Xymon Mailing List Archive

analysis.cfg - LOG - keyword matching

3 messages in this thread

Becker Christian · Tue, 9 Aug 2016 07:53:02 +0000
Hello out there,


Yesterday I recognized that one of our servers has error messages in /var/log/messages every day.

The entries are:

Aug  8 11:08:26 mrv-online-4 kernel: [3356791.776050] EXT4-fs (dm-8): error count since last fsck: 6
Aug  8 11:08:26 mrv-online-4 kernel: [3356791.776080] EXT4-fs (dm-8): initial error at time 1468716722: ext4_journal_check_start:56
Aug  8 11:08:26 mrv-online-4 kernel: [3356791.776085] EXT4-fs (dm-8): last error at time 1468743842: ext4_put_super:798


In the analysis.cfg of the Xymon server, there is a DEFAULT section with the following content:

DEFAULT
# These are the built-in defaults.
        UP      3
        CLOCK   60
        LOAD    5.0 10.0
        DISK    * 90 95
        MEMPHYS 100 101
        MEMSWAP 80 90
        MEMACT  90 97
        FILE    /var/log/ntp SIZE>0
        FILE    %/var/(adm|log)/messages
        LOG     %/var/(adm|log)/messages WARNING IGNORE=%(smbd|STORVSC:*.WARNING\!|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=yellow
        LOG     %/var/(adm|log)/messages %(I/O|read).error IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt) COLOR=red
        LOG     %/var/(adm|log)/messages Remounting.filesystem.read-only COLOR=red
        LOG     %/var/(adm|log)/messages ERROR IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red
        LOG     %/var/(adm|log)/messages FAIL IGNORE=%(smbd|Connection.reset.by.peer|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport|NT_STATUS_LOGON_FAILURE|LOGIN|STARTTLS) COLOR=red
        LOG     %/var/(adm|log)/messages CRITICAL IGNORE=%(smbd|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red
        LOG     %/var/(adm|log)/messages ALERT COLOR=red
        LOG     %/var/(adm|log)/messages There.are.errors.in.the.filesystem COLOR=red
        PROC    "syslog"


I was thinking that this directive
        LOG     %/var/(adm|log)/messages ERROR IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red
should let msgs go to red, since the message of the affected server contains the keyword "error", even in lowercase. But the history of the msgs test for the affected server doesn't show any red status.
I do not have the statement (?-i) in the analysis.cfg as documented in the Xymon man-pages:

Note that Xymon defaults to case-insensitive pattern matching; if that is not what you want, put "(?-i)" between the "%" and the regular expression to turn this off. E.g. "%(?-i)WARNING" will match the word WARNING only when it is upper-case.

Is my thinking wrong?

Regards
Christian


Christian Becker
IT-Services
Mittelrhein-Verlag GmbH
August-Horch-Straße 28
D-56070 Koblenz
Verleger und Geschäftsführer: Walterpeter Twer
Reg.-Gericht Koblenz HRB 121
Finanzamt Koblenz Str.Nr. 22 65 10 285 2
www.rhein-zeitung.de

Jeremy Laidman · Wed, 10 Aug 2016 03:46:34 +0000
Christian

On Tue, Aug 9, 2016 at 5:53 PM Becker Christian <user-e4a19bfb94c0@xymon.invalid> wrote:
<snip>
I was thinking that this directive

        LOG     %/var/(adm|log)/messages ERROR IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red

should let msgs go to red, since the message of the affected server
contains the keyword “error”, even in lowercase. But the history of the
msgs test for the affected server doesn’t show any red status.

I do not have the statement (?-i) in the analysis.cfg as documented in
the Xymon man-pages:


*Note that Xymon defaults to case-insensitive pattern matching; if that is
not what you want, put "(?-i)" between the "%" and the regular expression
to turn this off. E.g. "%(?-i)WARNING" will match the word WARNING only
when it is upper-case.*


*Is my thinking wrong?*
A little.

The man page mentions using "%(?-i)" in the context of matching regular
expressions.  For non-regular-expressions, this doesn't apply.  The code
that performs a non-RE match is:

        return (strstr(datatosearch, pattern) != NULL);

"strstr()" is a case-sensitive string match, so "ERROR" will not match
"error".

You can either have a second line with the lower-case string, or convert to
regular expression, and take advantage of the case-insensitive match:

        LOG     %/var/(adm|log)/messages %ERROR IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red

Cheers
Jeremy
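
The two matching modes described in the reply above, as an added example that is not part of the original thread and not Xymon's own code. The names `log_pattern_matches` and `rule_fires` are hypothetical, POSIX `regcomp()` is swapped in for Xymon's regex engine, and treating IGNORE as "skip lines that match it" is an assumption of this sketch.

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper. No leading '%': literal, case-sensitive strstr().
 * Leading '%': regex, case-insensitive unless it starts with "(?-i)".
 * POSIX regex has no inline flags, so "(?-i)" is handled by hand here. */
bool log_pattern_matches(const char *line, const char *pattern)
{
    if (pattern[0] != '%')
        return strstr(line, pattern) != NULL;

    const char *re = pattern + 1;
    int flags = REG_EXTENDED | REG_NOSUB | REG_ICASE;
    if (strncmp(re, "(?-i)", 5) == 0) {
        re += 5;
        flags &= ~REG_ICASE;
    }
    regex_t compiled;
    if (regcomp(&compiled, re, flags) != 0)
        return false;                 /* invalid regex: treat as no match */
    bool hit = regexec(&compiled, line, 0, NULL, 0) == 0;
    regfree(&compiled);
    return hit;
}

/* Assumed rule semantics: fire when the pattern matches and the optional
 * IGNORE pattern (may be NULL) does not. */
bool rule_fires(const char *line, const char *pattern, const char *ignore)
{
    return log_pattern_matches(line, pattern) &&
           !(ignore && log_pattern_matches(line, ignore));
}

/* Log line taken from the first message in the thread. */
static const char *SAMPLE =
    "Aug  8 11:08:26 mrv-online-4 kernel: [3356791.776050] "
    "EXT4-fs (dm-8): error count since last fsck: 6";

int main(void)
{
    const char *patterns[] = { "ERROR", "error", "%ERROR", "%(?-i)ERROR" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
        printf("%-12s -> %s\n", patterns[i],
               log_pattern_matches(SAMPLE, patterns[i]) ? "match" : "no match");
    return 0;
}
```
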
Becker Christian · Wed, 10 Aug 2016 06:30:04 +0000
Hi Jeremy,


Thank you for your help – that was a good explanation to me of what the man pages do not really show ;-)


Regards
Christian


