Xymon Mailing List Archive search

Help tracking down ghost client

5 messages in this thread

list Robert Herron · Wed, 15 Oct 2014 16:24:48 -0400 · 
Xymon 4.3.17 on Oracle Linux 6

I have a ghost showing up on the my "Ghost Clients" report and I can't
figure out what's is happening.  A quick search of the archive didn't turn
up anything similar.

On the Ghost Client report:
Hostname              Sent from    Candidate            Report age
mail07.example.com    10.10.1.2    xymon.example.com    0:32

This "mail07" [g]hostname doesn't exist in my hosts.cfg.  It was removed
when the host was decommissioned two months ago.

The "sent from" address is my Xymon server.  The "report age" counts up to
just over 3 minutes, resets to 0, and starts incrementing again.

This [g]host was a net-only testing host -- CONN, SMTP, and HTTP. There are
references to the [g]hostname in analysis.cfg and alerts.cfg but those
shouldn't cause this.  The "mail07" string does occur in the
~/server/tmp/xymond.chk file but it seems to be ghost report.  The
xymond.chk line ends in "nGhost reports:\n  10.10.1.2      reported host
mail07.example.com\n|||0|0". No other file in ~/server/etc contains
"mail07".

I added "--debug" to the xymonnet's CMD line and to the
~/server/ext/xymonnet-again.sh but "mail07" doesn't show up in either log.

Any thoughts on where to look next?

Thanks.


Robert Herron
user-8b27ea4290da@xymon.invalid
list Patrick Nixon · Wed, 15 Oct 2014 16:29:41 -0400 · 
Is there a new host on 10.10.1.2 that might be reporting into xymon?

On Wed, Oct 15, 2014 at 4:24 PM, Robert Herron <user-8b27ea4290da@xymon.invalid>
quoted from Robert Herron
wrote:

Xymon 4.3.17 on Oracle Linux 6

I have a ghost showing up on the my "Ghost Clients" report and I can't
figure out what's is happening.  A quick search of the archive didn't turn
up anything similar.

On the Ghost Client report:
Hostname              Sent from    Candidate            Report age
mail07.example.com    10.10.1.2    xymon.example.com    0:32

This "mail07" [g]hostname doesn't exist in my hosts.cfg.  It was removed
when the host was decommissioned two months ago.

The "sent from" address is my Xymon server.  The "report age" counts up to
just over 3 minutes, resets to 0, and starts incrementing again.

This [g]host was a net-only testing host -- CONN, SMTP, and HTTP. There
are references to the [g]hostname in analysis.cfg and alerts.cfg but those
shouldn't cause this.  The "mail07" string does occur in the
~/server/tmp/xymond.chk file but it seems to be ghost report.  The
xymond.chk line ends in "nGhost reports:\n  10.10.1.2      reported host
mail07.example.com\n|||0|0". No other file in ~/server/etc contains
"mail07".

I added "--debug" to the xymonnet's CMD line and to the
~/server/ext/xymonnet-again.sh but "mail07" doesn't show up in either log.

Any thoughts on where to look next?

Thanks.


Robert Herron
user-8b27ea4290da@xymon.invalid
list Paul Root · Wed, 15 Oct 2014 21:13:10 +0000 · 
This generally means that the xymon server is still performing a test on this address.

Do you have any ext scripts or maybe cron scripts that still are running to look at this machine.

What I generally do is add the machine back into the hosts.cfg file so it will show up and tell me what test is the issue. Fix that and remove the host again.
quoted from Robert Herron

From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Robert Herron
Sent: Wednesday, October 15, 2014 3:25 PM
To: xymon
Subject: [Xymon] Help tracking down ghost client

Xymon 4.3.17 on Oracle Linux 6
I have a ghost showing up on the my "Ghost Clients" report and I can't figure out what's is happening.  A quick search of the archive didn't turn up anything similar.
On the Ghost Client report:
Hostname              Sent from    Candidate            Report age

mail07.example.com<http://mail07.example.com>;    10.10.1.2    xymon.example.com<http://xymon.example.com>;    0:32
quoted from Patrick Nixon

This "mail07" [g]hostname doesn't exist in my hosts.cfg.  It was removed when the host was decommissioned two months ago.

