Xymon on Mac OS X: Time Machine volumes; stopping after IGNORE
list Greg Earle
Huge thanks to Henrik for solving my earlier problem with .net alerts.
My Linux & Solaris hosts are humming along nicely, but I'm trying to add
a few Macs to the soup and have two minor issues to solve. I've installed
Xymon on my work Mac as a sandbox for this and here's what I'm running
into:
(1) My Mac has a Time Machine volume mounted on "/Volumes/Time Machine Backups".
It's often close to full and with a high percentage of used inodes:
[15:03] macmini:~ % df -h /Volumes/Time\ Machine\ Backups
Filesystem Size Used Avail Capacity iused ifree %iused Mounted on
/dev/disk1s2 931Gi 900Gi 31Gi 97% 236011707 8094959 97% /Volumes/Time Machine Backups
(2) We have Tripwire installed everywhere in a certain path. The Mac does
not have it installed. I want Xymon to ignore this and stop, rather
than falling down through to the global PROC setting for this path.
My RE smack-fu must be sorely lacking in my old age, because this isn't
working (in analysis.cfg):
HOST=macmini
INODE %^*.Time.Machine.Backups IGNORE
DISK %^*.Time.Machine.Backups 98 99
PROC "/opt/tripwire/te/agent/jre/bin/java" IGNORE STOP
(I'm guessing that in the case of (2), the STOP keyword is not recognized
when used in that file. I do see it picking up on the IGNORE in the
resultant alert e-mail; but then it falls through to the 2 PROC lines
I have at the bottom of the file and I get the alert for no Tripwire
anyway.)
Any help for mount paths with spaces in them, and ignoring a global PROC
setting on an individual host basis?
- Greg
list Adam Goryachev
▸
On 08/05/14 08:10, Greg Earle wrote:
My RE smack-fu must be sorely lacking in my old age, because this isn't
working (in analysis.cfg):
HOST=macmini
INODE %^*.Time.Machine.Backups IGNORE
DISK %^*.Time.Machine.Backups 98 99
PROC "/opt/tripwire/te/agent/jre/bin/java" IGNORE STOPI'm not 100%, but I think you will need something like this:
HOST=macmini
INODE %^.*.Time.Machine.Backups IGNORE
DISK %^.*.Time.Machine.Backups 98 99
PROC "/opt/tripwire/te/agent/jre/bin/java" IGNORE
Also, you will need to put this entry below the "default" entry for all
other clients. I think it is based on the order of the file only.
I'm not up to date with the versions though, so maybe some new features
will provide alternative solutions for you.
Regards,
Adam
--
Adam Goryachev Website Managers www.websitemanagers.com.au
list Jeremy Laidman
▸
On 8 May 2014 08:10, Greg Earle <user-8f45ae7a27f3@xymon.invalid> wrote:
My RE smack-fu must be sorely lacking in my old age, because this isn't
working (in analysis.cfg):
HOST=macmini
INODE %^*.Time.Machine.Backups IGNORE
DISK %^*.Time.Machine.Backups 98 99
PROC "/opt/tripwire/te/agent/jre/bin/java" IGNORE STOP
Firstly, you probably want ".*" instead of "*.". The "*" means "zero or more of the last character", so ".*" means "zero or more of any character". That's basic RE that you need to know. If you want to exactly match "/Volumes/Time Machine Backups" then you shouldn't need to use a regular expression at all, and just put the filesystem name in quotes (to allow spaces in the filesystem name): DISK "/Volumes/Time Machine Backups" 98 99 Unfortunately, that doesn't work. The parser does the right thing, but the filesystem matching code matches against the part of the filesystem name up to the first space. (Interestingly, "xymond_client --test" matches correctly.) So this would match your "Time Machine Backups" volume: DISK /Volumes/Time 98 99 But this would also match other filesystem names starting with "Time" when followed by a space, like "/Volumes/Time Magazine Photos". You probably don't want that. From what I can tell, a regular expression is the only way to match filesystem names containing spaces. If you want to match any volume mounted in a folder called "Time Machine backups", and mounted anywhere on the filesystem, then you don't need to anchor to the start with "^". Instead, you really want to anchor it to the end. You want to match (for example) "/any/where/Time Machine Backups" but not "/some/place/Time Machine Backups Copy", nor "/other/place/Copy of Time Machine Backups". So: DISK "%/Time Machine Backups$" 98 99 So this matches if the end of the mount point has a slash then the string "Time Machine Backups". Because it's in quotes, the spaces will be included in the regular expression. This is what I'd do. If you wanted to leave out the quotes for some reason, you could replace the spaces with dots: DISK %/Time.Machine.Backups$ 98 99 but that would also match "/Volumes/TimerMachine-Backups", which isn't strictly correct for your use-case, but will probably always do what you want anyway. A more correct way to match a whitespace character using "\s", like so: DISK %/Time\sMachine\sBackups$ 98 99 Technically, this is also not correct because it matches tabs also. But you can use an escaped octal or hex character to specify a space: DISK %/Time\040Machine\040Backups$ 98 99 This is almost certainly more than you wanted to know about the subject. But I hope that at least you'll understand why your attempt didn't work. Cheers Jeremy
list Paul Root
Should it be %^.*Time? For 2, Instead of having tripwire in your defaults, have it in the last entry before defaults like this: HOST=* EXHOST=macmini PROC "/opt/tripwire/te/agent/jre/bin/java" 1 1 red
▸
-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Greg Earle
Sent: Wednesday, May 07, 2014 5:10 PM
To: xymon at xymon.com
Subject: [Xymon] Xymon on Mac OS X: Time Machine volumes; stopping after IGNORE
Huge thanks to Henrik for solving my earlier problem with .net alerts.
