Re: [hobbit] log file monitoring issues

["Gary B." <gmbfly98 (at) gmail.com>]

On 8/11/06, Henrik Stoerner <henrik (at) hswn.dk> wrote:
> On Fri, Aug 11, 2006 at 01:37:28PM -0400, Gary B. wrote:
> > Hmm.  Any ideas why the following wouldn't work?
> >
> > log:/var/log/messages:10240
> > ignore upsd* Client|Connection 127.0.0.1
> > ignore session opened|closed for user mailman|root
>
> Two errors:
>
> The first line has a wrong regex - it's a classic mistake to use
> "*" by itself to mean "anything", but that's not what it does.
> Your expression should be
>    ignore upsd.* Client|Connection 127.0.0.1

Ah.  I actually had that originally, but since it wasn't working, I
wasn't sure if it used "real" regexes, or "DOS command-line" regexes.

> Second, you can only have one "ignore" line. I admit that it would
> probably be useful to have multiple ignore lines, but that is
> not possible right now.
>
> > The "full log" output is still showing those lines.  Could it be the
> > same reason I wasn't seeing any data at all on the other servers; that
> > is, the log file just hasn't been updated, and it's still showing
> > those from previous lines?
>
> No, Hobbit processes all of the logfile data through the ignore- and
> trigger patterns each time it sends a message to the server.

Ah ha!  That explains it.  I removed the second ignore, and it's
working perfectly now.

> > If so, is there a way I could tell Hobbit to clear the existing data?
>
> Yes: Delete the ~hobbit/client/tmp/logfetch.HOSTNAME.status file.

Ah, that's simple.  Note to self: if there's something you want to do
with Hobbit, it's probably done fairly simply ;-)


Just ONE remaining issue now.  There are still additional log files I
want to check for that aren't showing up.  I have this specific
hosts's client-local.cfg entry defined as:

[master.homeoffice.none]
log:/var/log/samba/client.nmbd.log
log:/var/log/messages:10240
log:/var/log/maillog:10240
ignore relay=localhost\.localdomain
trigger denied

The "messages" and "maillog" entries are showing up just fine, but the
"client.nmbd.log" file is not showing up; not even with an empty "full
log" section.  Any ideas?

Also, do I need the escape character "\" to ignore the line that says
"relay=localhost.localdomain"?  I guess since "." means "any
character", it will work anyway without the "\"...