Migrating from BBWin to Xymon PS Client

5 messages in this thread

list Timothy Persoon · Tue, 24 Mar 2015 09:54:38 +0100 ·
Hi,

I'm migrating from BBWin to the newest Xymon PS Client. However, there are 
some settings in the BBWin.cfg file that I can't seem to migrate to the 
analysis.cfg file.

In BBWin there are several message checks:
<msgs>
        <setting name="alwaysgreen" value="false" />
        <ignore logfile="Application" eventid="1000" />
        <ignore logfile="Application" eventid="16385" />
        <ignore logfile="Application" eventid="8198" />
        <ignore logfile="Application" eventid="489" />
        <ignore logfile="System" eventid="6038" />
        <setting name="delay" value="1h" />
        <match logfile="System" type="error" alarmcolor="red" />
        <match logfile="System" type="warning" alarmcolor="yellow" />
        <match logfile="Application" type="error" alarmcolor="red" />
        <match logfile="Application" type="warning" alarmcolor="yellow" />
        <match logfile="Security" type="fail" />
</msgs>

but how do I migrate those to analysis.cfg? There seem to be two options:
1) LOG eventlog_application     %^warning       COLOR=red
2) LOG eventlog:Application     %warning        COLOR=red

Is there a difference between these two notations and is it even possible 
to migrate the settings of BBWin.cfg to the analysis.cfg?

Kind regards,

Timothy
list Timothy · Tue, 24 Mar 2015 10:31:33 +0100 ·
Hi,

I'm migrating from BBWin to the newest Xymon PS Client. However, there 
are some settings in the BBWin.cfg file that I can't seem to migrate to 
the analysis.cfg file.

In BBWin there are several message checks:
<msgs>
     <setting name="alwaysgreen" value="false" />
     <ignore logfile="Application" eventid="1000" />
     <ignore logfile="Application" eventid="16385" />
     <ignore logfile="Application" eventid="8198" />
     <ignore logfile="Application" eventid="489" />
     <ignore logfile="System" eventid="6038" />
     <setting name="delay" value="1h" />
     <match logfile="System" type="error" alarmcolor="red" />
     <match logfile="System" type="warning" alarmcolor="yellow" />
     <match logfile="Application" type="error" alarmcolor="red" />
     <match logfile="Application" type="warning" alarmcolor="yellow" />
     <match logfile="Security" type="fail" />
</msgs>

but how do I migrate those to analysis.cfg? There seem to be two options:
1) LOG eventlog_application    %^warning    COLOR=red
2) LOG eventlog:Application    %warning    COLOR=red

Is there a difference between these two notations and is it even 
possible to migrate the settings of BBWin.cfg to the analysis.cfg?

Kind regards,

Timothy
list Brandon Dale · Mon, 30 Mar 2015 03:36:45 +0000 ·
I think this will work:

    LOG     eventlog_System       %^error.*    COLOR=red
    LOG     eventlog_System       %^warning.*  COLOR=yellow
    LOG     eventlog_Application  %^error.*    COLOR=red
    LOG     eventlog_Application  %^warning.*  COLOR=yellow
    LOG     eventlog_Security     %^failure.*  COLOR=red

The ignore rules for the eventids I'm not sure about; in the past with BBWin I have always had to ignore based on the message detail. If someone knows how to do this, I would also like to know.

In the latest PowerShell client, this is the type of data that you get for events; the eventid is 1 in the example below.

Warning - 03/30/2015 14:11:25 - [1] - test - This is a test message.

However, I haven't had any success using an ignore rule to match anything other than the "This is a test message" part of the message.

Regards,


Brandon
list Zak Beck · Mon, 30 Mar 2015 07:51:21 +0000 ·
Hi

The fields in the event log message from the PS client are as follows:

<level> - <date / time> - [<eventid>] - <provider> - <message>

Warning - 03/30/2015 14:11:25 - [1] - test - This is a test message.

In the example given, 'test' is the provider.

Ignore rules should match against provider or message. You cannot currently
ignore against event ids - I believe you could use them in alert.cfg though.

If you want to only receive warning or error 'level' messages, you can limit
using the eventlogswanted:

eventlogswanted:LIST_OF_EVENT_LOGS:MAX_SIZE:REQUIRED_LEVELS

REQUIRED_LEVELS is an optional list of the levels you want to report, e.g.:

eventlogswanted:*:250000:error,warning

Zak
list Brandon Dale · Thu, 2 Apr 2015 01:18:56 +0000 ·
It looks like you can also ignore against eventids in the analysis.cfg

Not very good at regex, but something like this might work, and then you can match on anything:

LOG     eventlog_Application  %^warning.* COLOR=yellow "IGNORE=%(\[1111\])|(\[2222\])|(\[1\] - test)"

I could be wrong, but I think analysis.cfg is the best place to do this if you want to be able to match on some combo of the provider / eventid / message etc. If you do it in alerts.cfg, you will still be changing the colour of the msgs test, which you might not want.


PowerShell skills aren't great either... but I think in the PowerShell client this is where the ignore rules are evaluated, in the XymonMsgs function:


1522                                    if ($entry.ProviderName -match $filter -or $entry.Message -match $filter)


You might be able to change it to something like:

$fullevent=[string]$level + " - " + [string]$entry.TimeCreated + " - " + "[$($entry.Id)] - " + [string]$entry.ProviderName + " - " + [string]$entry.Message
  if ($fullevent -match $filter)

so then you are matching against the entire message you see in the msgs column using client-local.cfg. The syntax is probably wrong and I don't know what else it would break, but you get the idea.


Regards,


Brandon
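
An added example, not part of any message in this thread and not Xymon's own code: it parses the event line format Zak describes and evaluates LOG/IGNORE-style rules over constructed sample lines, showing that the alternation suggested above also suppresses a line whose message text merely contains "[1111]", while an ignore pattern pinned to the eventid field does not. Assumptions: rules are applied per line and case-insensitively, Python's `re` stands in for the server's regex engine, and `parse_event`, `eventid_ignore` and `evaluate` are hypothetical helper names.

```python
import re

# Field layout given in the thread for PS-client event lines:
#   <level> - <date / time> - [<eventid>] - <provider> - <message>
EVENT_RE = re.compile(
    r"^(?P<level>\w+) - (?P<when>[^\[]+?) - \[(?P<eventid>\d+)\] - "
    r"(?P<provider>.*?) - (?P<message>.*)$")
SEVERITY = {"green": 0, "yellow": 1, "red": 2}
# Constructed sample lines (the first is the one quoted in the thread).
SAMPLE = [
    "Warning - 03/30/2015 14:11:25 - [1] - test - This is a test message.",
    "Warning - 03/30/2015 14:12:02 - [1111] - AppA - Cache flushed.",
    "Warning - 03/30/2015 14:13:40 - [77] - AppB - Job [1111] failed to start.",
    "Error - 03/30/2015 14:14:09 - [1000] - AppC - Faulting application.",
]
THREAD_IGNORE = r"(\[1111\])|(\[2222\])|(\[1\] - test)"  # pattern from the thread

def parse_event(line):
    """Split one event line into its five fields, or return None."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def eventid_ignore(ids):
    """Build an ignore regex pinned to the [eventid] field, so a
    bracketed number inside the message text cannot trigger it."""
    alt = "|".join(str(int(i)) for i in ids)
    return rf"^\w+ - [^\[]+ - \[(?:{alt})\] - "

def evaluate(lines, rules):
    """rules: list of (match_regex, color, ignore_regex or None).
    Returns the worst colour and the (color, line) pairs that raised it.
    Assumption: first matching rule wins, matching is case-insensitive."""
    worst, hits = "green", []
    for line in lines:
        for match, color, ignore in rules:
            if not re.search(match, line, re.I):
                continue
            if ignore and re.search(ignore, line, re.I):
                continue  # matched but suppressed; try the next rule
            hits.append((color, line))
            if SEVERITY[color] > SEVERITY[worst]:
                worst = color
            break
    return worst, hits

if __name__ == "__main__":
    print(evaluate(SAMPLE, [(r"^warning.*", "yellow", THREAD_IGNORE)]))
    print(evaluate(SAMPLE, [(r"^warning.*", "yellow", eventid_ignore([1111, 2222]))]))
```

Running candidate ignore patterns over a saved copy of real msgs output this way shows what a rule would hide before it goes into analysis.cfg.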