MSGS from BBWin client goes purple
list Ricardo Alberto Schutz
Can someone help on this?
We are having some trouble with BBWin. Our linux clients are configured in central mode, so all the configuration is made on the server. Now we have to watch some Windows clients, which are configured in local mode.
The problem is with the "msgs". One specific client goes purple sometimes. But not the entire host, only the msgs column. Procs, disk, memory, svcs etc. are all green; only the msgs column goes purple.
My BBWin.cfg is as follows
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <bbwin>
    <setting name="bbdisplay" value="ourbbdisplay:1984" />
    ...
    <setting name="mode" value="local" />
    <setting name="configclass" value="win32" />
    ...
    <load name="msgs" value="msgs.dll"/>
    <load name="procs" value="procs.dll"/>
    <load name="stats" value="stats.dll"/>
    <load many others...>
    ...
  </bbwin>
  <cpu>
    ...
  </cpu>
  <disk>
    ...
  </disk>
  <externals>
    ...
  </externals>
  <memory>
    ...
  </memory>
  <msgs>
    <setting name="alwaysgreen" value="false" />
    <setting name="delay" value="30m" />
    <match logfile="System" type="error" alarmcolor="red" />
    <match logfile="System" type="warning" alarmcolor="yellow" />
    <match logfile="Application" type="error" alarmcolor="red" />
    <match logfile="Application" type="warning" alarmcolor="yellow" />
    <match logfile="Security" type="fail" />
    <ignore logfile="Security" eventid="537" />
    <ignore logfile="Application" eventid="17" />
  </msgs>
  <procs>
    ...
  </procs>
  <svcs>
    ...
  </svcs>
  <uptime>
    ...
  </uptime>
</configuration>
Is there something wrong with the configuration? How can I find out why it is going purple? There's no "Client data" available, maybe because it's running in "local mode"?
Thanks.
--
Ricardo Alberto Schütz - Consultor
Redix - Gestão em T.I. com Software Livre
http://www.redix.com.br - user-5105202f6a95@xymon.invalid
Tel. Coml.: +55 (47) 3323-7313
Tel. Cel.: +55 (47) 9186-9868
list Etienne Grignon
Hello,

2008/4/22, Ricardo Alberto Schutz <user-14341ee58574@xymon.invalid>:
The problem may be that there are too many events in your event log, so it takes too much time to get the last 30 minutes of events to be sent to hobbit. Could you check how many events are generated in your event log every minute?

Regards,
--
Etienne GRIGNON
list Ricardo Alberto Schutz
Well, I surely can't count on my fingers how many events are generated every minute. But I can say it gets close to 200 security events per second, which would result in something about 360k events every 30 minutes.

Shouldn't the Hobbit client analyze these events and return only the matching ones to the server?

Thank you.
list Etienne Grignon
Hi Ricardo,

2008/4/25 Ricardo Alberto Schutz <user-14341ee58574@xymon.invalid>:
If you have rules for the security event log, BBWin will parse every event from the last 30 minutes. So, 360k events take some time to be parsed every 5 minutes.

Regards,
--
Etienne GRIGNON
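An added example, written for this page and not code from BBWin, Xymon or either poster: a Python simulation of how the <msgs> rules from the first post get applied to a handful of constructed event records, together with the scan-volume arithmetic from Etienne's replies. The rule semantics it assumes (an <ignore> drops an event before any <match> is tried, the worst alarmcolor among fired rules wins, a <match> without alarmcolor alarms red, and delay values carry an s/m/h suffix) are assumptions for the illustration, not taken from BBWin's source; the sample events are constructed.

```python
"""Simulate BBWin-style <msgs> rule evaluation and its scan cost.

Assumed semantics (illustration only, not BBWin's implementation):
  * an <ignore logfile eventid> rule drops the event before any <match>;
  * a <match logfile type alarmcolor> fires on logfile + event type, and the
    column takes the worst alarmcolor among the rules that fired;
  * every event inside the "delay" window is read, whether it matches or not.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The <msgs> section posted in the thread (rules and delay are the poster's).
MSGS_CFG = """<msgs>
  <setting name="alwaysgreen" value="false" />
  <setting name="delay" value="30m" />
  <match logfile="System" type="error" alarmcolor="red" />
  <match logfile="System" type="warning" alarmcolor="yellow" />
  <match logfile="Application" type="error" alarmcolor="red" />
  <match logfile="Application" type="warning" alarmcolor="yellow" />
  <match logfile="Security" type="fail" />
  <ignore logfile="Security" eventid="537" />
  <ignore logfile="Application" eventid="17" />
</msgs>"""

COLOR_RANK = {"green": 0, "yellow": 1, "red": 2}
DEFAULT_ALARMCOLOR = "red"  # assumption: <match> without alarmcolor alarms red


@dataclass(frozen=True)
class Event:
    logfile: str   # "System", "Application", "Security"
    etype: str     # "error", "warning", "fail", "success", ...
    eventid: int
    message: str


# Constructed sample records; not real Windows event log content.
SAMPLE_EVENTS = [
    Event("System", "error", 7000, "service failed to start"),
    Event("Application", "warning", 100, "application warning"),
    Event("Application", "error", 17, "ignored by eventid 17 rule"),
    Event("Security", "fail", 537, "ignored by eventid 537 rule"),
    Event("Security", "fail", 529, "logon failure"),
    Event("Security", "success", 528, "successful logon, no rule"),
]


def parse_delay(text):
    """'30m' -> 1800 seconds. Suffixes s/m/h are an assumed syntax."""
    units = {"s": 1, "m": 60, "h": 3600}
    return int(text[:-1]) * units[text[-1]]


def parse_msgs(xml_text):
    """Split a <msgs> element into (settings, match rules, ignore set)."""
    root = ET.fromstring(xml_text)
    settings = {s.get("name"): s.get("value") for s in root.findall("setting")}
    matches = [
        (m.get("logfile"), m.get("type"), m.get("alarmcolor", DEFAULT_ALARMCOLOR))
        for m in root.findall("match")
    ]
    ignores = {(i.get("logfile"), int(i.get("eventid"))) for i in root.findall("ignore")}
    return settings, matches, ignores


def evaluate(events, matches, ignores):
    """Return (column_color, reported_events, events_scanned).

    events_scanned counts every record in the window: the client has to read
    each one to decide whether a rule applies, which is the cost the thread is
    about, independent of how few end up reported.
    """
    color = "green"
    reported = []
    for ev in events:
        if (ev.logfile, ev.eventid) in ignores:
            continue
        for logfile, etype, alarmcolor in matches:
            if ev.logfile == logfile and ev.etype == etype:
                reported.append((ev, alarmcolor))
                if COLOR_RANK[alarmcolor] > COLOR_RANK[color]:
                    color = alarmcolor
                break
    return color, reported, len(events)


def events_per_run(events_per_second, delay_seconds):
    """Records one msgs run must read: everything generated in the delay window."""
    return events_per_second * delay_seconds


if __name__ == "__main__":
    settings, matches, ignores = parse_msgs(MSGS_CFG)
    color, reported, scanned = evaluate(SAMPLE_EVENTS, matches, ignores)
    print(f"column colour: {color}; reported {len(reported)} of {scanned} scanned")
    window = parse_delay(settings["delay"])
    print(f"at 200 Security events/s, one run reads {events_per_run(200, window)} events")
```

The figure `evaluate()` makes explicit is the one in Etienne's answer: `events_scanned` is every record in the delay window regardless of matches, so at 200 Security events per second and a 30m delay each run reads 360,000 events even though only a handful are reported to the server.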