[hobbit] hobbitclient + msgs test sugesstion

Asif Iqbal iqbala-hobbit at qwestip.net
Tue Nov 29 22:42:21 CET 2005


On Tue, Nov 29, 2005 at 10:09:48PM, Henrik Stoerner wrote:
> Hi Peter (and anyone else interested),
> 
> On Tue, Nov 29, 2005 at 08:26:14PM +0100, Peter Welter wrote:
> > 
> > Since the msgs-check is not available yet in the Hobbit display, I
> > want to make a suggestion to have it enabled relatively easy. I think
> > of two methods:
> > 
> > -1- A client must have read access to the file [client picks out the
> >     "interesting" bits]
> > 
> > -2- Your Hobbit server must _also_ be a central loghost. [allows
> >     centralized configuration of how to monitor the logs]
> 
> I'm not really thrilled with either of these - sorry! Each of them
> have some drawbacks: The first one moves the configuration of what
> logs to monitor away from the central hobbit server, and the 
> second one only works for logs that go through the syslog interface.
> If I want to monitor e.g. an Apache webserver error-log, or the
> custom logs from a BEA server, solution 2) won't work. I dont see
> how it can work with logs from a Windows server either. Plus it
> adds load to the central Hobbit server to deal with all of the
> logfiles.
> 
> So - I think some other solution is needed, and I've been thinking
> about how to do it. So far it's just ideas - no code. But I believe
> the log checking has to happen on each client, but controlled by
> a central configuration. So what I plan to implement is something
> like this:
> 
> * The configuration of what logs to monitor and what strings to
>   look for is maintained on the central Hobbit server, either as
>   an addition to the hobbit-clients.cfg file, or in a separate
>   file - that isn't really important.
> * When a client connects and sends in a client-side message, the
>   Hobbit server accepts the client message, but also sends back
>   the current log-check configuration info. By re-using the
>   client connection, the overhead involved in pushing the 
>   configuration to each client becomes almost nil.
> * When the client has a log-check configuration, it knows what logs
>   to check for what strings, and can include that information in
>   the normal client message it sends back to the Hobbit server.
>   That means the client will need a tool to do the logfile checking;
>   probably using a client-side regular-expression matching tool
>   like "grep". It can either be built into the Hobbit client, or
>   it could just rely on the existing "grep" utility found on the
>   system - this would probably be the simplest to implement.

Would it be possible to create a new hobbitd channel that will get
install with hobbit client. Then add that channel to the syslog.conf
which is kind a work like a pipe. So when syslog say related to
/var/adm/messages file get send to the hobbitd channel (or pipe) it will
scan right away against strings that needs to get alerted about. Also it
won't store anything in the channel. So there is no chance to scan the
same string on the same timestamp twice. Also if it is not receiving any
alert for say 5 mins it will check if syslogd is actually running by
sending a 'logger' output to the channel.

Sorry if I talking 'no sense' but throwing anything here while the idea
is still cooking :-)

Thanks

> 
> 
> Regards,
> Henrik
> 
> 
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
> 
> 

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
"..there are two kinds of people: those who work and those who take the credit...try
 to be in the first group;...less competition there."  - Indira Gandhi



More information about the Xymon mailing list