[hobbit] log file monitoring issues

Gary B. gmbfly98 at gmail.com
Thu Aug 10 03:47:50 CEST 2006


Maybe I'm just missing something in the documentation, but I can't
seem to get the log file monitoring to work properly.  In the example
below, I'm trying to look at the "messages" and "maillog" files on
Linux.

Particularly, I'm trying to EXCLUDE the following "messages" lines:
Aug  9 21:19:45 www upsd[7860]: Connection from 127.0.0.1
Aug  9 21:19:45 www upsd[7860]: Client on 127.0.0.1 logged out
Aug  9 21:19:45 www upsd[7860]: Connection from 127.0.0.1

Aug  9 16:44:01 www crond(pam_unix)[5382]: session opened for user root by (uid=0)
Aug  9 16:44:14 www crond(pam_unix)[5382]: session closed for user root
Aug  9 16:45:01 www crond(pam_unix)[5484]: session opened for user mailman by (uid=0)
Aug  9 16:45:01 www crond(pam_unix)[5484]: session closed for user mailman

And EXCLUDE the following "maillog" lines:
Aug  6 11:55:02 www sendmail[15076]: k76Ft1pU015076: from=<mailman at HOSTNAME>, size=576, class=0, nrcpts=1, msgid=<200608061555.k76Ft1A2015075 at HOSTNAME>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]


Below are the respective lines from the "client-local.cfg" file:
log:/var/log/messages:10240
ignore upsd* Client|Connection 127.0.0.1
ignore session opened|closed for user mailman|root
log:/var/log/maillog:10240
ignore relay=localhost.localdomain
trigger denied

And below are the specific log entries I'm looking for from "hobbit-clients.cfg":
LOG     /var/log/maillog  "relaying denied"  color="yellow"


Now, the problem I'm having...
The "ignore" line for the /var/log/maillog file appears to be working
correctly, as it does indeed ignore such entries as shown above.  Also
working is the "ignore session opened..." line for the
/var/log/messages file.

What is NOT working is the "ignore" line for the "upsd*" lines in
/var/log/messages.  For the life of me, I just can't figure out how to
get that to work properly.  That is, two of the three "ignore" lines
are not working, as those lines still show up in the "full log"
output.  If anyone has any ideas, let me know.

I'm also having problems with some logs not showing up on the messages
page.  Do you need "LOG" entries in both the hobbit-clients.cfg AND
client-local.cfg, or will an entry in only client-local.cfg be
sufficient to have it show up on the messages page?
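
An added example, not part of the original post and not Hobbit/Xymon code: it assumes the "ignore" patterns are applied as unanchored regular expressions (Python's `re` stands in for the client's regex engine) and evaluates the two posted patterns against the posted log lines plus one constructed sshd line. The tightened patterns are hypothetical.

```python
import re

# Log lines quoted in the post (wrapped lines rejoined).
POSTED = [
    "Aug  9 21:19:45 www upsd[7860]: Connection from 127.0.0.1",
    "Aug  9 21:19:45 www upsd[7860]: Client on 127.0.0.1 logged out",
    "Aug  9 16:44:01 www crond(pam_unix)[5382]: session opened for user root by (uid=0)",
    "Aug  9 16:45:01 www crond(pam_unix)[5484]: session closed for user mailman",
]
# Constructed line (not from the post) that a monitor should never hide.
CONSTRUCTED = "Aug  9 22:01:13 www sshd[9001]: Failed password for root from 192.0.2.7"

# The two "ignore" patterns from the post's client-local.cfg.
# Assumption: each is one regex, so "|" splits the WHOLE pattern into alternatives.
POSTED_IGNORES = [
    r"upsd* Client|Connection 127.0.0.1",
    r"session opened|closed for user mailman|root",
]
# Hypothetical tightened patterns: grouped alternation, escaped literals.
TIGHT_IGNORES = [
    r"upsd\[[0-9]+\]: (Client on|Connection from) 127\.0\.0\.1",
    r"crond\(pam_unix\)\[[0-9]+\]: session (opened|closed) for user (mailman|root)( |$)",
]

def ignored(line, patterns):
    """True if any pattern matches anywhere in the line (unanchored search)."""
    return any(re.search(p, line) for p in patterns)

def report(patterns):
    """Map each sample line to whether the pattern set would suppress it."""
    return {line: ignored(line, patterns) for line in POSTED + [CONSTRUCTED]}

if __name__ == "__main__":
    for name, pats in (("posted", POSTED_IGNORES), ("tightened", TIGHT_IGNORES)):
        print(name)
        for line, hit in report(pats).items():
            print(f"  {'IGNORED' if hit else 'kept   '}  {line}")
```

Under that assumption, the bare `root` alternative in the second posted pattern also suppresses the constructed failed-login line, while both upsd lines stay visible.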


