log file monitoring issues
list Gary B.
Maybe I'm just missing something in the documentation, but I can't seem to get the log file monitoring to work properly. In the example below, I'm trying to look at the "messages" and "maillog" files on Linux. Particularly, I'm trying to EXCLUDE the following "messages" lines:
    Aug 9 21:19:45 www upsd[7860]: Connection from 127.0.0.1
    Aug 9 21:19:45 www upsd[7860]: Client on 127.0.0.1 logged out
    Aug 9 21:19:45 www upsd[7860]: Connection from 127.0.0.1
    Aug 9 16:44:01 www crond(pam_unix)[5382]: session opened for user root by (uid=0)
    Aug 9 16:44:14 www crond(pam_unix)[5382]: session closed for user root
    Aug 9 16:45:01 www crond(pam_unix)[5484]: session opened for user mailman by (uid=0)
    Aug 9 16:45:01 www crond(pam_unix)[5484]: session closed for user mailman
And EXCLUDE the following "maillog" lines:
    Aug 6 11:55:02 www sendmail[15076]: k76Ft1pU015076: from=<mailman at HOSTNAME>, size=576, class=0, nrcpts=1, msgid=<200608061555.k76Ft1A2015075 at HOSTNAME>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Below are the respective lines from the "client-local.cfg" file:
    log:/var/log/messages:10240
    ignore upsd* Client|Connection 127.0.0.1
    ignore session opened|closed for user mailman|root
    log:/var/log/maillog:10240
    ignore relay=localhost.localdomain
    trigger denied
And below the specific log entries I'm looking for from "hobbit-clients.cfg":
    LOG /var/log/maillog "relaying denied" color="yellow"
Now, the problem I'm having... The "ignore" line for the /var/log/maillog file appears to be working correctly, as it does indeed ignore such entries as shown above. Also working is the "ignore session opened..." line for the /var/log/messages file. What is NOT working is the "ignore" line for the "upsd*" lines in /var/log/messages. For the life of me, I just can't figure out how to get that to work properly. That is, two of the three "ignore" lines are not working, as those lines still show up in the "full log" output. If anyone has any ideas, let me know.
I'm also having problems with some logs not showing up on the messages page. Do you need both a "LOG" entry in the hobbit-clients.cfg AND client-local.cfg, or will an entry in only client-local.cfg be sufficient to have it show up on the messages page?
list Jerry Yu
You need both.
client-local.cfg is to tell the client to report on these logs
hobbit-clients.cfg is to tell hobbitd to check/alert against log data reported from clients
list Gary B.
...I'm still having issues with "Permission denied" errors from Hobbit in trying to access /var/log/maillog on all my OpenBSD boxes. Apparently, the only way I've been able to get Hobbit to read them is if I set them 644. However, every time OpenBSD rotates the logs, it resets the permissions to 600. Is there any way to get this to work properly without having to run the Hobbit client as root?
list Francesco Duranti
I don't know OpenBSD... If it works like some Linux machines, you have to check the script or program that is rotating the logs to make them world readable or group readable and create them as the hobbit group. If your system is using logrotate you can try to put the "create mode owner group" directive into the specific logrotate file or change the default one that should be in /etc/logrotate.conf
-----Original Message-----
From: Gary B. [mailto:user-33b796116d5f@xymon.invalid]
Sent: Friday, 11 August 2006 15:21
To: user-ae9b8668bcde@xymon.invalid
Subject: Re: [hobbit] log file monitoring issues
> ...I'm still having issues with "Permission denied" errors from Hobbit in trying to access /var/log/maillog on all my OpenBSD boxes. Apparently, the only way I've been able to get Hobbit to read them is if I set them 644. However, every time OpenBSD rotates the logs, it resets the permissions to 600. Is there any way to get this to work properly without having to run the Hobbit client as root?
list Dominique Frise
Gary B. wrote:
> ...I'm still having issues with "Permission denied" errors from Hobbit in trying to access /var/log/maillog on all my OpenBSD boxes. Apparently, the only way I've been able to get Hobbit to read them is if I set them 644. However, every time OpenBSD rotates the logs, it resets the permissions to 600. Is there any way to get this to work properly without having to run the Hobbit client as root?
This is what we do under:
Linux RH
    # chgrp <hobbit-group> /var/log/messages*
    # chmod g+r /var/log/messages*
Debian
    # addgroup <hobbit-user> adm
The file rotation preserves these settings.
Dominique
UNIL - University of Lausanne
list Gary B.
Hmm, another issue I'm finding is that even with the permissions set so that the Hobbit client can read the log files, they still aren't reporting back any data. That is, the "Full log <log file>" section of the appropriate messages page has nothing.
list Henrik Størner
On Fri, Aug 11, 2006 at 10:28:40AM -0400, Gary B. wrote:
> Hmm, another issue I'm finding is that even with the permissions set so that the Hobbit client can read the log files, they still aren't reporting back any data. That is, the "Full log <log file>" section of the appropriate messages page has nothing.
Probably because your client has been running for some time, and there haven't been any new entries (the file size hasn't changed).
Regards,
Henrik
list Gary B.
Oh... Duh... Yep, that's it. Just wrote a test entry via logger and it picked that up. Now if I can just get my "ignore" lines to work properly, I'll be all set. When using regular expressions on the "ignore" lines, do you need to surround them as %"" like with regexes in hobbit-alerts.cfg and such?
list Henrik Størner
On Fri, Aug 11, 2006 at 11:54:45AM -0400, Gary B. wrote:
> Now if I can just get my "ignore" lines to work properly, I'll be all set. When using regular expressions on the "ignore" lines, do you need to surround them as %"" like with regexes in hobbit-alerts.cfg and such?
No, the strings in client-local.cfg are always treated as regular expressions.
Regards,
Henrik
list Gary B.
Hmm. Any ideas why the following wouldn't work?
    log:/var/log/messages:10240
    ignore upsd* Client|Connection 127.0.0.1
    ignore session opened|closed for user mailman|root
The "full log" output is still showing those lines. Could it be the same reason I wasn't seeing any data at all on the other servers; that is, the log file just hasn't been updated, and it's still showing those from previous lines? If so, is there a way I could tell Hobbit to clear the existing data?
list Henrik Størner
On Fri, Aug 11, 2006 at 01:37:28PM -0400, Gary B. wrote:
> Hmm. Any ideas why the following wouldn't work?
>     log:/var/log/messages:10240
>     ignore upsd* Client|Connection 127.0.0.1
>     ignore session opened|closed for user mailman|root
Two errors: The first line has a wrong regex - it's a classic mistake to use "*" by itself to mean "anything", but that's not what it does. Your expression should be
    ignore upsd.* Client|Connection 127.0.0.1
Second, you can only have one "ignore" line. I admit that it would probably be useful to have multiple ignore lines, but that is not possible right now.
> The "full log" output is still showing those lines. Could it be the same reason I wasn't seeing any data at all on the other servers; that is, the log file just hasn't been updated, and it's still showing those from previous lines?
No, Hobbit processes all of the logfile data through the ignore- and trigger patterns each time it sends a message to the server.
> If so, is there a way I could tell Hobbit to clear the existing data?
Yes: Delete the ~hobbit/client/tmp/logfetch.HOSTNAME.status file.
Regards,
Henrik
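The ignore patterns discussed in the reply above, run against the sample lines from the first message (an added example, not part of the original thread or of Hobbit itself). It assumes POSIX extended-regex matching as done by `grep -E`; the `sshd` line and the grouped pattern `P_GROUPED` are constructed for illustration.

```shell
#!/bin/sh
# Added example: run candidate "ignore" patterns over sample log lines and
# show which lines survive. Assumption: the client matches ignore patterns
# as unanchored extended regular expressions, which is what grep -E does.

# The first six lines are quoted in the thread. The sshd line is constructed
# to show what an over-broad ignore pattern would hide from the monitor.
sample_log() {
cat <<'EOF'
Aug 9 21:19:45 www upsd[7860]: Connection from 127.0.0.1
Aug 9 21:19:45 www upsd[7860]: Client on 127.0.0.1 logged out
Aug 9 16:44:01 www crond(pam_unix)[5382]: session opened for user root by (uid=0)
Aug 9 16:44:14 www crond(pam_unix)[5382]: session closed for user root
Aug 9 16:45:01 www crond(pam_unix)[5484]: session opened for user mailman by (uid=0)
Aug 9 16:45:01 www crond(pam_unix)[5484]: session closed for user mailman
Aug 9 16:50:12 www sshd[6001]: Failed password for root from 192.0.2.10 port 4022 ssh2
EOF
}

# survivors PATTERN: print the sample lines that "ignore PATTERN" would keep.
survivors() {
    sample_log | grep -Ev -e "$1" || true
}

# kept_count PATTERN: number of sample lines that survive the ignore pattern.
kept_count() {
    survivors "$1" | grep -c '' || true
}

# is_kept PATTERN TEXT: succeeds if a line containing TEXT survives.
is_kept() {
    survivors "$1" | grep -Fq -e "$2"
}

# Patterns taken from the thread. "|" has the lowest precedence, so each one
# is a list of alternatives split at every "|":
#   P_ORIGINAL = "ups" + zero or more "d" + " Client"  OR  "Connection 127.0.0.1"
#   P_DOTSTAR  = "upsd" + anything + " Client"         OR  "Connection 127.0.0.1"
#   P_SESSION  = "session opened"  OR  "closed for user mailman"  OR  "root"
P_ORIGINAL='upsd* Client|Connection 127.0.0.1'
P_DOTSTAR='upsd.* Client|Connection 127.0.0.1'
P_SESSION='session opened|closed for user mailman|root'

# Hypothetical single-line pattern (not from the thread): parentheses limit
# each alternation, and both filters fit on the one permitted "ignore" line.
P_GROUPED='upsd.* (Client|Connection)|session (opened|closed) for user (mailman|root)'

for p in "$P_ORIGINAL" "$P_DOTSTAR" "$P_SESSION" "$P_GROUPED"; do
    printf 'ignore %s\n  keeps %s of 7 lines:\n' "$p" "$(kept_count "$p")"
    survivors "$p" | sed 's/^/    /'
done
```

The ungrouped `mailman|root` alternative drops every line containing "root", including the failed-login line, while the "Connection from 127.0.0.1" line survives both ungrouped upsd patterns. Grouping each alternation in parentheses limits the ignore to the intended daemon messages.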
list Gary B.
On 8/11/06, Henrik Stoerner <user-ce4a2c883f75@xymon.invalid> wrote:
> On Fri, Aug 11, 2006 at 01:37:28PM -0400, Gary B. wrote:
>> Hmm. Any ideas why the following wouldn't work?
>>     log:/var/log/messages:10240
>>     ignore upsd* Client|Connection 127.0.0.1
>>     ignore session opened|closed for user mailman|root
> Two errors: The first line has a wrong regex - it's a classic mistake to use "*" by itself to mean "anything", but that's not what it does. Your expression should be
>     ignore upsd.* Client|Connection 127.0.0.1
Ah. I actually had that originally, but since it wasn't working, I wasn't sure if it used "real" regexes, or "DOS command-line" regexes.
> Second, you can only have one "ignore" line. I admit that it would probably be useful to have multiple ignore lines, but that is not possible right now.
>> The "full log" output is still showing those lines. Could it be the same reason I wasn't seeing any data at all on the other servers; that is, the log file just hasn't been updated, and it's still showing those from previous lines?
> No, Hobbit processes all of the logfile data through the ignore- and trigger patterns each time it sends a message to the server.
Ah ha! That explains it. I removed the second ignore, and it's working perfectly now.
>> If so, is there a way I could tell Hobbit to clear the existing data?
> Yes: Delete the ~hobbit/client/tmp/logfetch.HOSTNAME.status file.
Ah, that's simple. Note to self: if there's something you want to do with Hobbit, it's probably done fairly simply ;-)
Just ONE remaining issue now. There are still additional log files I want to check for that aren't showing up. I have this specific host's client-local.cfg entry defined as:
    [master.homeoffice.none]
    log:/var/log/samba/client.nmbd.log
    log:/var/log/messages:10240
    log:/var/log/maillog:10240
    ignore relay=localhost\.localdomain
    trigger denied
The "messages" and "maillog" entries are showing up just fine, but the "client.nmbd.log" file is not showing up; not even with an empty "full log" section. Any ideas?
Also, do I need the escape character "\" to ignore the line that says "relay=localhost.localdomain"? I guess since "." means "any character", it will work anyway without the "\"...
list Chris Morris
Try putting the :SIZE parameter on your log:/var/log/samba/client.nmbd.log entry. Chris
list Henrik Størner
On Fri, Aug 11, 2006 at 08:07:34PM -0400, Gary B. wrote:
>> Second, you can only have one "ignore" line. I admit that it would probably be useful to have multiple ignore lines, but that is not possible right now.
I've made an enhancement to the client-side "logfetch" utility so that multiple ignore- and trigger-lines are possible. I just need to do a bit more testing, and then I'll make it available.
> Just ONE remaining issue now. There are still additional log files I want to check for that aren't showing up. I have this specific host's client-local.cfg entry defined as:
>     [master.homeoffice.none]
>     log:/var/log/samba/client.nmbd.log
>     log:/var/log/messages:10240
>     log:/var/log/maillog:10240
>     ignore relay=localhost\.localdomain
>     trigger denied
> The "messages" and "maillog" entries are showing up just fine, but the "client.nmbd.log" file is not showing up; not even with an empty "full log" section. Any ideas?
Check if the configuration data makes it to the client. Does this data show up in the client's ~hobbit/client/tmp/logfetch.HOSTNAME.cfg file? If it does, then pick any status page from this host and click on the "Client data" link near the bottom of the page. Look for the "[msgs:...]" and "[logfile:...]" sections. Is there one for the client.nmbd.log file?
Regards,
Henrik
list Gary B.
>> Second, you can only have one "ignore" line. I admit that it would probably be useful to have multiple ignore lines, but that is not possible right now.
> I've made an enhancement to the client-side "logfetch" utility so that multiple ignore- and trigger-lines are possible. I just need to do a bit more testing, and then I'll make it available.
Awesome!
>> Just ONE remaining issue now. There are still additional log files I want to check for that aren't showing up. I have this specific host's client-local.cfg entry defined as:
>>     [master.homeoffice.none]
>>     log:/var/log/samba/client.nmbd.log
>>     log:/var/log/messages:10240
>>     log:/var/log/maillog:10240
>>     ignore relay=localhost\.localdomain
>>     trigger denied
>> The "messages" and "maillog" entries are showing up just fine, but the "client.nmbd.log" file is not showing up; not even with an empty "full log" section. Any ideas?
> Check if the configuration data makes it to the client. Does this data show up in the client's ~hobbit/client/tmp/logfetch.HOSTNAME.cfg file? If it does, then pick any status page from this host and click on the "Client data" link near the bottom of the page. Look for the "[msgs:...]" and "[logfile:...]" sections. Is there one for the client.nmbd.log file?
A thanks to Chris Morris for solving this issue. I can't believe I missed it after staring at that file for quite a while, but I was missing the :SIZE part. Adding that fixed it, and now the additional logs are showing up. I still have an issue with file permissions in OpenBSD, but at least now it's not a Hobbit-related issue.
list Gary B.
Okay, the logs are showing up in the "Full log" section correctly now, but my LOG keyword monitoring isn't working. Ex)
    [<server name>]
    . . .
    LOG /var/log/maillog did not issue MAIL/EXPN/VRFY/ETRN COLOR=yellow
    . . .
    LOG /var/log/httpd/intranet/error_log client denied COLOR=yellow
Do "client denied" and "did not issue MAIL/EXPN/VRFY/ETRN" have to be in quotes?
list Henrik Størner
On Mon, Aug 14, 2006 at 04:12:19PM -0400, Gary B. wrote:
> Okay, the logs are showing up in the "Full log" section correctly now, but my LOG keyword monitoring isn't working. Ex)
>     [<server name>]
>     . . .
>     LOG /var/log/maillog did not issue MAIL/EXPN/VRFY/ETRN COLOR=yellow
>     . . .
>     LOG /var/log/httpd/intranet/error_log client denied COLOR=yellow
> Does "client denied" and "did not issue MAIL/EXPN/VRFY/ETRN" have to be in quotes?
Yes.
Regards,
Henrik
list Rolf Schrittenlocher
Hi folks,
I have a problem with msgs on solaris9 with hobbit 4.2. For all servers I get:
    No entries in /var/adm/messages <http://lbsbb.rz.uni-frankfurt.de/hobbit-cgi/bb-hostsvc.sh?CLIENT=wiesel&SECTION=msgs:/var/adm/messages>
while messages isn't empty:
    cat /var/adm/messages
    ...
    Nov 2 03:30:16 wiesel sshd[27574]: [ID 800047 auth.error] error: select: Falsche Dateinummer
The link bb-hostsvc.sh?CLIENT=wiesel&SECTION=msgs:/var/adm/messages shows:
    [msgs:/var/adm/messages]
My configs:
hobbit-clients.cfg
    LOG /var/adm/messages error COLOR=yellow
client-local.cfg (untouched)
    [sunos]
    log:/var/adm/messages:10240
On the client the tmp-files are:
    wiesel bb> cat logfetch.wiesel.status
    /var/adm/messages:654:654:654:654:654:654:654
    wiesel bb> cat logfetch.wiesel.cfg
    log:/var/adm/messages:10240
"client data" shows:
    [msgs:/var/adm/messages]
    [logfile:/var/adm/messages]
    type:100000 (file)
    mode:644 (-rw-r--r--)
    linkcount:1
    owner:0 (root)
    group:0 (root)
    size:654
    clock:1162464626 (2006/11/02-11:50:26)
    atime:1162464626 (2006/11/02-11:50:26)
    ctime:1162434616 (2006/11/02-03:30:16)
    mtime:1162434616 (2006/11/02-03:30:16)
Any ideas? Thanks!
Rolf
--
Kind regards
Rolf Schrittenlocher
HRZ/BDV, Senckenberganlage 31, 60054 Frankfurt
Tel: (XX) XX - XXX XXXXX
Fax: (XX) XX - XXX XXXXX
LBS: user-1e39a1813094@xymon.invalid
Personal: user-6ea8e907e200@xymon.invalid
list Henrik Størner
The logfile monitor only includes the last 30 minutes of data from the logfile. It does this by tracking where it last read from the logfile; you have:
On the client the tmp-files are: wiesel bb> cat logfetch.wiesel.status /var/adm/messages:654:654:654:654:654:654:654
meaning that for the past 7 runs of the Hobbit client, the logfile was 654 bytes. If it doesn't grow, no data is sent to Hobbit. And before you ask: No, there is currently no configuration option which lets you change that interval of 30 minutes. Regards, Henrik
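Henrik's reading of the logfetch status line, as an added example (not Hobbit's own code): it parses the line Rolf posted and reports how many bytes fall inside the tracked window. Taking the smallest recorded size as the start of the window, and treating a shrunken file as rotated, are assumptions of this sketch.

```python
# Status line exactly as posted in the thread.
SAMPLE_STATUS = "/var/adm/messages:654:654:654:654:654:654:654"


def parse_status_line(line):
    """Split 'PATH:n1:...:nK' into (path, [n1..nK]).

    Numbers are peeled off from the right so a path that itself
    contains ':' is still recovered intact.
    """
    fields = line.strip().split(":")
    sizes = []
    while len(fields) > 1 and fields[-1].isdigit():
        sizes.insert(0, int(fields.pop()))
    if not sizes:
        raise ValueError("no recorded sizes in status line: %r" % line)
    return ":".join(fields), sizes


def pending_bytes(sizes, current_size):
    """Bytes written since the start of the tracked window.

    Assumption: the smallest recorded size marks the window start.
    Assumption: a file now smaller than a recorded size was rotated
    or truncated, so all of its current content counts as new.
    """
    if current_size < max(sizes):
        return current_size
    return current_size - min(sizes)


def diagnose(line, current_size):
    """One-line verdict for a status line and the file's present size."""
    path, sizes = parse_status_line(line)
    new = pending_bytes(sizes, current_size)
    if new == 0:
        return "%s: unchanged for %d runs, nothing to report" % (path, len(sizes))
    return "%s: %d bytes inside the reporting window" % (path, new)


if __name__ == "__main__":
    # size:654 is the value shown in Rolf's "client data" output.
    print(diagnose(SAMPLE_STATUS, 654))
```
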
list Rolf Schrittenlocher
Hi Henrik, thanks for the help and the fast reply! But one more question: Even though the client doesn't send new data, is it possible that the server displays the old data if you click on the "Full log /var/adm/messages" link (or any other log) on the page "...bb-hostsvc.sh?HOST=lbsdb&SERVICE=msgs"? Is the data still available on the server or is it overwritten each time the client sends something? If so, I'd like to modify hobbit in a way that each time a new log arrives at the server this is stored somewhere else and we would make it available with a link. Could you indicate the files to edit for that purpose? Or perhaps, if there is already a command for cutting the section code out from a client's message we could trigger that each time a client sends something new. This would be helpful to monitor logs manually. Reason: We often have customers' demands to look for special entries in (application) logs which don't trigger a yellow or red alarm. These logs are spread all over the machines and we hope to get a single point of entry for all logs using hobbit. kind regards Rolf
list Joshua Krause
I have a question about log file monitoring. I have a file that I am expecting to see the word "SIP" and if it is not there then I would want to be paged and have it go red. But the only thing I can find is to have it MATCH a certain phrase. Josh
list Steve Holmes
Can you explain the difference between "expecting to see" and "have it MATCH"? Thanks, Steve
list Rob MacGregor
On 9/24/07, Steve Holmes <user-ec1bf77b1b44@xymon.invalid> wrote:
Can you explain the difference between "expecting to see" and "have it MATCH"?
Reading Joshua's post it seems he wants to be alerted if the file DOES
NOT contain the word "SIP" - an inverse match. The help does say that
regex's are supported, but I don't know if that includes the not
operator.
--
Please keep list traffic on the list.
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche
list Joshua Krause
My concern is when I stop seeing the word "SIP" then I have a problem. So I need Hobbit to go red when the word "SIP" isn't seen.
list Steve Holmes
Right. I missed the 'not'. Steve.
--
We who are strong ought to put up with the failings of the weak, and not to
please ourselves. Each of us must please our neighbor for the good purpose
of building up the neighbor.
-Romans 15:1
Nonviolence means avoiding not only
external physical violence but also
internal violence of spirit. You not only
refuse to shoot a man, but you refuse to
hate him.
-Martin Luther King, Jr., civil-rights leader (1929-1968)
list Robert Manocchia
Hello. I have a problem using wildcards in logfile monitoring. I need to monitor the following log files for a specific message:

/wls_domains/*/servers/*adminServer/logs/*domain.log

In my client-local.cfg file I have the following:

[server]
log:/wls_domains/*/servers/*adminServer/logs/*domain.log:10240

In my hobbit-clients.cfg file I have the following:

LOG "%/wls_domains/.*/servers/.*adminServer/logs/.*domain.log" "java.lang.OutOfMemoryError" COLOR=red

I check the following file exists.

/wls_domains/demo_alsb_domain/servers/demo_alsb_adminServer/logs/demo_alsb_domain.log

There must be something I'm missing. Any help would be greatly appreciated. Thanks Bob Manocchia

The email message I get from hobbit is that the log file is not accessible.
list Alan Sparks
I think your first problem, as I understand, is that wildcards are not understood in the LOG directive. If you need to use wildcards, or handle conditions where the exact full file pathname is not known, you need to use backticks and give a command that can print the exact filenames. You might experiment with using a client-local.cfg directive something like:

log:`/bin/ls /wls_domains/*/servers/*adminServer/logs/*domain.log`:10240

or

log:`/bin/echo /wls_domains/*/servers/*adminServer/logs/*domain.log`:10240

I have done similar things using a "find" command, as well. -Alan
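An added sketch (not part of the thread or of Xymon) of the two halves discussed above: the backticked command hands the client exact filenames, and the server-side LOG rule with a leading % is then matched as a regular expression against each of those names. The temporary directory tree, the second and third sample paths and the helper names are constructed for illustration; Python's re stands in for Xymon's regex matching, and unanchored search for % rules and exact comparison for plain names are assumptions.

```python
import glob
import os
import re
import tempfile

# Wildcard path and LOG rule exactly as posted in the thread.
CLIENT_GLOB = "/wls_domains/*/servers/*adminServer/logs/*domain.log"
SERVER_RULE = "%/wls_domains/.*/servers/.*adminServer/logs/.*domain.log"

# Constructed sample layout; only the first path appears in the thread.
SAMPLE_FILES = [
    "/wls_domains/demo_alsb_domain/servers/demo_alsb_adminServer/logs/demo_alsb_domain.log",
    "/wls_domains/test_domain/servers/test_adminServer/logs/test_domain.log",
    "/wls_domains/test_domain/servers/managed1/logs/managed1.log",
]


def build_tree(root):
    """Create empty files for SAMPLE_FILES underneath root."""
    for rel in SAMPLE_FILES:
        path = root + rel
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def expand(root, pattern):
    """Exact filenames a shell would print for pattern, with root stripped."""
    hits = glob.glob(glob.escape(root) + pattern)
    return sorted(h[len(root):] for h in hits)


def rule_matches(rule, filename):
    """'%' prefix: regex search (assumed); otherwise exact match (assumed)."""
    if rule.startswith("%"):
        return re.search(rule[1:], filename) is not None
    return rule == filename


def coverage(root, pattern, rule):
    """Map each expanded filename to whether the server rule applies to it."""
    return {name: rule_matches(rule, name) for name in expand(root, pattern)}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_tree(root)
        for name, ok in coverage(root, CLIENT_GLOB, SERVER_RULE).items():
            print("rule applies" if ok else "NO RULE     ", name)
```
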
list Neil Simmonds
Hi all, Perhaps we have unusual requirements but I've discovered an issue with Log file monitoring that I could do with a solution for. If we get some error messages in a log file then the msgs icon will successfully change colour, however if the next polling interval gets no error messages then it will revert to green. Unfortunately in our environment it is entirely possible that this brief colour change could be missed. I know I can configure alerts.cfg to send an alert out if we get any errors but what I would really like is a way to keep the colour change for a period of time after the log file entries appear. A bit like the new delayred/delayyellow functions but in reverse. Regards, Neil Simmonds Operations Analyst Operations Support Group Express Gifts Ltd. user-8188d25e65e4@xymon.invalid Tel :- 01254 303092 Fax :- 01254 303100
list Neil Simmonds
Hi all, As far as I can see there is no built in way in Xymon to monitor a log for the number of times a string has occurred in a specified time period. Is this something that other people would find useful? (even if it was only a count of occurrences within the last 30 minutes and not a configurable time). Is there any chance something like this may be in a future release Henrik? Regards, Neil Simmonds Senior Operations Analyst (Operations Support Group) Express Gifts Limited Express House Clayton Business Park Accrington Lancashire BB5 5JY T: 01254 303092 | E: user-8188d25e65e4@xymon.invalid
list W.J.M. Nelis
Hello,
Hi all, As far as I can see there is no built in way in Xymon to monitor a log for the number of times a string has occurred in a specified time period. Is this something that other people would find useful? (even if it was only a count of occurrences within the last 30 minutes and not a configurable time).
This is a useful feature, but I doubt if I will use it if implemented in Xymon. I've written two custom scripts which do just this type of data collection. One script counts the number of denied licence requests from the FLEXlm log file (one log file per product), the other one counts the number of DHCP discovers, requests etc. from the ISC dhcpd log file. Both scripts use quite different counting strategies.

The first script counts the number of denied license request since the start of this year. The result is fed into RRD, using a DS of type DERIVE with a minimum of zero. The minimum suppresses the negative spike at each new year.

The second script starts reading the log file at the location where it stopped the last time. This is a faster method, but it introduces small errors. Some (small) parts of the log file can be scanned twice or some (small) parts are never scanned, depending on the moment the file size (which is the starting point for the next pass) is retrieved.

Both scripts do something special with fast repeating entries: if two or more license requests from one requester for one particular product are denied within two seconds the set of denials is counted as one denial, and hosts which send many DHCP requests are reported. Hence the doubt if I will use a similar functionality in Xymon. Regards, Wim Nelis.
list Hernán Berman
hi guys, to analyze logs you can use "sec.pl" this is a powerful open source tool http://simple-evcorr.sourceforge.net/ Regards HB
list Andy Smith
Hernán Berman wrote:
hi guys, to analyze logs you can use "sec.pl" this is a powerful open source tool http://simple-evcorr.sourceforge.net/
We also make use of the Simple Event Correlator both on clients to analyze fast moving logs (and/or logs in real time) and also on the Xymon Server to analyze trap logs in the manner of http://cerebro.victoriacollege.edu/hobbit-trap.html (which is linked under Tips and Tricks on the Help pages). We have a perl module that can be integrated with SEC which makes it possible to install SEC on clients completely independently from any Xymon Client software if necessary. It is still a pain having to manage SEC rules locally on every client, but you can overcome this by keeping the rules on the Xymon server and use the Xymon download command from within SEC to keep these in sync. -- Andy
list Jeremy Laidman
On 4 March 2014 00:17, Neil Simmonds <user-feff97fabd3d@xymon.invalid> wrote:
As far as I can see there is no built in way in Xymon to monitor a log for the number of times a string has occurred in a specified time period.
Sure there is. From the client-local.cfg file comments:

# "linecount:FILENAME"
# Monitor the text-based logfile FILENAME, but just
# count the number of times certain expressions appear.
# This processes the entire file every time. It must
# be followed by one or more lines with
# "KEYWORD PATTERN"
# KEYWORD identifies this count. You can use any string
# except whitespace. PATTERN is a regular expression
# that you want to search for in the file.

I use this to monitor the count of "xfer-in" and "xfer-out" messages on my DNS servers. There's already a graphs.cfg definition called [lines] that presents them nicely in a graph. J
list Neil Simmonds
I've just had a chance to look at this and it still doesn't fit my original
requirements. I want to count the number of lines matching a regex within a
specific time period. So for example I might want to alert if I get 10
warning messages in 30 minutes.
Built in Xymon functionality does not seem to give me a way of doing this.
I'm looking into Simple Event Correlator as suggested by Henrik as a
solution for this but it seems a little heavy solution for a simple
requirement. I'm hopeful other requirements will occur in the future to
justify the time spent on SEC,
Given the fact that once people hear of the capability they'll come up with
all sorts of ways of using it, I'm guessing it will get used.
Neil.
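The requirement Neil states (N lines matching a regex within a time window), with a simplified, global form of the repeat folding Wim describes, as an added example that is not Xymon or SEC code. The sample lines are constructed, the syslog timestamp layout and the year passed in by the caller are assumptions, and all function names are illustrative.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines in classic syslog layout (no year in the timestamp).
SAMPLE = [
    "Mar  3 10:00:00 host app[1]: WARNING queue full",
    "Mar  3 10:00:01 host app[1]: WARNING queue full",
    "Mar  3 10:05:00 host app[1]: INFO heartbeat",
    "Mar  3 10:10:00 host app[1]: WARNING queue full",
    "Mar  3 10:29:59 host app[1]: WARNING queue full",
    "Mar  3 10:45:00 host app[1]: WARNING queue full",
]

TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")


def parse_ts(line, year):
    """Return the line's timestamp, or None if it has no syslog prefix."""
    m = TS.match(line)
    if m is None:
        return None
    text = "%d %s %s %s" % (year, m.group(1), m.group(2), m.group(3))
    return datetime.strptime(text, "%Y %b %d %H:%M:%S")


def window_alerts(lines, pattern, year, threshold=10,
                  window=timedelta(minutes=30), fold=timedelta(0)):
    """Return [(timestamp, count)] for each match that brings the number of
    counted matches inside `window` to `threshold` or more.

    A match arriving within `fold` of the last counted match is treated as
    a repeat and not counted (fold=0 disables this).
    """
    rx = re.compile(pattern)
    recent = deque()          # timestamps of counted matches still in window
    last_counted = None
    alerts = []
    for line in lines:
        ts = parse_ts(line, year)
        if ts is None or not rx.search(line):
            continue
        if fold and last_counted is not None and ts - last_counted <= fold:
            continue
        last_counted = ts
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ts, len(recent)))
    return alerts


if __name__ == "__main__":
    # Threshold lowered to 3 so the short sample can trigger.
    for when, count in window_alerts(SAMPLE, r"WARNING", 2014, threshold=3,
                                     fold=timedelta(seconds=2)):
        print("%s: %d warnings in the last 30 minutes" % (when, count))
```
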