 Jan 2008 10:43:31 -0500 ·
I have it set up on different machines, in different configurations trying
to find the one that works. The only one that works is the one that is using
the bb client. We are trying to move away from Big Brother. When it is
client-side, I configure it on the client, on the server side I configure
all of them whether they are client-side or not. Question, I note that the
bb-hosts file isn't installed client-side, I did copy it over to
/usr/local/hobbit/client/etc directory just in case, but still no go.
The important thing is for it to alert if there is the word NOTICE in the
line for messages, and BREAKIN for secure.
Thanks Henrik. Other than that, it all looks great. I really like it, but I
have to get this working or it is a no go and I will have to look elsewhere.
quoted from Henrik Størner


On Jan 12, 2008 9:15 AM, Henrik Stoerner <user-ce4a2c883f75@xymon.invalid> wrote:
Have you configured your client(s) for server-side or client-side
configuration ? It's the first question asked when you configure
the client:
 Server side client configuration, or client side [server] ?

And what host are you editing the client-local.cfg and
hobbit-clients.cfg files on ? On the client or on the server?


Henrik


On Thu, Jan 10, 2008 at 02:15:24PM -0500, Edward Croft wrote:
On the message page I am getting the following results.
In the client-local.cfg file it says:
log:/var/log/messages:10240
trigger NOTICE
trigger WARNING

log:/var/log/secure:10240
ignore "Connection closed by"
trigger BREAKIN

In hobbit-clients.cfg it says:
        LOG /var/log/messages WARNING COLOR=yellow
        LOG /var/log/messages NOTICE COLOR=red
        LOG /var/log/secure BREAKIN

Yet, nothing appears in the top half and it never changes from green.


No entries in /var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>

No entries in /var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>


Full log /var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>
Jan 10 13:31:40 sirona ecroft: NOTICE

Full log /var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>
Jan 10 13:22:50 sirona sshd[5087]: Connection closed by 10.0.14.249
Jan 10 13:27:51 sirona sshd[5133]: Connection closed by 10.0.14.249
Jan 10 13:31:38 sirona ecroft: BREAKIN
Jan 10 13:32:52 sirona sshd[5181]: Connection closed by 10.0.14.249
Jan 10 13:37:53 sirona sshd[5227]: Connection closed by 10.0.14.249
Jan 10 13:42:54 sirona sshd[5273]: Connection closed by 10.0.14.249
Jan 10 13:47:55 sirona sshd[5319]: Connection closed by 10.0.14.249
Jan 10 13:52:56 sirona sshd[5365]: Connection closed by 10.0.14.249


--
If the sane say the insane are insane,
What if the sane are insane?
Would that make the insane sane?
Explains a lot in Washington!
 --E. Croft
--
Henrik Storner

-- 
If the sane say the insane are insane,
What if the sane are insane?
Would that make the insane sane?
Explains a lot in Washington!
 --E. Croft
list Galen Johnson · Sat, 12 Jan 2008 11:20:15 -0500 ·
quoted from Edward Croft
Edward Croft wrote:
I have it set up on different machines, in different configurations trying to find the one that works. The only one that works is the one that is using the bb client. We are trying to move away from Big Brother. When it is client-side, I configure it on the client, on the server side I configure all of them whether they are client-side or not. Question, I note that the bb-hosts file isn't installed client-side, I did copy it over to /usr/local/hobbit/client/etc directory just in case, but still no go.
The important thing is for it to alert if there is the word NOTICE in the line for messages, and BREAKIN for secure.
Thanks Henrik. Other than that, it all looks great. I really like it, but I have to get this working or it is a no go and I will have to look elsewhere.


On Jan 12, 2008 9:15 AM, Henrik Stoerner <user-ce4a2c883f75@xymon.invalid> wrote:

    Have you configured your client(s) for server-side or client-side
    configuration ? It's the first question asked when you configure
    the client:
     Server side client configuration, or client side [server] ?

    And what host are you editing the client-local.cfg and
    hobbit-clients.cfg files on ? On the client or on the server?


    Henrik


    On Thu, Jan 10, 2008 at 02:15:24PM -0500, Edward Croft wrote:
On the message page I am getting the following results.
In the client-local.cfg file it says:
log:/var/log/messages:10240
trigger NOTICE
trigger WARNING

log:/var/log/secure:10240
ignore "Connection closed by"
trigger BREAKIN

In hobbit-clients.cfg it says:
        LOG /var/log/messages WARNING COLOR=yellow
        LOG /var/log/messages NOTICE COLOR=red
        LOG /var/log/secure BREAKIN

Yet, nothing appears in the top half and it never changes from green.


No entries in /var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>

No entries in /var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>


Full log /var/log/messages
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/messages>
Jan 10 13:31:40 sirona ecroft: NOTICE

Full log /var/log/secure
<http://phanes/hobbit-cgi/bb-hostsvc.sh?CLIENT=sirona.hq.openratings.com&SECTION=msgs:/var/log/secure>
Jan 10 13:22:50 sirona sshd[5087]: Connection closed by 10.0.14.249
Jan 10 13:27:51 sirona sshd[5133]: Connection closed by 10.0.14.249
Jan 10 13:31:38 sirona ecroft: BREAKIN
Jan 10 13:32:52 sirona sshd[5181]: Connection closed by 10.0.14.249
Jan 10 13:37:53 sirona sshd[5227]: Connection closed by 10.0.14.249
Jan 10 13:42:54 sirona sshd[5273]: Connection closed by 10.0.14.249
Jan 10 13:47:55 sirona sshd[5319]: Connection closed by 10.0.14.249
Jan 10 13:52:56 sirona sshd[5365]: Connection closed by 10.0.14.249

--
If the sane say the insane are insane,
What if the sane are insane?
Would that make the insane sane?
Explains a lot in Washington!
 --E. Croft
    --
    Henrik Storner


-- 
If the sane say the insane are insane,
What if the sane are insane?
Would that make the insane sane?
Explains a lot in Washington!
 --E. Croft

Unless you have a reason not to (like a firewall you have no control over), install it with serverside configuration.  While hobbit may look and feel like BB (and use most of the bbc clients with little or no modification), it works differently.  With hobbit, set up with serverside config, you only have to maintain bbhosts on the server. Check out the man pages that you can link via the web page.

=G=
list Henrik Størner · Sat, 12 Jan 2008 17:46:32 +0100 ·
quoted from Edward Croft
On Sat, Jan 12, 2008 at 10:43:31AM -0500, Edward Croft wrote:
On Jan 12, 2008 9:15 AM, Henrik Stoerner <user-ce4a2c883f75@xymon.invalid> wrote:
Have you configured your client(s) for server-side or client-side
configuration ?
I have it set up on different machines, in different configurations trying
to find the one that works.

Ok, let's pick ONE machine and get that to work. Preferably one where
the client is configured for server-side configuration. Verify this by
looking at the "conn" status - you must have a "Client data available" 
link right above the graph. If there's no link, then the client isn't
sending a Hobbit "client" message, but just the old-style BB messages.


I'll assume this client system is called "testhost.foo.com". Your 
client-local.cfg (on the hobbit server) should then have

    [testhost.foo.com]
    log:/var/log/messages:10240
    trigger NOTICE
    trigger WARNING

    log:/var/log/secure:10240
    ignore "Connection closed by"
    trigger BREAKIN

Changes to client-local.cfg can take up to 15 minutes to trickle down to
the client. You can speed this up by 1) sending a HUP signal to the
hobbitd process on the Hobbit server, and then 2) restarting the Hobbit
client software. After restarting the client, it takes 5 minutes for the
changes to take effect.


Your hobbit-clients.cfg - also on the Hobbit server - must have these
lines:

    HOST=testhost.foo.com
         LOG /var/log/messages WARNING COLOR=yellow
         LOG /var/log/messages NOTICE COLOR=red
         LOG /var/log/secure BREAKIN

You can test the configuration on the Hobbit server with the
"hobbitd_client --test" command. Like this:

    $ bbcmd hobbitd_client --test
    2008-01-12 17:41:18 Using default environment file /usr/lib/hobbit/server/etc/hobbitserver.cfg
    Hostname (.=end, ?=dump, !=reload) []: testhost.foo.com
    Hosttype []:
    Test (cpu, mem, disk, proc, log, port): log
    log filename: /var/log/secure
    To read log data from a file, enter '@FILENAME' at the prompt
    log line: Jan 10 13:22:50 sirona sshd[5087]: Connection closed by 10.0.14.249
    log line: Jan 10 13:27:51 sirona sshd[5133]: Connection closed by 10.0.14.249
    log line: Jan 10 13:31:38 sirona ecroft: BREAKIN
    log line: Jan 10 13:32:52 sirona sshd[5181]: Connection closed by 10.0.14.249
    log line: Jan 10 13:37:53 sirona sshd[5227]: Connection closed by 10.0.14.249
    log line:
    Log status is red

    &red Jan 10 13:22:50 sirona sshd[5087]: Connection closed by
    10.0.14.249Jan 10 13:27:51 sirona sshd[5133]: Connection closed by
    10.0.14.249Jan 10 13:31:38 sirona ecroft: BREAKINJan 10 13:32:52 sirona
    sshd[5181]: Connection closed by 10.0.14.249Jan 10 13:37:53 sirona
    sshd[5227]: Connection closed by 10.0.14.249

Also, while in the "hobbitd_client --test" environment, you can use the
dump-command to see how your hobbit-clients.cfg was parsed.


If this doesn't make your msgs column go red, then I'd like to have a
look at the bb-hosts entry for this host, and your client-local.cfg and
hobbit-clients.cfg files. You can send them directly to me, no need to
bother the entire mailing list with them.


Regards,
Henrik
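
The two-stage log check described in the message above, as an added example (not part of the thread and not Hobbit/Xymon code): a simplified Python model that parses the client-local.cfg and hobbit-clients.cfg fragments from the message, drops lines matching the client-side "ignore" patterns, and colours what remains with the server-side LOG rules. Assumptions: the function names are hypothetical, patterns are treated as regular expressions matched anywhere in the line, a LOG rule without COLOR= is red, and "trigger" and the size limit are not modelled.

```python
import re
# Constructed inputs: the server-side files and two log lines quoted in the thread.
CLIENT_LOCAL = """[testhost.foo.com]
log:/var/log/messages:10240
trigger NOTICE
trigger WARNING
log:/var/log/secure:10240
ignore "Connection closed by"
trigger BREAKIN
"""
HOBBIT_CLIENTS = """HOST=testhost.foo.com
    LOG /var/log/messages WARNING COLOR=yellow
    LOG /var/log/messages NOTICE COLOR=red
    LOG /var/log/secure BREAKIN
"""
SECURE = [
    "Jan 10 13:22:50 sirona sshd[5087]: Connection closed by 10.0.14.249",
    "Jan 10 13:31:38 sirona ecroft: BREAKIN",
]
RANK = {"green": 0, "yellow": 1, "red": 2}

def parse_client_local(text):
    """Return {host: {logfile: [ignore patterns]}} from client-local.cfg text."""
    cfg, host, logfile = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            host, logfile = line[1:-1], None
            cfg[host] = {}
        elif line.startswith("log:") and host:
            logfile = line.split(":")[1]
            cfg[host][logfile] = []
        elif line.startswith("ignore ") and logfile:
            cfg[host][logfile].append(line[7:].strip().strip('"'))
    return cfg

def parse_log_rules(text):
    """Return {host: [(logfile, pattern, colour)]}; colour assumed red if unset."""
    rules, host = {}, None
    for parts in (raw.split() for raw in text.splitlines()):
        if parts and parts[0].startswith("HOST="):
            host = parts[0][5:]
            rules[host] = []
        elif len(parts) >= 3 and parts[0] == "LOG" and host:
            colour = next((o[6:] for o in parts[3:] if o.startswith("COLOR=")), "red")
            rules[host].append((parts[1], parts[2], colour))
    return rules

def evaluate(host, logfile, lines, client_cfg, rules):
    """Drop client-side ignores, apply LOG rules as regexes (assumption)."""
    ignores = client_cfg.get(host, {}).get(logfile, [])
    sent = [l for l in lines if not any(re.search(p, l) for p in ignores)]
    hits = [(c, l) for l in sent for f, p, c in rules.get(host, [])
            if f == logfile and re.search(p, l)]
    colour = max((c for c, _ in hits), key=RANK.get, default="green")
    return colour, hits

if __name__ == "__main__":
    cfg, rules = parse_client_local(CLIENT_LOCAL), parse_log_rules(HOBBIT_CLIENTS)
    print(evaluate("testhost.foo.com", "/var/log/secure", SECURE, cfg, rules))
```

In this model a host that has no matching HOST= section gets no LOG rules at all, so its log status stays green whatever the log contains.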
list Edward Croft · Sat, 12 Jan 2008 22:29:54 -0500 ·
Thank you both. I will check this out first thing Monday morning.
quoted from Henrik Størner

On Jan 12, 2008 11:46 AM, Henrik Stoerner <user-ce4a2c883f75@xymon.invalid> wrote:
On Sat, Jan 12, 2008 at 10:43:31AM -0500, Edward Croft wrote:
On Jan 12, 2008 9:15 AM, Henrik Stoerner <user-ce4a2c883f75@xymon.invalid> wrote:
Have you configured your client(s) for server-side or client-side
configuration ?
I have it set up on different machines, in different configurations trying
to find the one that works.
Ok, let's pick ONE machine and get that to work. Preferably one where
the client is configured for server-side configuration. Verify this by
looking at the "conn" status - you must have a "Client data available"
link right above the graph. If there's no link, then the client isn't
sending a Hobbit "client" message, but just the old-style BB messages.


I'll assume this client system is called "testhost.foo.com". Your
client-local.cfg (on the hobbit server) should then have

   [testhost.foo.com]
   log:/var/log/messages:10240
   trigger NOTICE
   trigger WARNING

   log:/var/log/secure:10240
   ignore "Connection closed by"
   trigger BREAKIN

Changes to client-local.cfg can take up to 15 minutes to trickle down to
the client. You can speed this up by 1) sending a HUP signal to the
hobbitd process on the Hobbit server, and then 2) restarting the Hobbit
client software. After restarting the client, it takes 5 minutes for the
changes to take effect.


Your hobbit-clients.cfg - also on the Hobbit server - must have these
lines:

   HOST=testhost.foo.com
        LOG /var/log/messages WARNING COLOR=yellow
        LOG /var/log/messages NOTICE COLOR=red
        LOG /var/log/secure BREAKIN

You can test the configuration on the Hobbit server with the
"hobbitd_client --test" command. Like this:

   $ bbcmd hobbitd_client --test
   2008-01-12 17:41:18 Using default environment file /usr/lib/hobbit/server/etc/hobbitserver.cfg
   Hostname (.=end, ?=dump, !=reload) []: testhost.foo.com
   Hosttype []:
   Test (cpu, mem, disk, proc, log, port): log
   log filename: /var/log/secure
   To read log data from a file, enter '@FILENAME' at the prompt
   log line: Jan 10 13:22:50 sirona sshd[5087]: Connection closed by 10.0.14.249
   log line: Jan 10 13:27:51 sirona sshd[5133]: Connection closed by 10.0.14.249
   log line: Jan 10 13:31:38 sirona ecroft: BREAKIN
   log line: Jan 10 13:32:52 sirona sshd[5181]: Connection closed by 10.0.14.249
   log line: Jan 10 13:37:53 sirona sshd[5227]: Connection closed by 10.0.14.249
   log line:
   Log status is red

   &red Jan 10 13:22:50 sirona sshd[5087]: Connection closed by
   10.0.14.249Jan 10 13:27:51 sirona sshd[5133]: Connection closed by
   10.0.14.249Jan 10 13:31:38 sirona ecroft: BREAKINJan 10 13:32:52 sirona
   sshd[5181]: Connection closed by 10.0.14.249Jan 10 13:37:53 sirona
   sshd[5227]: Connection closed by 10.0.14.249

Also, while in the "hobbitd_client --test" environment, you can use the
dump-command to see how your hobbit-clients.cfg was parsed.


If this doesn't make your msgs column go red, then I'd like to have a
look at the bb-hosts entry for this host, and your client-local.cfg and
hobbit-clients.cfg files. You can send them directly to me, no need to
bother the entire mailing list with them.


Regards,
Henrik

-- 
If the sane say the insane are insane,
What if the sane are insane?
Would that make the insane sane?
Explains a lot in Washington!
 --E. Croft