[Xymon] Bug in msgs test in 4.3.19

J.C. Cleaver cleaver at terabithia.org
Fri Apr 17 01:42:37 CEST 2015



On Thu, April 16, 2015 7:24 am, Johan Sjöberg wrote:
> Hi.
>
> I upgraded our Xymon server to 4.3.19. Unfortunately, I experienced
> problems with the msgs test for the Xymon server itself.
> The most serious bug is that I am getting log rows associated with the
> wrong log file, and triggering alerts for that file.
>
> If I look in the client data, I can see that a few lines are from the
> correct file, but then it switches over to another log file's content:
>
> [msgs:/var/log/server01.log]
> <...SKIPPED...>
> Apr 16 15:53:32 server01 AppMailImporter[INFO]: KTRO2155 Successfully made
> deed avaliable to registrator group propID = 10029300
> Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 Email did not
> have a body or contains crap from scanners only. Not creating deed, but
> for attachments!
> Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 PostList item
> created with propID = 10101563
> Apr 16 15:54:38 server01 AppMailImporter[INFO]: KESK2216 Attachment
> written to disk with GUID = 6fc966f7-796b-427f-b114-173f927ae451.pdf
> Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Created document
> with propID = 10101564 and ObjectID = 15612
> <...CURRENT...>
> Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Successfully
> connected document with deed propID = 10101563 and ObjectID = 15612
> cal proxy 192.168.105.10/255.255.255.255/0/0 on interface outside
>
> Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, IP =
> 192.168.206.250, QM FSM error (P2 struct &0x00007fff4a020c40, mess id
> 0x5ac031d1)!
> Apr 16 15:51:02 fw2-v10 %ASA-3-713902: Group = 192.168.206.250, IP =
> 192.168.206.250, Removing peer from correlator table failed, no match!
>
> The logs for "server01" are from the correct file, but the ones from
> "fw2-v10" are from a different log file which has different alert match
> rules.
> The log file for fw2-v10 is also included in the client data, as a
> separate section.


Johan,

Thanks... Can you send your maxbytes configuration for this (direct is
fine), and possibly a run of it in --debug mode? (Manually edit
xymonclient.sh to add --debug=stderr to the logfetch execution.)

For the second log file, do you have multiple triggers and ignores being
used in selection of the lines to come in?



>
> Also, if I alert on all log entries, I now get alerts for <...CURRENT...>,
> which I guess is some tag that is added internally by Xymon. This I can
> avoid by adding ignore for this string, so it's not a big problem.

Correct, an analysis.cfg line like:

    LOG logfilename . COLOR=red

... will pick this up. An IGNORE= at the end would be your best option.
The docs should be updated for this use case.



Regards,

-jc
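
An added example, not part of the original thread and not Xymon code: a simplified model of a `LOG logfilename . COLOR=red` rule applied to one `[msgs:...]` section, showing why the `<...CURRENT...>` marker alerts, what an IGNORE removes, and that a misfiled line is still judged by the rule of the section it lands in. Assumptions: patterns are treated as Python regular expressions, and the second log file name and the shortened log lines are constructed.

```python
import re

MARKER = "<...CURRENT...>"
IGNORE_MARKER = re.escape(MARKER)  # exclude pattern for the marker line

# Constructed client data, modelled on the sections quoted in the thread.
# The second file name is a placeholder; the thread does not give it.
CLIENT_DATA = """\
[msgs:/var/log/server01.log]
Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Created document
<...CURRENT...>
Apr 16 15:54:39 server01 AppMailImporter[INFO]: KESK2216 Successfully connected
Apr 16 15:51:02 fw2-v10 %ASA-3-713902: QM FSM error
[msgs:/var/log/example-fw.log]
Apr 16 15:51:02 fw2-v10 %ASA-3-713902: QM FSM error
"""

def split_sections(data):
    """Map each [msgs:<file>] header to the lines that follow it."""
    sections, current = {}, None
    for line in data.splitlines():
        header = re.fullmatch(r"\[msgs:(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None:
            current.append(line)
    return sections

def alerts(sections, logfile, pattern, ignore=None):
    """Model of 'LOG logfile pattern [IGNORE=ignore]': return the lines in
    that file's section that match pattern and do not match ignore."""
    pat = re.compile(pattern)
    ign = re.compile(ignore) if ignore else None
    return [line for line in sections.get(logfile, [])
            if pat.search(line) and not (ign and ign.search(line))]

if __name__ == "__main__":
    secs = split_sections(CLIENT_DATA)
    log = "/var/log/server01.log"
    for label, ign in (("no IGNORE", None), ("IGNORE marker", IGNORE_MARKER)):
        print(label)
        for line in alerts(secs, log, ".", ign):
            print("  red:", line)
```

The IGNORE only drops the marker line; the fw2-v10 line that ended up in the server01 section still matches, which is the misattribution reported above.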



