Xymon Mailing List Archive

Who Column Test

5 messages in this thread

Ray Reuter · Tue, 13 Nov 2012 10:05:25 -0500
I need to be able to alert off of the "who" column. An example would be if
there was less than 5 connections I would like to be alerted. I know way
back in Big Brother days there was a perl script to do just that but I am
having zero luck of finding it now.

Any suggestions would be greatly appreciated.

Thank you

Henrik Størner · Tue, 13 Nov 2012 17:22:34 +0100
On 13-11-2012 16:05, Ray Reuter wrote:
> I need to be able to alert off of the "who" column. An example would be
> if there was less than 5 connections I would like to be alerted. I know
> way back in Big Brother days there was a perl script to do just that but
> I am having zero luck of finding it now.

First step is to make the "who" status red - if you do that, then you can use the normal alert-rules to send out alerts.

Current Xymon versions allow you to modify the color of an existing status, by sending a "modify" command to xymond. So what I would do was to run a script on the Xymon server which regularly fetches all of the "who" statuses, counts how many users are logged in on each host, and then sends a "modify" status if the maximum is exceeded.


To get all of the "who" statuses, you can use
	xymon 127.0.0.1 "xymondboard test=who fields=hostname,msg"
The output from this command is one line per status, with the hostname, then a '|' delimiter, and then the status-message with new-line changed into '\n'. I'm sure someone with Perl / Python / whatever scripting knowledge could easily turn this into something where you could count the number of lines (one for each user, minus a couple of header-lines), but here's a C program that will do it:

--- cut here ---
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
        char buf[4096];
        char *hostname, *msg, *l_start, *l_end;

        /* One input line per host: hostname|status-message */
        while (fgets(buf, sizeof(buf), stdin)) {
                int loggedin = 0;

                hostname = strtok(buf, "|");
                msg = strtok(NULL, "\n");
                if (!msg) continue;     /* No status text for this host */

                /* Lines of the status are separated by a literal "\n" (backslash, n) */
                l_start = msg;
                do {
                        l_end = strstr(l_start, "\\n");

                        if ( (strncmp(l_start, "SESSIONNAME", 11) == 0) ||
                             (strncmp(l_start, ">", 1) == 0) ||
                             (strncmp(l_start, "rdp-tcp", 7) == 0) ||
                             (strncmp(l_start, "console", 7) == 0) ) {
                                /* Ignore the line */
                        }
                        else {
                                loggedin++;
                        }

                        /* Step past the two-character "\n" separator */
                        l_start = l_end ? (l_end + 2) : NULL;
                } while (l_start);

                fprintf(stdout, "%s %d\n", hostname, loggedin);
        }

        return 0;
}
--- cut here ---

Just save this to "whocount.c" and run "gcc -o whocount whocount.c" to compile it. It ignores lines beginning with the texts "SESSIONNAME", ">", "rdp-tcp" or "console" - I think those lines always appear in the "who" status regardless of who is logged in.

When you feed the input from the xymondboard command into this, it should output one line for each host with the hostname and the number of users logged in.

So putting it all together, this script will change the "who" status to red for all hosts where 5 or more users are logged in:

--- cut here ---
#!/bin/sh

LIMIT=5

# whocount prints "hostname count", one line per host
xymon 127.0.0.1 "xymondboard test=who fields=hostname,msg" | whocount | while read -r HOSTNAME LOGINCOUNT
do
     if test "$LOGINCOUNT" -gt "$LIMIT"
     then
         # Send the "modify" command to xymond to turn the status red
         xymon 127.0.0.1 "modify $HOSTNAME.who red whomon $LOGINCOUNT users logged in (max is $LIMIT)"
     fi
done

exit 0
--- cut here ---

(assumes the "whocount" utility is in your PATH).

You'd run this as an extra task from tasks.cfg - e.g. every 5 minutes.


Now you have the "who" status going red when too many users are logged in, so alerting is easy - just add

TEST=who COLOR=red
	MAIL user-e062f1bfb90c@xymon.invalid

to alerts.cfg .


Regards,
Henrik
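
A variant of the approach in the message above that alerts on a lower bound, as the original question asked (added example, not part of the thread; `MIN_SESSIONS`, the function names and the sample data are constructed for illustration). It parses the `xymondboard` output directly in awk, skips the same header lines as `whocount` plus blank lines, and validates the hostname before it is placed in a `modify` command.

```sh
#!/bin/sh
# Added example, not from the thread. MIN_SESSIONS, the function names and
# the sample data are assumptions made for illustration.
MIN_SESSIONS=${MIN_SESSIONS:-5}

# Read xymondboard lines ("hostname|msg", newlines as a literal \n) and print
# one "modify" message per host that has fewer than MIN_SESSIONS sessions.
low_session_messages() {
    awk -v min="$MIN_SESSIONS" '
    {
        sep = index($0, "|")
        if (sep < 2) next                   # no delimiter or empty hostname
        host = substr($0, 1, sep - 1)
        # The hostname ends up inside a command sent to xymond: accept only
        # characters a hostname can contain and drop the line otherwise.
        if (host !~ /^[A-Za-z0-9._-]+$/) next
        n = split(substr($0, sep + 1), line, /\\n/)
        count = 0
        for (i = 1; i <= n; i++) {
            # Same header lines the whocount program ignores, plus blank lines.
            if (line[i] == "" || line[i] ~ /^(SESSIONNAME|>|rdp-tcp|console)/) continue
            count++
        }
        if (count < min)
            printf "modify %s.who red whomon %d sessions (min is %d)\n", host, count, min
    }'
}

# Constructed sample in xymondboard format: ctx01 has 2 sessions, ctx02 has 6,
# and the last line carries a malformed hostname that must be skipped.
sample_board() {
    printf '%s\n' \
      'ctx01|SESSIONNAME USERNAME ID STATE\nrdp-tcp 65536 Listen\nica-tcp#1 alice 1 Active\nica-tcp#2 bob 2 Active\n' \
      'ctx02|SESSIONNAME USERNAME ID STATE\nica-tcp#1 u1 1 Active\nica-tcp#2 u2 2 Active\nica-tcp#3 u3 3 Active\nica-tcp#4 u4 4 Active\nica-tcp#5 u5 5 Active\nica-tcp#6 u6 6 Active' \
      'bad host|ica-tcp#1 carol 1 Active'
}

if [ "${1:-}" = "--send" ]; then
    # On the Xymon server: fetch the live statuses and send each message.
    xymon 127.0.0.1 "xymondboard test=who fields=hostname,msg" |
        low_session_messages |
        while IFS= read -r msg; do xymon 127.0.0.1 "$msg"; done
else
    sample_board | low_session_messages     # dry run on the constructed sample
fi
```

Without arguments the script only prints the messages it would send for the sample; `--send` is the mode to schedule from tasks.cfg.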

Ray Reuter · Tue, 13 Nov 2012 11:41:57 -0500
Thank you for the quick turnaround, I will give it a shot and let you know
how it works out, we need it for Citrix and want to make sure no fewer than
5 are logged in to any one machine.

Jeremy Laidman · Wed, 14 Nov 2012 10:57:10 +1100
What if you define a "DS" condition in your analysis.cfg that references
users.rrd, something like this:

HOST=name-of-host
  DS users users.rrd:la <5 COLOR=red "TEXT=User count %V is fewer than %L"

I'm assuming that the user count shown in "[uptime]" (that goes into
users.rrd) is the same as the count of entries in "[who]".

J

Henrik Størner · Wed, 14 Nov 2012 07:55:56 +0100
On 14-11-2012 00:57, Jeremy Laidman wrote:
> What if you define a "DS" condition in your analysis.cfg that references
> users.rrd, something like this:
>
> HOST=name-of-host
>    DS users users.rrd:la <5 COLOR=red "TEXT=User count %V is fewer than %L"
>
> I'm assuming that the user count shown in "[uptime]" (that goes into
> users.rrd) is the same as the count of entries in "[who]".

That would be another way of doing it, yes. The "DS" rules use the same 
"modify" command to update the status-color, so it is just a different 
way of detecting when to go red.


Regards,
Henrik