Bug in msgs test in 4.3.19

Johan Sjöberg · Thu, 16 Apr 2015 14:24:04 +0000
Hi.

I upgraded our Xymon server to 4.3.19. Unfortunately, I experienced problems with the msgs test for the Xymon server itself.
The most serious bug is that I am getting log rows associated with the wrong log file, and triggering alerts for that file.

If I look in the client data, I can see that a few lines are from the correct file, but then it switches over to another log file's content:

[msgs:/var/log/server01.log]
<...SKIPPED...>
Apr 16 15:53:32 server01 AppMailImporter[INFO]: KTRO2155 Successfully made deed avaliable to registrator group propID = 10029300
Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 Email did not have a body or contains crap from scanners only. Not creating deed, but for attachments!
Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 PostList item created with propID = 10101563
Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 Attachment written to disk with GUID = 6fc966f7-796b-427f-b114-173f927ae451.pdf
Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Created document with propID = 10101564 and ObjectID = 15612
<...CURRENT...>
Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Successfully connected document with deed propID = 10101563 and ObjectID = 15612
cal proxy 192.168.105.10/255.255.255.255/0/0 on interface outside
Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, IP = 192.168.206.250, QM FSM error (P2 struct &0x00007fff4a020c40, mess id 0x5ac031d1)!
Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, IP = 192.168.206.250, Removing peer from correlator table failed, no match!

The logs for "server01" are from the correct file, but the ones from "fw2-v10" are from a different log file which has different alert match rules.
The log file for fw2-v10 is also included in the client data, as a separate section.

Also, if I alert on all log entries, I now get alerts for <...CURRENT...>, which I guess is some tag that is added internally by Xymon. This I can avoid by adding ignore for this string, so it's not a big problem.

Regards,
Johan

Japheth Cleaver · Thu, 16 Apr 2015 16:42:37 -0700

On Thu, April 16, 2015 7:24 am, Johan Sjöberg wrote:
> Hi.
>
> I upgraded our Xymon server to 4.3.19. Unfortunately, I experienced
> problems with the msgs test for the Xymon server itself.
> The most serious bug is that I am getting log rows associated with the
> wrong log file, and triggering alerts for that file.
>
> If I look in the client data, I can see that a few lines are from the
> correct file, but then it switches over to another log file's content:
>
> [msgs:/var/log/server01.log]
> <...SKIPPED...>
> Apr 16 15:53:32 server01 AppMailImporter[INFO]: KTRO2155 Successfully made
> deed avaliable to registrator group propID = 10029300
> Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 Email did not
> have a body or contains crap from scanners only. Not creating deed, but
> for attachments!
> Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 PostList item
> created with propID = 10101563
> Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 Attachment
> written to disk with GUID = 6fc966f7-796b-427f-b114-173f927ae451.pdf
> Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Created document
> with propID = 10101564 and ObjectID = 15612
> <...CURRENT...>
> Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Successfully
> connected document with deed propID = 10101563 and ObjectID = 15612
> cal proxy 192.168.105.10/255.255.255.255/0/0 on interface outside
> Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, IP =
> 192.168.206.250, QM FSM error (P2 struct &0x00007fff4a020c40, mess id
> 0x5ac031d1)!
> Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, IP =
> 192.168.206.250, Removing peer from correlator table failed, no match!
>
> The logs for "server01" are from the correct file, but the ones from
> "fw2-v10" are from a different log file which has different alert match
> rules.
> The log file for fw2-v10 is also included in the client data, as a
> separate section

Johan,

Thanks... Can you send your maxbytes configuration for this (direct is
fine), and possibly a run of it in --debug mode? (Manually edit
xymonclient.sh to add --debug=stderr to the logfetch execution.)

For the second log file, do you have multiple triggers and ignores being
used in selection of the lines to come in?

> Also, if I alert on all log entries, I now get alerts for <...CURRENT...>,
> which I guess is some tag that is added internally by Xymon. This I can
> avoid by adding ignore for this string, so it's not a big problem.

Correct, an analysis.cfg line like:

    LOG logfilename . COLOR=red

... will pick this up. An IGNORE= at the end would be your best option.
The docs should be updated for this use case.


Regards,

-jc
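
A check for the symptom described in this thread, as an added example (not Xymon code and not written by either poster): it walks the `[msgs:...]` sections of a client message and reports lines whose syslog hostname is not the one expected for that file, plus lines with no syslog prefix at all. The function name, the expected-host map, the syslog line format and the `/var/log/fw2-v10.log` path are assumptions; the sample is constructed from shortened lines of the excerpt above.

```python
import re

# Section header, e.g. [msgs:/var/log/server01.log] as shown in the thread
SECTION = re.compile(r"^\[(?P<name>[^\]:]+)(?::(?P<path>[^\]]+))?\]$")
# Assumed line format: classic syslog prefix "Mon DD HH:MM:SS host ..."
SYSLOG = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) ")
# Marker lines seen in the client data; they are not log content
MARKERS = {"<...SKIPPED...>", "<...CURRENT...>"}


def audit_msgs_sections(client_data, expected_hosts):
    """Return {log path: [(lineno, kind, text), ...]} for suspicious lines.

    kind is 'fragment' (no syslog prefix, e.g. a line cut mid-way) or
    'foreign-host' (syslog host differs from expected_hosts[path]).
    """
    findings, path = {}, None
    for lineno, line in enumerate(client_data.splitlines(), 1):
        sec = SECTION.match(line)
        if sec:
            # Only msgs sections are audited; any other section ends the scope
            path = sec.group("path") if sec.group("name") == "msgs" else None
            if path:
                findings.setdefault(path, [])
            continue
        if path is None or not line.strip() or line in MARKERS:
            continue
        m = SYSLOG.match(line)
        if m is None:
            findings[path].append((lineno, "fragment", line))
        elif path in expected_hosts and m.group("host") != expected_hosts[path]:
            findings[path].append((lineno, "foreign-host", line))
    return findings


# Constructed sample; the fw2-v10 log path is hypothetical
SAMPLE = """\
[msgs:/var/log/server01.log]
<...SKIPPED...>
Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Created document
<...CURRENT...>
Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Successfully connected document
cal proxy 192.168.105.10/255.255.255.255/0/0 on interface outside
Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, QM FSM error
[msgs:/var/log/fw2-v10.log]
Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, QM FSM error
"""
EXPECTED = {"/var/log/server01.log": "server01", "/var/log/fw2-v10.log": "fw2-v10"}
```

A non-empty list for a file means alerts raised from that section may have been evaluated against the wrong file's match rules.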