False alarm on proc
list Jaime Kikpole
My xymon system has been running well for years and it just started showing a red alarm on one of my host's processes list. It claims that there are 0 (zero) instances of every process it is checking for, but I can still ssh over to that host and see the processes in a ps command. I'm honestly at a loss. I'm not sure how to troubleshoot this. Any advice? Jaime Kikpole Director of Technology & Innovations Cairo-Durham Central School District (XXX) XXX-XXXX, x59500 cairodurham.org <http://www.cairodurham.org>; Technical Support: user-2eed5d3dd752@xymon.invalid go.cairodurham.org/techtips <https://www.credential.net/d24m9rrp>; -- This electronic message and any attachment(s) may contain confidential or legally privileged information protected by law from further disclosure and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agency responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachment(s). Please notify the sender immediately by return email or telephone and permanently delete this message and attachment(s) from your system.
list Paul Root
Look in your xymond test on your server. I?d bet that you are getting oversized messages coming in from that host, and so processes is getting truncated. Or look at processes for that host. And you will see that the process table isn?t complete. Ultimately, you?ll need to increase messages in your configuration file.
▸
From: Jaime Kikpole <user-c575ba5bb612@xymon.invalid>
Sent: Wednesday, May 06, 2020 2:52 PM
To: xymon at xymon.com
Subject: False alarm on proc
My xymon system has been running well for years and it just started showing a red alarm on one of my host's processes list. It claims that there are 0 (zero) instances of every process it is checking for, but I can still ssh over to that host and see the processes in a ps command.
I'm honestly at a loss. I'm not sure how to troubleshoot this. Any advice?
[https://s3.amazonaws.com/htmlsig-assets/spacer.gif]
▸
Jaime Kikpole
Director of Technology & Innovations
Cairo-Durham Central School District
(XXX) XXX-XXXX, x59500cairodurham.org<https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%2fwww.cairodurham.org&umid=33760788-A500-3905-8BC8-4967B16CB618&auth=19120be9529b25014b618505cb01789c5433dae7-0cd119db5bbfc7260beb80640b84368f5878c1f1>; Technical Support: user-2eed5d3dd752@xymon.invalid<mailto:user-2eed5d3dd752@xymon.invalid> go.cairodurham.org/techtips<https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%2fgo.cairodurham.org%2ftechtips&umid=33760788-A500-3905-8BC8-4967B16CB618&auth=19120be9529b25014b618505cb01789c5433dae7-3f1cdf5014891be60a8d9cfac22252e12e3f30eb>; [https://drive.google.com/a/cairodurham.org/uc?id=11_6AEsVwBo6dOoVtRQGLMe9sQ-0t0-ga&export=download]<https://imss91-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fwww.credential.net%2fd24m9rrp&umid=33760788-A500-3905-8BC8-4967B16CB618&auth=19120be9529b25014b618505cb01789c5433dae7-2141eb3834e531da3de3ee87bf004f2f49b91746>[https://api.accredible.com/v1/frontend/credential_website_embed_image/badge/13415328] This electronic message and any attachment(s) may contain confidential or legally privileged information protected by law from further disclosure and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agency responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachment(s). Please notify the sender immediately by return email or telephone and permanently delete this message and attachment(s) from your system. This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
list Jaime Kikpole
You're not going to believe this, but the FreeBSD system running Xymon is listing Windows processes in the proc test. Which is why it can't see httpd, sshd, etc. processes. I just set up a new Windows Server 2019 VM yesterday and added the PowerShell version of the Xymon client. I accidentally put the server's name in the configuration file where the host's name is supposed to go. The server must have accepted it at its word, pulled in the process list after it read its own process list, and overwritten the process list. Thus the alert is logical, but the sysadmin isn't. :) Thanks for pointing out the process list and making me realize this.
