client-local.cfg ignore a complicated line - syntax issue?
list Betsy Schwartz
I'm probably missing something obvious here, but I'm getting stuck.

I'm looking at a logfile and I would like to ignore lines like this:

    Sep 11 22:24:36 10.65.0.6 apcontroller: *bcastReceiveTask: Sep 11 22:24:36.407: %DTL-4-ARP_ORPHANPKT_DETECTED: dtl_net.c:1426 STA(Target MAC Address) [d4:9a:20:58:46:34, 0.0.0.0] ARP (op ARP REQUEST) received with invalid SPA(Source IP Address) 10.0.10.157/TPA(Destination IP Address) 10.0.10.1

I've been playing around with variations like

    log:/appdata/logserver/local7.log:102400 IGNORE (apcontroller|cli.WARNING|cli.NOTICE)

or

    log:/appdata/logserver/local7.log:102400 IGNORE apcontroller|cli.WARNING|cli.NOTICE

or

    log:/appdata/logserver/local7.log:102400 IGNORE= (apcontroller|cli.WARNING|cli.NOTICE)

or

    log:/appdata/logserver/local7.log:102400 IGNORE=%(?-i)apcontroller|cli.WARNING|cli.NOTICE

and even

    log:/appdata/logserver/local7.log:102400 IGNORE apcontroller

(I'd like to ignore the cli.WARNING and cli.NOTICE too, but there are really too many apcontroller lines)

Please, what is the syntax I need for this? Or is this a problem because it's a complicated line containing so many special sorts of characters?

thanks
Betsy
list Jeremy Laidman
Betsy
On 12 September 2014 13:00, Betsy Schwartz <user-c61747246f66@xymon.invalid> wrote:

> I've been playing around with variations like
>     log:/appdata/logserver/local7.log:102400 IGNORE (apcontroller|cli.WARNING|cli.NOTICE)
> or
>     log:/appdata/logserver/local7.log:102400 IGNORE apcontroller|cli.WARNING|cli.NOTICE
> or
>     log:/appdata/logserver/local7.log:102400 IGNORE= (apcontroller|cli.WARNING|cli.NOTICE)
> or

None of those is going to work because you're using PCREs but you haven't told Xymon that they're PCREs with the percent.

>     log:/appdata/logserver/local7.log:102400 IGNORE=%(?-i)apcontroller|cli.WARNING|cli.NOTICE

This should work. I tested it with pcregrep against your log message and it matched, meaning it should have ignored it.

> and even
>     log:/appdata/logserver/local7.log:102400 IGNORE apcontroller

I would expect this to work too, but the man page for client-local.cfg says that the pattern "is a regular expression" and so it might not match this without the "%". Have you tried just "IGNORE %apcontroller"?

> Please, what is the syntax I need for this? Or is this a problem because it's a complicated line containing so many special sorts of characters?

This shouldn't matter. It might, but it shouldn't.

J
list Jeremy Laidman
Ah, the "ignore" should be on a separate line. Like so:

    log:/appdata/logserver/local7.log:102400
    ignore %(?-i)apcontroller|cli.WARNING|cli.NOTICE

And it's lower-case.

This is in your client-local.cfg right?
list Jeremy Laidman
On 12 September 2014 18:23, Jeremy Laidman <user-71895fb2e44c@xymon.invalid> wrote:
> And it's lower-case.

Sorry, I meant that "ignore" is usually in lower-case. I'm not sure it matters, but the man page examples use "ignore matchstring" in lower-case. The upper-case version, like "IGNORE=matchstring", is the format used in analysis.cfg, and defines what to ignore when alerting rather than what to ignore when sending log messages.

If you're trying to create a rule for analysis.cfg, then your "log" line is in the wrong format, and should be

    LOG /appdata/logserver/local7.log IGNORE=%(?-i)apcontroller|cli.WARNING|cli.NOTICE

J
list Betsy Schwartz
Sorry meant to cc the previous message to the list.

Correcting the line wrapping made my lines start to take effect but also caused logfetch to dump core

This causes a core dump:

    log:/appdata/logserver/local7.log:102400
    trigger brocade
    ignore %.*(apcontroller|cli.WARNING|cli.NOTICE).*

This works

    log:/appdata/logserver/local7.log:102400
    trigger brocade
    ignore apcontroller

so now, question is how to ignore more than one thing :-)

It sounds from this thread (Thanks Jeremy) that maybe multiple bogus trigger lines would help:
http://lists.xymon.com/archive/2013-August/038002.html

---------- Forwarded message ----------
From: Betsy Schwartz <user-c61747246f66@xymon.invalid>
Date: Fri, Sep 12, 2014 at 7:44 AM
Subject: Re: [Xymon] client-local.cfg ignore a complicated line - syntax issue?
To: Jeremy Laidman <user-71895fb2e44c@xymon.invalid>

Hm, somewhere in there I had gotten onto one line, thanks
this is for client-launch.cfg

I tried this

    ignore %(?-i)apcontroller|cli.WARNING|cli.NOTICE

and got a core dump on the client
upgraded the client from 4.3.12 to 4.3.17
still got a core dump

    [root at syslog1 logs]# tail xymonclient.log
    /home/xymon/client/bin/xymonclient.sh: line 60: 33209 Segmentation fault (core dumped) $XYMONHOME/bin/logfetch $LOGFETCHCFG $LOGFETCHSTATUS >> $MSGTMPFILE
list Japheth Cleaver
The ignore/triggercount bug has been fixed in trunk and the 4.3.18 branch, but not released yet (https://sourceforge.net/p/xymon/code/7462/)

Also, it's worth re-iterating that logfetch uses POSIX regex's, not PCRE ones, so some of the syntactic sugar is different there...

Regards,
-jc
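Added example (not part of the thread and not Xymon's code): a small C check that runs the patterns discussed above through the POSIX regcomp()/regexec() API against the start of the log line from the first message. The flags REG_EXTENDED | REG_NOSUB and the helper names ere_match() and would_ignore() are assumptions made for illustration, not logfetch's actual implementation.

```c
#include <regex.h>
#include <stdio.h>

/* Constructed sample: start of the log line quoted in the first message. */
static const char *SAMPLE_LINE =
    "Sep 11 22:24:36 10.65.0.6 apcontroller: *bcastReceiveTask: "
    "Sep 11 22:24:36.407: %DTL-4-ARP_ORPHANPKT_DETECTED: dtl_net.c:1426";

/* 1 = line matches pattern as a POSIX ERE, 0 = compiles but no match,
 * -1 = regcomp() rejected the pattern. */
int ere_match(const char *pattern, const char *line)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, line, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Hypothetical helper: a line is dropped only if the pattern compiles
 * and matches it. */
int would_ignore(const char *pattern, const char *line)
{
    return ere_match(pattern, line) == 1;
}

int main(void)
{
    /* "(?-i)" is a PCRE inline option. POSIX ERE does not define it, so a
     * libc may reject it or parse it as something else entirely. */
    const char *patterns[] = {
        "(?-i)apcontroller|cli.WARNING|cli.NOTICE",
        "apcontroller|cli.WARNING|cli.NOTICE",
        ".*(apcontroller|cli.WARNING|cli.NOTICE).*",
    };
    size_t i;

    for (i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
        printf("%-45s ere_match=%d\n", patterns[i],
               ere_match(patterns[i], SAMPLE_LINE));

    /* An unescaped '.' matches any character, so "cli.WARNING" is looser
     * than the literal string; "cli\\.WARNING" pins the dot. */
    printf("cli.WARNING vs cliXWARNING:   %d\n",
           ere_match("cli.WARNING", "cliXWARNING"));
    printf("cli\\.WARNING vs cliXWARNING:  %d\n",
           ere_match("cli\\.WARNING", "cliXWARNING"));
    return 0;
}
```

A pattern that pcregrep accepts can therefore still fail to filter anything once it is handed to a POSIX regex engine, which is worth checking before relying on an ignore rule to cut log volume.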
list Andy Smith
I have a note in my client-local.cfg that having both trigger and ignore for a log definition causes logfetch to crash, so I figured you can do one or the other but not both at the client side.

I ended up with something quite sophisticated as suggested on this list using backticks to execute the grep on the client side and creating a temporary file which is then analysed as normal at the server. It works well.

--
Andy