Problem with LOG test
list Olivier Boyaval
Hello,
I have a problem to test many log file on a linux client. I test a log
file with word cirtical and major but hobbit doesn't send any alarm when
this log file contains message with this key words.
My client doesn't use the local config and use the server config.
-------> My log file (for test) :
Major : test alarme
Critical : test alarme
fin
Nota : If I don't add the first line (-------) then the begin of line is cut after 5 characters.
-------> My hobbit server's hobbit-clients.cfg extract :
HOST=agecanonix
PROC /usr/sbin/ntpd 1
PROC tina_daemon 1
LOG /var/log/messages WARNING COLOR=yellow
LOG /var/log/messages ERROR COLOR=red
LOG /home/sirt/log/alarm_tina.log major COLOR=yellow
LOG /home/sirt/log/alarm_tina.log critical COLOR=red
DISK /media/dvd IGNORE
-------> My hobbit server's client-local.cfg extract :
[agecanonix]
log:/var/log/messages:10240
trigger %WARNING|ERROR
log:/home/sirt/log/alarm_tina.log:10240
trigger %major|critical
-------> The hobbit page :
System logs at Fri Sep 22 10:30:17 CEST 2006
No entries in /var/log/messages <http://alambix.ch-bethune.fr/hobbit-cgi/bb-hostsvc.sh?CLIENT=agecanonix&SECTION=msgs:/var/log/messages>;
No entries in /home/sirt/log/alarm_tina.log <http://alambix.ch-bethune.fr/hobbit-cgi/bb-hostsvc.sh?CLIENT=agecanonix&SECTION=msgs:/home/sirt/log/alarm_tina.log>;
Full log /var/log/messages <http://alambix.ch-bethune.fr/hobbit-cgi/bb-hostsvc.sh?CLIENT=agecanonix&SECTION=msgs:/var/log/messages>;
Sep 22 08:05:21 agecanonix vsftpd: Fri Sep 22 10:05:21 2006 [pid 23276] CONNECT: Client "xxxxx"
Sep 22 10:07:58 agecanonix su: (to hobbit) root on /dev/pts/2
Sep 22 10:07:58 agecanonix su: pam_unix2: session started for user hobbit, service su
Sep 22 08:10:22 agecanonix vsftpd: Fri Sep 22 10:10:22 2006 [pid 23415] CONNECT: Client "xxxxx"
Sep 22 10:11:46 agecanonix su: pam_unix2: session finished for user hobbit, service su
Sep 22 10:12:17 agecanonix su: pam_unix2: session finished for user sirt, service su
Sep 22 08:12:22 agecanonix vsftpd: Fri Sep 22 10:12:22 2006 [pid 23418] CONNECT: Client "xxxxx"
Sep 22 10:12:28 agecanonix su: (to sirt) root on /dev/pts/2
Sep 22 10:12:28 agecanonix su: pam_unix2: session started for user sirt, service su
Sep 22 10:15:01 agecanonix /USR/SBIN/CRON[23502]: (sirt) CMD (/home/sirt/bin/alarm_tina.sh)
Sep 22 10:15:03 agecanonix su: (to hobbit) root on /dev/pts/2
Sep 22 10:15:03 agecanonix su: pam_unix2: session started for user hobbit, service su
Sep 22 08:17:23 agecanonix vsftpd: Fri Sep 22 10:17:23 2006 [pid 23640] CONNECT: Client "xxxxx"
Sep 22 08:22:25 agecanonix vsftpd: Fri Sep 22 10:22:25 2006 [pid 23686] CONNECT: Client "xxxxx"
Sep 22 08:27:26 agecanonix vsftpd: Fri Sep 22 10:27:26 2006 [pid 23729] CONNECT: Client "xxxxx"
Sep 22 10:30:01 agecanonix /USR/SBIN/CRON[23737]: (sirt) CMD (/home/sirt/bin/alarm_tina.sh)
Full log /home/sirt/log/alarm_tina.log <http://alambix.ch-bethune.fr/hobbit-cgi/bb-hostsvc.sh?CLIENT=agecanonix&SECTION=msgs:/home/sirt/log/alarm_tina.log>;
Major : test alarme
Critical : test alarme
fin
Any idea ?
Cdl
Olivier
list David Gore
▸
Olivier Boyaval wrote:
Hello,
I have a problem to test many log file on a linux client. I test a log file with word cirtical and major but hobbit doesn't send any alarm when this log file contains message with this key words.
My client doesn't use the local config and use the server config.
-------> My log file (for test) :
Major : test alarme
Critical : test alarme
fin
Nota : If I don't add the first line (-------) then the begin of line is cut after 5 characters.
-------> My hobbit server's hobbit-clients.cfg extract :
HOST=agecanonix
PROC /usr/sbin/ntpd 1
PROC tina_daemon 1
LOG /var/log/messages WARNING COLOR=yellow
LOG /var/log/messages ERROR COLOR=red
LOG /home/sirt/log/alarm_tina.log major COLOR=yellow
LOG /home/sirt/log/alarm_tina.log critical COLOR=red
DISK /media/dvd IGNORE
-------> My hobbit server's client-local.cfg extract :
[agecanonix]
log:/var/log/messages:10240
trigger %WARNING|ERROR
log:/home/sirt/log/alarm_tina.log:10240
trigger %major|critical
-------> The hobbit page :Try this: [agecanonix] log:/var/log/messages:10240 trigger WARNING|ERROR log:/home/sirt/log/alarm_tina.log:10240 trigger major|critical I do not think '%' (pcre) is supported in this file.
