[Xymon] alert for non 200 status from log monitoring

Bill Arlofski waa-hobbitml at revpol.com
Sat Nov 1 21:28:07 CET 2014


On 10/31/2014 04:39 PM, deepak deore wrote:
> Hi,
> 
> I want to trigger an alert if there is a non-200 status in the Tomcat access
> logs below. I have enabled log monitoring in client-local.cfg, e.g. the log
> below has a non-200 status in the 3rd field from last.
> 
> 10.10.10.10 - - [31/Oct/2013:15:45:56 +0000] GET /some/long/url HTTP/1.0 404 2531 161
> 
> How can I define that pattern in analysis.cfg? I can define it for 404 as
> below, but would like to alert for all non-200.
> 
> LOG %/path/to/log_file/access\.[0-9]*-[0-9]*-[0-9]*\.log " 404 " COLOR=red
> 
> Thanks,
> Deepak


Hi Deepak

If you want the test to turn red on any non 200 status, you can omit
the COLOR=red because that is the default. You can also leave it for clarity
though. :)

I think the following will work. Replace your " 404 " with:

"%HTTP/1\.(1|0)[[:space:]][345][[:digit:]]{2}[[:space:]][[:digit:]]"

That should catch all HTTP/1.0 or HTTP/1.1 requests, followed by a literal
space, followed by a 3, or 4, or 5 followed by two more digits (to cover all
300, 400 and 500 series HTTP response codes), followed by a literal space,
followed by a digit.

If you don't look for the HTTP/1.(0|1) at the front, you will catch all other
300, 400, 500 numbers that are surrounded by spaces in your logs. For example,
the size of the request (if it is three digits) which follows the response
code in your example.


In my Apache log entries, the GET or POST requests are double-quoted like so:

.... "GET /wtf HTTP/1.1" 404 270 "-" "Mozilla/5.0 ....."

so I could use:

"%[[:punct:]][[:space:]][345][[:digit:]]{2}[[:space:]][[:digit:]]"

Which ignores the HTTP/1.(1|0) and just catches the closing double-quote after
the HTTP/1.0 or HTTP/1.1, the literal space, and then the non-200 response
code, followed by a space.


Also, you may not want to catch the 300 series response codes because they
mainly consist of non-warning or non-critical things like redirects.

Hope this helps.


-- 
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
-- Not responsible for anything below this line --
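
The following script is an added example, not part of the original thread. It runs the two patterns from the reply through `grep -E` over constructed log lines, assuming grep's POSIX ERE handles them the same way Xymon's regex matching does. The leading `%` (Xymon's regex marker) is dropped, the function and variable names are made up here, and `NAIVE` and `NO_3XX` are variations written for this example to show the unanchored false positive and the 300-series exclusion the reply mentions.

```shell
#!/bin/sh
# Constructed sample lines (not real traffic). Lines 1-4 use the unquoted
# Tomcat layout from the question, lines 5-6 the quoted Apache layout.
# Line 2 is a 200 response whose size happens to be 404 bytes.
sample_log() {
cat <<'EOF'
10.10.10.10 - - [31/Oct/2013:15:45:56 +0000] GET /some/long/url HTTP/1.0 404 2531 161
10.10.10.11 - - [31/Oct/2013:15:45:57 +0000] GET /index.html HTTP/1.1 200 404 12
10.10.10.12 - - [31/Oct/2013:15:45:58 +0000] POST /login HTTP/1.1 500 87 340
10.10.10.13 - - [31/Oct/2013:15:45:59 +0000] GET /old HTTP/1.1 302 0 5
10.10.10.14 - - [31/Oct/2013:15:46:00 +0000] "GET /wtf HTTP/1.1" 404 270 "-" "Mozilla/5.0"
10.10.10.15 - - [31/Oct/2013:15:46:01 +0000] "GET /ok HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# ANCHORED and QUOTED are the patterns from the reply.
# NAIVE (no anchor before the status) and NO_3XX (4xx/5xx only) are
# variations added for this example.
NAIVE='[[:space:]][345][[:digit:]]{2}[[:space:]]'
ANCHORED='HTTP/1\.(1|0)[[:space:]][345][[:digit:]]{2}[[:space:]][[:digit:]]'
QUOTED='[[:punct:]][[:space:]][345][[:digit:]]{2}[[:space:]][[:digit:]]'
NO_3XX='HTTP/1\.(1|0)[[:space:]][45][[:digit:]]{2}[[:space:]][[:digit:]]'

# Print how many sample lines a pattern matches (prints 0 if none match).
count_matches() {
    sample_log | grep -E -c -- "$1" || true
}

# Print the matching lines themselves, for eyeballing false positives.
show_matches() {
    sample_log | grep -E -- "$1" || true
}

for name in NAIVE ANCHORED QUOTED NO_3XX; do
    eval "pattern=\$$name"
    printf '%-9s %s line(s)\n' "$name" "$(count_matches "$pattern")"
done
```

`NAIVE` flags every line because a three-digit size such as 404 or 512 also sits between spaces, while `ANCHORED` only fits the unquoted layout and `QUOTED` only the quoted one, so the pattern has to be chosen to match the access log format actually in use.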


