[Xymon] analysis.cfg - LOG - keyword matching

Jeremy Laidman jlaidman at rebel-it.com.au
Wed Aug 10 05:46:34 CEST 2016


Christian

On Tue, Aug 9, 2016 at 5:53 PM Becker Christian <
christian.becker at rhein-zeitung.net> wrote:
<snip>

> I was thinking, that this directive
>
>         LOG     %/var/(adm|log)/messages ERROR
> IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport)
> COLOR=red
>
> should msgs let go to red, since the message of the affected server
> contains the keyword “error”, even in lowercase. But the history of the
> msgs test for the affected server doesn’t show any red status.
>
> I do not have the statement (?-i) in the analysis.cfg as documented in
> the Xymon man-pages:
>
>
>
> *Note that Xymon defaults to case-insensitive pattern matching; if that is
> not what you want, put "(?-i)" between the "%" and the regular expression
> to turn this off. E.g. "%(?-i)WARNING" will match the word WARNING only
> when it is upper-case.*
>
>
>
> *Is my thinking wrong?*
>
A little.

The man page mentions using "%(?-i)" in the context of matching regular
expressions.  For non-regular-expressions, this doesn't apply.  The code
that performs a non-RE match is:

        return (strstr(datatosearch, pattern) != NULL);

"strstr()" is a case-sensitive string match, so "ERROR" will not match
"error".

You can either have a second line with the lower-case string, or convert to
regular expression, and take advantage of the case-insensitive match:

        LOG     %/var/(adm|log)/messages %ERROR
IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport)
COLOR=red

Cheers
Jeremy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20160810/a795b2e4/attachment.html>


More information about the Xymon mailing list