[Xymon] data flooding by bbwin clients
jlaidman at rebel-it.com.au
Fri Jun 28 06:17:35 CEST 2013
Yeah, "eventlog:security:5120" might only be supported in newer versions of
BBWin. Try "msgs:eventlog_security:5120" instead, or upgrade to latest.
On 28 June 2013 09:23, Phil Crooker <Phil.Crooker at orix.com.au> wrote:
> >>> On 26/06/2013 at 1:22 PM, in message
> <CAAnki7BXPyCqRJDmC4qNTRLNt7pnQ-giQfwSbzK9QN=jdmpTrQ at mail.gmail.com>,
> Jeremy Laidman <jlaidman at rebel-it.com.au> wrote:
> On 26 June 2013 12:41, Phil Crooker <Phil.Crooker at orix.com.au> wrote:
>> Yes, one is supposed to be able to filter what gets passed into xymon in
>> via client-local.cfg on the xymon server but the problem is xymond rejects
>> everything because of "flooding" before it can be filtered.
> No, the section in the client-local.cfg file gets sent to the client, so
> that the messages are filtered on the client before being sent to the Xymon
> server. The "client" messages can be made smaller when filtered this way.
> OK, did some experimentation:
> Using log:security:5120 (for example) results in "[logfile:log:security]
> ERROR: The system cannot find file specified". I read that someone had
> tried eventlog:security:5120 but that gets the same error with
> tlog:security being not found. This is from tcpdump and could not find it
> in any logs.
> So, randomly trying things, I don't get the error if I use
> msgs:security:5120 but is is unclear that this is recognised by the client.
> In all cases, all entries have no effect - having the entry for a specific
> eventlog or not, having ignore statements, even putting :128 to limit the
> amount of data) and all logs are sent to xymond in their entirety and
> appear on the msgs page for that host under "Full log".
> I'll perhaps take this up with the bbwin list.
> cheers, Phil
> Please consider the environment before printing this e-mail
> This message from ORIX Australia may contain confidential and/or
> privileged information. If you are not the intended recipient, any use,
> disclosure or copying of this message (or of any attachments to it) is not
> authorised. If you have received this message in error, please notify the
> sender immediately and delete the message and any attachments from your
> system. Please inform the sender if you do not wish to receive further
> communications by email. ORIX handles personal information according to a
> Please let us know if you would like a copy.
> It is also available at http://www.orix.com.au
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Xymon