Ignoring strings in event logs

11 messages in this thread

list Colin Coe · Mon, 4 Oct 2010 12:43:39 +0800 ·
Hi all

I have the following in my hobbit-clients.cfg on the Xymon server
---
CLASS=win32
        LOAD 80 90 # Load thresholds are in %
        PORT "LOCAL=%([.:]20000)$" TEXT=RemotelyAnywhere
        LOG %.*  %error -.* COLOR=yellow
        LOG eventlog:Security  %failure.* COLOR=yellow
        LOG eventlog:Application  %warning.* COLOR=yellow IGNORE="%(Warning: IIS log failed to write entry|Many client computers have not reported back|Unsuccessful logon attempt from IP address .* Secure (SSL) Connection).*"
        LOG eventlog:System %error.* COLOR=yellow
---

I'm finding that I'm still getting warnings coming up from the WSUS
server regarding the clients that have not checked.

Could someone advise what I'm doing wrong here?

Thanks

CC

-- 
RHCE#805007969328369
list Colin Coe · Tue, 5 Oct 2010 08:15:28 +0800 ·
Anyone have ideas on this?

CC
-- 

RHCE#805007969328369
list Steve Holmes · Mon, 4 Oct 2010 20:47:08 -0400 ·
Wherever you go, there you are.  
Try removing the double quotes and replacing each space with a \s (backslash-s). That is what seems to work best for me. Steve
list Steve Holmes · Mon, 4 Oct 2010 20:48:29 -0400 ·
Wherever you go, there you are.  
Oh, and you don't need the .* on the end of the string. Steve
list Colin Coe · Tue, 5 Oct 2010 10:52:28 +0800 ·
Hi Steve

Thanks for the tips but unfortunately, these strings are still not
being ignored.  I'm wondering if the problem is in 'client-local.cfg'.
At the top of 'hobbit-clients.cfg' it says that both files need to be
configured but I don't see an example for Windows event logs.  How do
you have client-local.cfg configured for Windows logs?

Thanks

CC

-- 
RHCE#805007969328369
list Josh Luthman · Mon, 4 Oct 2010 23:00:52 -0400 ·
Are you sure your Windows clients are set for centralized configuration?
They may be sending green/red instead of the data for the server to decide.

Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St
Suite XXXX
Troy, OH XXXXX
list Colin Coe · Tue, 5 Oct 2010 11:33:04 +0800 ·
Hi Josh

After setting BBWin to be in central mode on a few test machines,
hobbitd_client crashes and does not restart.

CC

-- 

RHCE#805007969328369
list Henrik Størner · Tue, 5 Oct 2010 06:00:56 +0000 (UTC) ·
Hi Colin,

On Tue, 05 Oct 2010 11:33:04 +0800 Colin Coe wrote:
> On Tue, Oct 5, 2010 at 11:00 AM, Josh Luthman
> <user-4c45a83f15cb@xymon.invalid> wrote:
>> Are you sure your Windows clients are set for centralized
>> configuration? They may be sending green/red instead of the data for
>> the server to decide.
>
> After setting BBWin to be in central mode on a few test machines,
> hobbitd_client crashes and does not restart.

as Josh pointed out, the Windows client (BBWin) must be running in 
centralized configuration if you want to be able to do the configuration
on the Xymon server. So an alternative solution could be to configure
this on the client side, in BBWin.cfg, if you continue to run the BBWin 
client in local mode.


I haven't tried playing with the centralized version of BBWin, so
I had a look at the client to see how it works. It seems that the
eventlog-configuration on the server uses "eventlog_LOGNAME" as 
the 'filename' in LOG configurations. So your config with

  LOG eventlog:Security  %failure.* COLOR=yellow
  LOG eventlog:Application  %warning.* COLOR=yellow
  LOG eventlog:System %error.* COLOR=yellow

should be

  LOG eventlog_Security %failure COLOR=yellow
  LOG eventlog_Application %warning COLOR=yellow
  LOG eventlog_System %error COLOR=yellow

(a '.*' at the end of a pattern is superfluous).


However, this entry looks suspicious, and might be the one that causes 
hobbitd_client to crash:

  LOG %.*  %error -.* COLOR=yellow

That "-.*" looks out of place. Is there a space in front of it that 
shouldn't be there?


Try these changes for a start to see if the log entries get matched
and trigger a yellow status for "msgs". Then you can add the IGNORE
setting afterwards and see what needs to be done for that to work.


Regards,
Henrik
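
A simplified offline model of the server-side LOG/IGNORE evaluation discussed above, added here as an example; it is not part of Henrik's message and not Xymon's own code. It assumes the "eventlog_Application" section name from his reading of the client, a leading '%' meaning an unanchored case-insensitive regex, and constructed sample lines; `compile_pat`, `parse_rule` and `alerts` are hypothetical helper names.

```python
import re

# Constructed sample lines; the real BBWin event log line format may differ.
SAMPLE = [
    "warning - Windows Server Update Services - Many client computers have not reported back to the server",
    "warning - W3SVC - Warning: IIS log failed to write entry",
    "warning - Userenv - Windows cannot query for the list of Group Policy objects",
    "information - MSSQLSERVER - Database backup completed",
]

# IGNORE alternatives taken from the thread, spaces written as \s per Steve's tip.
IGNORE = (r"%(Warning:\sIIS\slog\sfailed\sto\swrite\sentry"
          r"|Many\sclient\scomputers\shave\snot\sreported\sback)")

def compile_pat(pat):
    # Assumption: '%' marks a regex, searched unanchored and case-insensitively.
    body = pat[1:] if pat.startswith("%") else re.escape(pat)
    return re.compile(body, re.IGNORECASE)

def parse_rule(line):
    """Split 'LOG <file> <pattern> [COLOR=..] [IGNORE=..]' into a dict."""
    m = re.match(r"\s*LOG\s+(\S+)\s+(\S+)(.*)$", line)
    if m is None:
        raise ValueError("not a LOG rule: %r" % line)
    rule = {"file": m.group(1), "match": m.group(2), "color": None, "ignore": None}
    for key, value in re.findall(r"(COLOR|IGNORE)=(\S+)", m.group(3)):
        rule[key.lower()] = value
    return rule

def alerts(rule_line, section, lines):
    """Return lines the rule would flag, or None if it does not apply to section."""
    rule = parse_rule(rule_line)
    name = rule["file"]
    applies = (compile_pat(name).search(section) is not None
               if name.startswith("%") else name == section)
    if not applies:
        return None  # wrong log name: neither the match nor the IGNORE is ever used
    trigger = compile_pat(rule["match"])
    ignore = compile_pat(rule["ignore"]) if rule["ignore"] else None
    return [l for l in lines
            if trigger.search(l) and not (ignore and ignore.search(l))]

if __name__ == "__main__":
    section = "eventlog_Application"  # section name as Henrik read it from the client
    for name in ("eventlog:Application", "eventlog_Application"):
        rule = "LOG %s %%warning COLOR=yellow IGNORE=%s" % (name, IGNORE)
        print(name, "->", alerts(rule, section, SAMPLE))
```
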
list Colin Coe · Wed, 6 Oct 2010 08:55:35 +0800 ·
I've fixed the errors in /etc/xymon/server/hobbit-clients.cfg, in
fact I've commented out all the Windows related lines in the file.
I'm no longer getting core dumps but the hobbitd_client status in the
webUI is still purple.  I've restarted Xymon server 45 minutes ago and
still purple.

I've set the Windows machines to all be in central mode.

Any pointers on resolving the purple status of hobbitd_client would be great.

Thanks

CC

-- 

RHCE#805007969328369
list Henrik Størner · Wed, 6 Oct 2010 05:27:43 +0000 (UTC) ·
In <AANLkTi=user-d7e2f4a48705@xymon.invalid> Colin Coe <user-5b250cd7a540@xymon.invalid> writes:
> Any pointers on resolving the purple status of hobbitd_client would be great.

hobbitd_client is a status that only shows up if hobbitd_client has
had some sort of fatal problem - like crashing. That's why it doesn't
get updated, and hence goes purple after 30 minutes. It's just there
as a way of alerting you to the fact that it did crash.

And it seems to work :-)

To get rid of it, just "drop" it: On your Xymon server, run

   bb 127.0.0.1 "drop HOBBITSERVERNAME hobbitd_client"


Regards,
Henrik
list Colin Coe · Wed, 6 Oct 2010 13:55:11 +0800 ·
lol

OK, that makes sense.

-- 

RHCE#805007969328369