[Xymon] PORTS and STATE syntax

Boldt, David dboldt at usgs.gov
Wed Mar 9 15:09:16 CET 2016


I'm not successful filtering on the connection state associated with a port.
None of the syntax variations I have tried have been successful.
If I remove the STATE specifier, matches are found.

There are multiple hosts connecting to the same port:

ESTAB      0      0              10.160.8.130:61617         10.160.8.132:57765
ESTAB      0      0              10.160.8.130:61617         10.160.8.132:57766
ESTAB      0      0              10.160.8.130:61617         10.160.8.132:57768
ESTAB      0      0              10.160.8.130:61617         10.160.8.133:45096
ESTAB      0      0              10.160.8.130:61617         10.160.8.133:45104
ESTAB      0      0              10.160.8.130:61617         10.160.8.133:45107
ESTAB      0      0              10.160.8.130:61617          130.118.4.2:36141
ESTAB      0      0              10.160.8.130:61617          130.118.4.2:36150
ESTAB      0      0              10.160.8.130:61617          130.118.4.2:36151
ESTAB      0      0              10.160.8.130:61617         136.177.16.3:34320
ESTAB      0      0              10.160.8.130:61617         136.177.16.3:34321
ESTAB      0      0              10.160.8.130:61617         136.177.16.3:34324
ESTAB      0      0              10.160.8.130:61617       137.227.240.32:50726
ESTAB      0      0              10.160.8.130:61617       137.227.240.32:50727
ESTAB      0      0              10.160.8.130:61617       137.227.240.32:50729
LISTEN     0      0                         *:61617                    *:*

I've set up several port monitoring specifications, but none of them
match the state (the first example where no state is specified
succeeds):

PORT LOCAL=%[:](61617) REMOTE=%10.160.8.132   MIN=3 MAX=3 COLOR=yellow TEXT=ActiveMQ-DHCP
PORT LOCAL=%[:](61617) REMOTE=%10.160.8.133   STATE=ESTABLISHED MIN=3 MAX=3 COLOR=yellow TEXT=ActiveMQ-nsp.er
PORT LOCAL=%[:](61617) REMOTE=%136.177.16.3   STATE=ESTAB MIN=3 MAX=3 COLOR=yellow TEXT=ActiveMQ-ns.cr
PORT LOCAL=%[:](61617) REMOTE=%137.227.240.32 STATE=%ESTAB MIN=3 MAX=3 COLOR=yellow TEXT=ActiveMQ-ns.er
PORT LOCAL=%[:](61617) REMOTE=%130.118.4.2    STATE=%ESTAB* MIN=3 MAX=3 COLOR=yellow TEXT=ActiveMQ-ns.wr

Note: On this server netstat does not exist and ss is being used.


Observation: Discovering the syntax for REMOTE was trial and error.
Specifying the IP address alone did not work, and I found no examples
for the type of filtering above.

-- 
                                         -- David Boldt
                                            <dboldt at usgs.gov>


   "Discovery consists of seeing what everybody has seen and thinking
what nobody has thought."
    --Albert Szent-Gyorgyi (1893 - 1986)
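Added example, not part of the post and not Xymon's own matcher: a small Python re-implementation of PORT-rule counting run over ss-style lines like the ones above. It assumes the simplified semantics that a field prefixed with % is a regex search and any other value is an exact string compare, so it shows how the ss state token ESTAB and the netstat-style token ESTABLISHED behave differently under each of the STATE forms tried in the post, and lets MIN/MAX thresholds be checked offline before they go into analysis.cfg.

```python
import re

# Constructed sample modelled on the ss output in the post (not the poster's data).
SS_OUTPUT = """\
ESTAB      0      0              10.160.8.130:61617         10.160.8.132:57765
ESTAB      0      0              10.160.8.130:61617         10.160.8.132:57766
ESTAB      0      0              10.160.8.130:61617         10.160.8.132:57768
ESTAB      0      0              10.160.8.130:61617         10.160.8.133:45096
ESTAB      0      0              10.160.8.130:61617         10.160.8.133:45104
ESTAB      0      0              10.160.8.130:61617         10.160.8.133:45107
ESTAB      0      0              10.160.8.130:61617          130.118.4.2:36141
LISTEN     0      0                         *:61617                    *:*
"""

def parse_ss(text):
    """Return (state, local, remote) per ss line; columns 2 and 3 are the queue sizes."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5:
            rows.append((parts[0], parts[3], parts[4]))
    return rows

def field_match(pattern, value):
    """Assumed semantics: '%...' is a regex search, anything else an exact compare."""
    if pattern is None:
        return True
    if pattern.startswith("%"):
        return re.search(pattern[1:], value) is not None
    return pattern == value

def check_port_rule(rows, local=None, remote=None, state=None, min_=None, max_=None):
    """Count rows matching every given field and grade the count against MIN/MAX."""
    n = sum(1 for st, lo, rm in rows
            if field_match(local, lo) and field_match(remote, rm) and field_match(state, st))
    ok = (min_ is None or n >= min_) and (max_ is None or n <= max_)
    return n, "green" if ok else "yellow"

if __name__ == "__main__":
    rows = parse_ss(SS_OUTPUT)
    rules = [  # the STATE variants from the post, applied to the sample above
        dict(local="%[:](61617)", remote="%10.160.8.132", min_=3, max_=3),
        dict(local="%[:](61617)", remote="%10.160.8.133", state="ESTABLISHED", min_=3, max_=3),
        dict(local="%[:](61617)", remote="%10.160.8.133", state="ESTAB", min_=3, max_=3),
        dict(local="%[:](61617)", remote="%130.118.4.2", state="%ESTAB*", min_=1, max_=1),
    ]
    for r in rules:
        print(r.get("state"), check_port_rule(rows, **r))
```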