Xymon Mailing List Archive

Ignore all log messages

5 messages in this thread

list Scot Kreienkamp · Wed, 3 Dec 2014 14:58:09 +0000 ·
Hi everyone,

Does anyone have any advice on messages logging?  I have a log for postgres that gets so many lines written in a day there's no way it can transfer all of them to the Xymon server.  I don't need any of that traffic anyway.  The only lines I need are ones that contain a few specific words.  So I put this in client-local.cfg:

[servername]
log:/var/log/postgres.log:10240
ignore .*
trigger %(FATAL|Fatal|FAIL|Fail|fail|Error|ERROR|error|Error|timestamp|deadlock|Deadlock|password authentication failed|pg_hba.conf|invalid magic number)
log:/var/log/messages:10240
ignore %(postgres|RMS Printing Subsystem|connection received|disconnection|connection authorized)
trigger %(FAIL|Fail|fail|Error|ERROR|error|Error|timestamp|deadlock|Deadlock|password authentication failed|pg_hba.conf|invalid magic number)
file:/etc/passwd


However, that doesn't seem to produce any log messages from the postgres log even when it should match one of the triggers.  Client and server is version 4.3.17.

I appreciate any ideas anyone has, or if someone has already done this if you could share your config I'd like to see how you did it.

Thanks!

Scot


This message is intended only for the individual or entity to which it is addressed. It may contain privileged, confidential information which is exempt from disclosure under applicable laws. If you are not the intended recipient, please note that you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information. If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.
list Scot Kreienkamp · Wed, 3 Dec 2014 17:58:14 +0000 ·
OK, so after searching through the mailing list for two hours and finding an old post about using different syntax in client-local I've changed it to this:

My new config:

log:/var/log/postgres.log:10240
ignore rmstomcat|jboss
trigger FATAL|Fatal|FAIL|Fail|fail|Error|ERROR|error|Error|timestamp|deadlock|Deadlock|password authentication failed|pg_hba.conf|invalid magic number
log:/var/log/messages:10240
ignore postgres|RMS Printing Subsystem|connection received|disconnection|connection authorized
trigger FAIL|Fail|fail|Error|ERROR|error|Error|timestamp|deadlock|Deadlock|password authentication failed|pg_hba.conf|invalid magic number
file:/etc/passwd

Not sure if this is correct or not.  Does this match up with anyone else's?
list Scot Kreienkamp · Wed, 3 Dec 2014 18:22:53 +0000 ·
Does anyone know if the ignore and trigger statements are applied per log?  For example:

Log  /var/log/messages
Ignore postgres
Trigger  fatal
Log /var/log/postgres
Ignore stuff
Trigger test

Is the first set of ignore/trigger done only on the first log and the second set to the second log, or are all the ignores and triggers cumulative to all the logs?

Thanks!
list Andy Smith · Wed, 03 Dec 2014 19:43:59 +0000 ·
Scot Kreienkamp wrote:
Hi everyone,

Does anyone have any advice on messages logging?  I have a log for postgres that gets so many lines written in a day there’s no way it can transfer all of them to the Xymon server.  I don’t need any of that traffic anyway.  The only lines I need are ones that contain a few specific words.  So I put this in client-local.cfg:

[servername]
log:/var/log/postgres.log:10240
ignore .*
trigger %(FATAL|Fatal|FAIL|Fail|fail|Error|ERROR|error|Error|timestamp|deadlock|Deadlock|password authentication failed|pg_hba.conf|invalid magic number)
log:/var/log/messages:10240
ignore %(postgres|RMS Printing Subsystem|connection received|disconnection|connection authorized)
trigger %(FAIL|Fail|fail|Error|ERROR|error|Error|timestamp|deadlock|Deadlock|password authentication failed|pg_hba.conf|invalid magic number)
file:/etc/passwd

However, that doesn’t seem to produce any log messages from the postgres log even when it should match one of the triggers.  Client and server is version 4.3.17.

I appreciate any ideas anyone has, or if someone has already done this if you could share your config I’d like to see how you did it.

You need ignore OR trigger, not both.  I find that logfetch crashes under certain circumstances if you use both, but in any case, they are functionally exclusive if you think about it.
-- 
Andy
list Jeremy Laidman · Thu, 4 Dec 2014 19:33:19 +1100 ·
First, please note that the parameter you provide to "trigger" and "ignore"
is a regular expression, and so the "%" is not required, and likely to be
problematic (meaning, it won't match unless there's an actual "%" in a log
line).

On 4 December 2014 at 05:22, Scot Kreienkamp <user-9678697f1438@xymon.invalid> wrote:
 Does anyone know if the ignore and trigger statements are applied per log?

Yes, they are per log.

These two options are fundamentally different, and applied at different
times in the log processing.  The "ignore" option specifies which lines
should be ignored completely.

From what's left, some or all will be sent to the server.  You have a
certain number of bytes that the client will send back to the server, and
any more than that will be truncated.  The "trigger" option will look
through these un-ignored lines and give preference to the lines that match
the trigger string.  So these trigger-matched lines will get sent for
(almost) certain, and whatever doesn't match will be truncated before being
sent.

If you can use "ignore" to clean out enough lines so that what's left will
be under your limit (10kB), then that's all you need to do.  However, if
you cannot, you will end up with a truncated log, and so will need to use
"trigger" to make sure the interesting lines get through.

These two should work together, but due to a bug in the client-side code,
you can sometimes have problems.  So best to choose one or the other.

If what you're looking for is to send through ONLY the lines you care about
and want to alert on, then you might be able to use a negative-match
regular expression in your "ignore" definition.  Something like this:

ignore ^(?!.*(FATAL|Fatal|FAIL|Fail|fail|Error|ERROR|error|timestamp|deadlock|Deadlock|password authentication failed|pg_hba.conf|invalid magic number))

This bit of regex magic matches any log line that doesn't include the
strings given, and in that way only non-matching lines are ignored.

J
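
An added illustration, not part of the thread and not Xymon's logfetch code: a simplified Python model of the processing order described in the last reply (ignore first, then trigger-matched lines preferred under the byte limit), run over constructed log lines. The function name `select_lines`, the newest-first truncation rule and the sample lines are assumptions, and Python's `re` stands in for the client's regex engine.

```python
import re

# Keyword list copied from the pattern suggested in the thread.
KEYWORDS = (r"FATAL|Fatal|FAIL|Fail|fail|Error|ERROR|error|timestamp|deadlock|"
            r"Deadlock|password authentication failed|pg_hba.conf|invalid magic number")
# Negative lookahead: matches (so ignores) only lines containing none of the keywords.
IGNORE_UNINTERESTING = r"^(?!.*(" + KEYWORDS + r"))"

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    "2014-12-03 09:00:01 LOG:  connection received: host=10.0.0.5",
    '2014-12-03 09:00:02 FATAL:  password authentication failed for user "app"',
    "2014-12-03 09:00:03 LOG:  connection authorized: user=app",
    "2014-12-03 09:00:04 ERROR:  deadlock detected",
    "2014-12-03 09:00:05 LOG:  disconnection: session time: 0:00:01",
]


def select_lines(lines, ignore=None, trigger=None, max_bytes=10240):
    """Return the lines that would be sent under this simplified model."""
    # Step 1: lines matching "ignore" are dropped before anything else sees them.
    kept = [ln for ln in lines if not (ignore and re.search(ignore, ln))]
    # Step 2: trigger matches claim space first; the rest fill what is left,
    # newest first (assumed truncation rule).
    preferred = [i for i, ln in enumerate(kept) if trigger and re.search(trigger, ln)]
    rest = [i for i in range(len(kept)) if i not in preferred]
    chosen, budget = set(), max_bytes
    for i in preferred + rest[::-1]:
        size = len(kept[i].encode()) + 1  # +1 for the newline
        if size <= budget:
            chosen.add(i)
            budget -= size
    return [kept[i] for i in sorted(chosen)]


if __name__ == "__main__":
    cases = {
        "ignore .* plus trigger": dict(ignore=r".*", trigger=KEYWORDS),
        "ignore with % prefix": dict(ignore=r"%(postgres|connection received)"),
        "negative-lookahead ignore": dict(ignore=IGNORE_UNINTERESTING),
        "130-byte limit, no trigger": dict(max_bytes=130),
        "130-byte limit, trigger": dict(trigger=KEYWORDS, max_bytes=130),
    }
    for name, kwargs in cases.items():
        print(f"--- {name}")
        for line in select_lines(SAMPLE, **kwargs):
            print("   ", line)
```
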