My Linux & Solaris hosts are humming along nicely, but I'm trying to add
a few Macs to the soup and have two minor issues to solve. I've installed
Xymon on my work Mac as a sandbox for this and here's what I'm running
into:
(1) My Mac has a Time Machine volume mounted on "/Volumes/Time Machine Backups".
It's often close to full and with a high percentage of used inodes:
[15:03] macmini:~ % df -h /Volumes/Time\ Machine\ Backups
Filesystem Size Used Avail Capacity iused ifree %iused Mounted on
/dev/disk1s2 931Gi 900Gi 31Gi 97% 236011707 8094959 97% /Volumes/Time Machine Backups
(2) We have Tripwire installed everywhere in a certain path. The Mac does
not have it installed. I want Xymon to ignore this and stop, rather
than falling down through to the global PROC setting for this path.
My RE smack-fu must be sorely lacking in my old age, because this isn't
working (in analysis.cfg):
HOST=macmini
INODE %^*.Time.Machine.Backups IGNORE
DISK %^*.Time.Machine.Backups 98 99
PROC "/opt/tripwire/te/agent/jre/bin/java" IGNORE STOP
(I'm guessing that in the case of (2), the STOP keyword is not recognized
when used in that file. I do see it picking up on the IGNORE in the
resultant alert e-mail; but then it falls through to the 2 PROC lines
I have at the bottom of the file and I get the alert for no Tripwire
anyway.)
Any help for mount paths with spaces in them, and ignoring a global PROC
setting on an individual host basis?
- Greg
list Greg Earle
Thanks to Adam Goryachev, Jeremy Laidman, and the mysterious "Paul T Root" at Century Link for responding. I wasn't familiar with EXHOST (more examples in the .cfg files would be helpful, Mr. Author sir), but I used "Paul"'s solution for the Tripwire exclusion and it works great:
▸
"For 2, Instead of having tripwire in your defaults, have it in the last entry
before defaults like this:
HOST=* EXHOST=macmini
PROC "/opt/tripwire/te/agent/jre/bin/java" 1 1 red"
Thanks for that - I can use it in other places, like on my Linux RAID boxes where all but 2 of them run a 3ware daemon, etc. Anyway, back to Time Machine and volumes with spaces, unfortunately I'm still getting the INODE alerts. I've tried every RE in Jeremy's post and none of them are working. :-( (As Jeremy and "Paul" pointed out, apparently when I am editing files at 4 AM, the dyslexia kicks in and I biffed the RE. Fixed now.) Maybe if I show you the alert message it will help. I'm baffled by the "<!-- ID=/Volumes/Time Machine Backups --> /Volumes/Time Machine Backups" string construct in the tag I'm seeing, and wondering if that string isn't what is screwing things up with all these RE's I've been trying. - Greg -------- Begin Forwarded Message From: xymon Monitor <user-cf0ff58665e8@xymon.invalid> Subject: Xymon [169050] macmini:inode CRITICAL (RED) Date: May 8, 2014 3:36:14 PM PDT To: Super User <user-c2a5af7c8254@xymon.invalid> red Thu May 8 15:33:12 PDT 2014 - Filesystems NOT ok &red <!-- ID=/Volumes/Time Machine Backups --> /Volumes/Time Machine Backups (97% used) has reached the PANIC level (95%) &yellow <!-- ID=/Volumes/Macintosh HD --> /Volumes/Macintosh HD (93% used) has reached the WARNING level (90%) Filesystem itotal iused ifree %iused Mounted /dev/disk0s2 237145994 178167303 58978691 75% / /dev/disk1s2 244106666 236045350 8061316 97% /Volumes/Time Machine Backups /dev/disk2s2 176632084 164649661 11982423 93% /Volumes/Macintosh HD See http://mgmt/xymon-cgi/svcstatus.sh?HOST=macmini&SERVICE=inode -------- End of Forwarded Message