▸
System logs at Fri Sep 22 10:30:17 CEST 2006
No entries in /var/log/messages <http://alambix.ch-bethune.fr/hobbit-cgi/bb-hostsvc.sh?CLIENT=agecanonix&SECTION=msgs:/var/log/messages>;
No entries in /home/sirt/log/alarm_tina.log <http://alambix.ch-bethune.fr/hobbit-cgi/bb-hostsvc.sh?CLIENT=agecanonix&SECTION=msgs:/home/sirt/log/alarm_tina.log>;
Full log /var/log/messages <http://alambix.ch-bethune.fr/hobbit-cgi/bb-hostsvc.sh?CLIENT=agecanonix&SECTION=msgs:/var/log/messages>;
Sep 22 08:05:21 agecanonix vsftpd: Fri Sep 22 10:05:21 2006 [pid 23276] CONNECT: Client "xxxxx"
Sep 22 10:07:58 agecanonix su: (to hobbit) root on /dev/pts/2
Sep 22 10:07:58 agecanonix su: pam_unix2: session started for user hobbit, service su Sep 22 08:10:22 agecanonix vsftpd: Fri Sep 22 10:10:22 2006 [pid 23415] CONNECT: Client "xxxxx"
Sep 22 10:11:46 agecanonix su: pam_unix2: session finished for user hobbit, service su Sep 22 10:12:17 agecanonix su: pam_unix2: session finished for user sirt, service su Sep 22 08:12:22 agecanonix vsftpd: Fri Sep 22 10:12:22 2006 [pid 23418] CONNECT: Client "xxxxx"
Sep 22 10:12:28 agecanonix su: (to sirt) root on /dev/pts/2
Sep 22 10:12:28 agecanonix su: pam_unix2: session started for user sirt, service su Sep 22 10:15:01 agecanonix /USR/SBIN/CRON[23502]: (sirt) CMD (/home/sirt/bin/alarm_tina.sh) Sep 22 10:15:03 agecanonix su: (to hobbit) root on /dev/pts/2
Sep 22 10:15:03 agecanonix su: pam_unix2: session started for user hobbit, service su Sep 22 08:17:23 agecanonix vsftpd: Fri Sep 22 10:17:23 2006 [pid 23640] CONNECT: Client "xxxxx"
Sep 22 08:22:25 agecanonix vsftpd: Fri Sep 22 10:22:25 2006 [pid 23686] CONNECT: Client "xxxxx"
Sep 22 08:27:26 agecanonix vsftpd: Fri Sep 22 10:27:26 2006 [pid 23729] CONNECT: Client "xxxxx"
Sep 22 10:30:01 agecanonix /USR/SBIN/CRON[23737]: (sirt) CMD (/home/sirt/bin/alarm_tina.sh)
Full log /home/sirt/log/alarm_tina.log <http://alambix.ch-bethune.fr/hobbit-cgi/bb-hostsvc.sh?CLIENT=agecanonix&SECTION=msgs:/home/sirt/log/alarm_tina.log>;
Major : test alarme
Critical : test alarme
fin
Any idea ?
Cdl
Olivier
list Olivier Boyaval
▸
David Gore a écrit :
Try this: [agecanonix] log:/var/log/messages:10240 trigger WARNING|ERROR log:/home/sirt/log/alarm_tina.log:10240 trigger major|critical I do not think '%' (pcre) is supported in this file.
I have tested with "trigger major|critical" and "trigger Major|Critical" and "trigger Critical" and "trigger critical" that doesn't run :-( Olivier
list David Gore
▸
Olivier Boyaval wrote:
David Gore a écrit :Try this: [agecanonix] log:/var/log/messages:10240 trigger WARNING|ERROR log:/home/sirt/log/alarm_tina.log:10240 trigger major|critical I do not think '%' (pcre) is supported in this file.I have tested with "trigger major|critical" and "trigger Major|Critical" and "trigger Critical" and "trigger critical" that doesn't run :-( Olivier
Login to the client host, agecanonix and look for these files: cd ~/client/tmp && ls -al *status *cfg Then you may want to try what you see in the .cfg by hand. You should see something like this in the .cfg file: log:/var/adm/messages:10240 trigger WARNING|ERROR log:/home/sirt/log/alarm_tina.log:10240 trigger major|critical Which should mirror your config. Then try grepping by hand to see if you get what you want: egrep -ei 'WARNING|ERROR' /var/adm/messages And you are using Hobbit 4.2.0, if not then you need to upgrade.
list Olivier Boyaval
▸
David Gore a écrit :
Login to the client host, agecanonix and look for these files: cd ~/client/tmp && ls -al *status *cfg Then you may want to try what you see in the .cfg by hand. You should see something like this in the .cfg file: log:/var/adm/messages:10240 trigger WARNING|ERROR log:/home/sirt/log/alarm_tina.log:10240 trigger major|critical
This file exist and it's OK
▸
Which should mirror your config. Then try grepping by hand to see if you get what you want: egrep -ei 'WARNING|ERROR' /var/adm/messages
egrep -ei'pattern' file doesn't run correctly on my linux box. I must use egrep -i -e'pattern' file synthaxIf I use egrep -i -e'major|critical' /home/sirt/log/alarm_tina.log then the command is Ok and send the 2 test lines.
And you are using Hobbit 4.2.0, if not then you need to upgrade.
I use Hobbit 4.2.0 Cdl Olivier