The "sent from" address is my Xymon server.  The "report age" counts up to just over 3 minutes, resets to 0, and starts incrementing again.

This [g]host was a net-only testing host -- CONN, SMTP, and HTTP. There are references to the [g]hostname in analysis.cfg and alerts.cfg but those shouldn't cause this.  The "mail07" string does occur in the ~/server/tmp/xymond.chk file but it seems to be ghost report.  The xymond.chk line ends in "nGhost reports:\n  10.10.1.2      reported host mail07.example.com<http://mail07.example.com>\n|||0|0";. No other file in ~/server/etc contains "mail07".
quoted from Patrick Nixon
I added "--debug" to the xymonnet's CMD line and to the ~/server/ext/xymonnet-again.sh but "mail07" doesn't show up in either log.

Any thoughts on where to look next?
Thanks.


Robert Herron

user-8b27ea4290da@xymon.invalid<mailto:user-8b27ea4290da@xymon.invalid>
list Tres Finocchiaro · Wed, 15 Oct 2014 20:37:13 -0400 · 
I've had incorrect IPs reported when there were invalid settings in DNS.
Possibly another place to look if your server is configured to use DNS.

- user-88678e65ced1@xymon.invalid

On Wed, Oct 15, 2014 at 5:13 PM, Root, Paul T <user-76fdb6883669@xymon.invalid>
quoted from Paul Root
wrote:

 This generally means that the xymon server is still performing a test on
this address.


Do you have any ext scripts or maybe cron scripts that still are running
to look at this machine.


What I generally do is add the machine back into the hosts.cfg file so it
will show up and tell me what test is the issue. Fix that and remove the
host again.


*From:* Xymon [mailto:xymon-bounces at xymon.com] *On Behalf Of *Robert
Herron
*Sent:* Wednesday, October 15, 2014 3:25 PM
*To:* xymon
*Subject:* [Xymon] Help tracking down ghost client


Xymon 4.3.17 on Oracle Linux 6

I have a ghost showing up on the my "Ghost Clients" report and I can't
figure out what's is happening.  A quick search of the archive didn't turn
up anything similar.

On the Ghost Client report:

Hostname              Sent from    Candidate            Report age
mail07.example.com    10.10.1.2    xymon.example.com    0:32


This "mail07" [g]hostname doesn't exist in my hosts.cfg.  It was removed
when the host was decommissioned two months ago.

The "sent from" address is my Xymon server.  The "report age" counts up to
just over 3 minutes, resets to 0, and starts incrementing again.

This [g]host was a net-only testing host -- CONN, SMTP, and HTTP. There
are references to the [g]hostname in analysis.cfg and alerts.cfg but those
shouldn't cause this.  The "mail07" string does occur in the
~/server/tmp/xymond.chk file but it seems to be ghost report.  The
xymond.chk line ends in "nGhost reports:\n  10.10.1.2      reported host
mail07.example.com\n|||0|0". No other file in ~/server/etc contains
"mail07".

I added "--debug" to the xymonnet's CMD line and to the
~/server/ext/xymonnet-again.sh but "mail07" doesn't show up in either log.


Any thoughts on where to look next?

Thanks.


Robert Herron
user-8b27ea4290da@xymon.invalid
list Robert Herron · Tue, 21 Oct 2014 09:47:35 -0400 · 
This was the trick.  There was an external test/script still using the old
mail server's name.  This external test was under the Xymon's server's
~xymon/client/ext directory and I didn't think to look there with my "it
must be a xymonnet test" blinders.

Thanks for the help.


Robert Herron
user-8b27ea4290da@xymon.invalid
quoted from Tres Finocchiaro

On Wed, Oct 15, 2014 at 5:13 PM, Root, Paul T <user-76fdb6883669@xymon.invalid>
wrote:

 This generally means that the xymon server is still performing a test on
this address.


Do you have any ext scripts or maybe cron scripts that still are running
to look at this machine.


What I generally do is add the machine back into the hosts.cfg file so it
will show up and tell me what test is the issue. Fix that and remove the
host again.