▸
Jaime Kikpole Director of Technology & Innovations Cairo-Durham Central School District (XXX) XXX-XXXX, x59500 cairodurham.org <http://www.cairodurham.org>; Technical Support: user-2eed5d3dd752@xymon.invalid go.cairodurham.org/techtips <https://www.credential.net/d24m9rrp>;
On Wed, May 6, 2020 at 4:16 PM Root, Paul T <user-76fdb6883669@xymon.invalid>
▸
wrote:
Look in your xymond test on your server. I?d bet that you are getting oversized messages coming in from that host, and so processes is getting truncated. Or look at processes for that host. And you will see that the process table isn?t complete. Ultimately, you?ll need to increase messages in your configuration file. *From:* Jaime Kikpole <user-c575ba5bb612@xymon.invalid> *Sent:* Wednesday, May 06, 2020 2:52 PM *To:* xymon at xymon.com *Subject:* False alarm on proc My xymon system has been running well for years and it just started showing a red alarm on one of my host's processes list. It claims that there are 0 (zero) instances of every process it is checking for, but I can still ssh over to that host and see the processes in a ps command. I'm honestly at a loss. I'm not sure how to troubleshoot this. Any advice? *Jaime Kikpole* *Director of Technology & Innovations* *Cairo-Durham Central School District* (XXX) XXX-XXXX, x59500 cairodurham.org
<https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%2fwww.cairodurham.org&umid=33760788-A500-3905-8BC8-4967B16CB618&auth=19120be9529b25014b618505cb01789c5433dae7-0cd119db5bbfc7260beb80640b84368f5878c1f1>; *Technical Support:* user-2eed5d3dd752@xymon.invalid go.cairodurham.org/techtips <https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%2fgo.cairodurham.org%2ftechtips&umid=33760788-A500-3905-8BC8-4967B16CB618&auth=19120be9529b25014b618505cb01789c5433dae7-3f1cdf5014891be60a8d9cfac22252e12e3f30eb>; <https://imss91-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fwww.credential.net%2fd24m9rrp&umid=33760788-A500-3905-8BC8-4967B16CB618&auth=19120be9529b25014b618505cb01789c5433dae7-2141eb3834e531da3de3ee87bf004f2f49b91746>;
▸
This electronic message and any attachment(s) may contain confidential or
legally privileged information protected by law from further disclosure and
is intended only for the individual or entity identified above as the
addressee. If you are not the addressee (or the employee or agency
responsible to deliver it to the addressee), or if this message has been
addressed to you in error, you are hereby notified that you may not copy,
forward, disclose or use any part of this message or any attachment(s).
Please notify the sender immediately by return email or telephone and
permanently delete this message and attachment(s) from your system.
This communication is the property of CenturyLink and may contain
confidential or privileged information. Unauthorized use of this
communication is strictly prohibited and may be unlawful. If you have
received this communication in error, please immediately notify the sender
by reply e-mail and destroy all copies of the communication and any
attachments.
-- This electronic message and any attachment(s) may contain confidential or legally privileged information protected by law from further disclosure and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agency responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachment(s). Please notify the sender immediately by return email or telephone and permanently delete this message and attachment(s) from your system.
list Ralph Mitchell
Take a look at the Client Log that the Xymon server received. It could be the report has grown to the point where not all of it is being delivered. The process list may be being truncated. The last thing in the report should be the [clock] section: [clientversion] Xymon version 4.3.30 [clock] epoch: 1588807860.530185 local: 2020-05-06 19:31:00 EDT UTC: 2020-05-06 23:31:00 GMT Ralph Mitchell On Wed, May 6, 2020 at 4:00 PM Jaime Kikpole via Xymon <xymon at xymon.com> wrote:
---------- Forwarded message ---------- From: Jaime Kikpole <user-c575ba5bb612@xymon.invalid> To: xymon at xymon.com Cc: Bcc: Date: Wed, 6 May 2020 15:52:08 -0400
▸
Subject: False alarm on proc My xymon system has been running well for years and it just started showing a red alarm on one of my host's processes list. It claims that there are 0 (zero) instances of every process it is checking for, but I can still ssh over to that host and see the processes in a ps command. I'm honestly at a loss. I'm not sure how to troubleshoot this. Any advice? Jaime Kikpole Director of Technology & Innovations Cairo-Durham Central School District (XXX) XXX-XXXX, x59500 cairodurham.org <http://www.cairodurham.org>; Technical Support: user-2eed5d3dd752@xymon.invalid go.cairodurham.org/techtips <https://www.credential.net/d24m9rrp>; This electronic message and any attachment(s) may contain confidential or legally privileged information protected by law from further disclosure and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agency responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachment(s). Please notify the sender immediately by return email or telephone and permanently delete this message and attachment(s) from your system.
---------- Forwarded message ----------
From: Jaime Kikpole via Xymon <xymon at xymon.com>
To: xymon at xymon.com
Cc:
Bcc:
Date: Wed, 6 May 2020 15:52:08 -0400
Subject: [Xymon] False alarm on proc