Xymon Mailing List Archive

Windows log monitoring

6 messages in this thread

Derek Deckert · Fri, 24 Jul 2009 07:54:25 -0500
Hey everyone,

So I had this discussion before and it didn't go anywhere.  I now know
that you cannot disable the full display of the logs but is there a way to
filter... I have it set up but could someone show me their client-local.cfg
lines for the Windows machines?

Also for a last chance effort is there any way to not have xymon store the
logs in data dir..... It takes up a lot of space and fills our 100GB
hard drive by 2% every day.  What could I do to have it not store it or just
look at it and toss it...... any ideas?


Hey if it wasn't for you guys my job would be nearly impossible.


See ya,
Derek Deckert


Michael S. Fisher · Fri, 24 Jul 2009 08:43:49 -0700
For Windows log monitoring, have you tried using Snare and having it sent to
a syslog server (rsyslog)?

That gives you the most flexibility in filtering and such.
Neil Simmonds · Tue, 4 Feb 2014 10:53:05 +0000
Hi all,

I want to monitor some windows logs that are named with a date/time stamp using BBWin in central mode.

I've tried putting a command in backticks in client-local.cfg ( log:` dir /B D:\Transact\Transact\Server\Logs\*.tr1`:10240 ) but although that command works perfectly in a windows command prompt, I don't get anything monitored. If I hard code the name of the file all works as expected.

At the moment I suspect that what I want to do is not possible but I thought I'd check with the mailing list before I go looking into external scripts to do this.

Cheers,
Neil.

Henrik Størner · Tue, 04 Feb 2014 12:19:23 +0100
BBWin cannot monitor log files, only the Windows event-log.

The Powershell-based WinPSClient appears to do logfile-checks like the Unix-based Xymon client.


Regards,
Henrik
Neil Simmonds · Tue, 4 Feb 2014 11:30:22 +0000
I don’t like to correct you Henrik but BBWin 0.13 can monitor log files as long as the log file name is hard coded in the client-local.cfg. What I’m unable to find an answer to is the Unix-like way of running a command to get the log file name for monitoring.

I suspected WinPSClient might be the option for this so now you have suggested it’s possible in that, it’s worth me investing the time to install it on a server and do some testing.
John Rothlisberger · Tue, 4 Feb 2014 13:13:24 +0000
I have a very obfuscated way of doing exactly what you want to do, and do it myself.

I created a directory in etc that will hold different parts of my client-local.cfg file (common win32 entries, a README file, and a single file for each individual server that doesn’t use defaults).

For one of my Windows servers that has a log file with a date as part of the file name (which we know doesn’t work with BBWin in central mode) I have a file that looks like this:

Filename: <servername>
Content:
log:D:\Program Files\Apache Software Foundation\TomcatA\logs\stdout_YYYYMMDD.log:10240
log:D:\Program Files\Apache Software Foundation\TomcatB\logs\stdout_YYYYMMDD.log:10240

Then, I have a cronjob run a simple script at 23:45 to change YYYYMMDD or YYMMDD to the next day's date and assemble a new client-local.cfg file.

My script is simple:
#!/bin/sh

cd /home/xymon/etc/client-local || exit 1

# Tomorrow's date, computed once (GNU date syntax).
TOMORROW_LONG=`date --date="tomorrow" +%Y%m%d`
TOMORROW_SHORT=`date --date="tomorrow" +%y%m%d`

cat header >client-local.cfg
echo "[<myxymonserver>]" >>client-local.cfg
cat <myxymonserver> >>client-local.cfg
cat seperator >>client-local.cfg    # seperator has warning messages so as to not edit the original client-local.cfg file as it will be overwritten.

# process all files except for the special ones (seperator included, or it would become a host entry)
for x in `ls | egrep -v 'header|win32|attmon|README|seperator|client-local.cfg'`
do
    echo "[${x}]" >>client-local.cfg    # this will create the client-local.cfg entry for this particular server
    # change to new dates; the long token must go first, since YYMMDD is a substring of YYYYMMDD
    sed -e "s/YYYYMMDD/${TOMORROW_LONG}/g" -e "s/YYMMDD/${TOMORROW_SHORT}/g" "$x" >>client-local.cfg
    cat win32 >>client-local.cfg     # win32 contains all the default rules to apply
    cat seperator >>client-local.cfg
done

echo "[win32]" >>client-local.cfg     # finish off the file with defaults
cat win32 >>client-local.cfg
cat seperator >>client-local.cfg

cp client-local.cfg /home/xymon/server/etc    # replace the current client-local.cfg file

README:
This folder is used to separate each host that needs specific rules within
the client-local.cfg file.  Each host that needs an entry will have a file
by its own server name.

Current files are:
xymonserver
windowserver2
linuxserver4
etc.

This cron job will process each file and create a new client-local.cfg within
this directory and copy it to /home/xymon/server/etc:
45 23 * * * /home/xymon/bin/update_clientlocalcfg.sh > /dev/null 2>&1

There are a few special files that are processed differently.  The "header"
file is the first to be added to client-local.cfg.  It contains warnings and
usage information.  "win32" is the default specification for all windows
servers and is also appended to each of the separate host files that are
included.  This allows for a single file to be edited and included for all
of the windows servers.

Example:
Filename = servername
log:D:\Program Files\Apache Software Foundation\TomcatA\logs\stdout_YYYYMMDD.log:10240
log:D:\Program Files\Apache Software Foundation\TomcatB\logs\stdout_YYYYMMDD.log:10240


Seperator (warning messages):
#
# EDIT client-local/<hostname> ONLY!!!!!
# EDIT client-local/<hostname> ONLY!!!!!
# EDIT client-local/<hostname> ONLY!!!!!
# EDIT client-local/<hostname> ONLY!!!!!
# EDIT client-local/<hostname> ONLY!!!!!
# EDIT client-local/<hostname> ONLY!!!!!
# EDIT client-local/<hostname> ONLY!!!!!
#


I run this through cron at 23:45 which provides a little time for the file to be disseminated out to the windows servers by midnight.  Hopefully, this is not too confusing.  ☺

Thanks,
John
Upcoming PTO:
(none)

John Rothlisberger
IT Strategy, Infrastructure & Security - Technology Growth Platform
TGP for Business Process Outsourcing
Accenture
XXX.XXX.XXXX office
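A generalised version of John's assembly step, added here as an example and not his script or anything from the Xymon or BBWin projects: the date is passed in as a parameter so a run is reproducible, the special files are skipped by exact name rather than an egrep pattern, and a template whose log: entries lack the numeric max-size field is refused before it can be shipped to the Windows clients. The file names (header, win32, winhost1, winhost2) and template contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not John's script: build client-local.cfg from per-host
# templates, replacing the YYYYMMDD / YYMMDD tokens with a date passed in
# as a parameter, so a run is reproducible and each piece can be tested.
set -eu
# Refuse a template whose "log:" entries lack the trailing numeric max-size
# field (the entries on the page end in ":10240"); a broken line would
# otherwise be pushed to every Windows client. $1 = template file.
check_template() {
    if grep -E '^log:' "$1" | grep -qvE ':[0-9]+$'; then
        echo "bad log: entry in $1" >&2
        return 1
    fi
}
# One host section: "[host]", the template with both tokens substituted
# (long token first, since YYMMDD is a substring of YYYYMMDD), then the
# shared win32 defaults. $1 = host file, $2 = win32 file, $3 = YYYYMMDD, $4 = YYMMDD.
render_host() {
    check_template "$1"
    printf '[%s]\n' "$(basename "$1")"
    sed -e "s/YYYYMMDD/$3/g" -e "s/YYMMDD/$4/g" "$1"
    cat "$2"
}

# Whole file on stdout. Special files are skipped by exact name, not by an
# egrep pattern. $1 = template dir, $2 = YYYYMMDD, $3 = YYMMDD.
assemble() {
    cat "$1/header"
    for f in "$1"/*; do
        case "$(basename "$f")" in
            header|win32|README|client-local.cfg) continue ;;
        esac
        render_host "$f" "$1/win32" "$2" "$3"
    done
    printf '[win32]\n'
    cat "$1/win32"
}

# Constructed sample templates (file names and contents are made up).
demo=$(mktemp -d)
printf '# Generated file. Edit client-local/<hostname> instead.\n' >"$demo/header"
printf 'eventlog:Application:10240\n' >"$demo/win32"
printf 'log:D:\\Logs\\app_YYYYMMDD.log:10240\n' >"$demo/winhost1"
printf 'log:D:\\Logs\\batch_YYMMDD.log:4096\n' >"$demo/winhost2"
# Tomorrow's date: GNU date first, BSD date as the fallback.
long=$(date -d tomorrow +%Y%m%d 2>/dev/null || date -v+1d +%Y%m%d)
short=$(date -d tomorrow +%y%m%d 2>/dev/null || date -v+1d +%y%m%d)
assemble "$demo" "$long" "$short"
rm -rf "$demo"
```

Run it from cron the way John does, redirecting stdout to the file that is copied into the server's etc directory; a non-zero exit (a rejected template) then leaves the previous client-local.cfg untouched.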