[hobbit] LOG monitoring from serverside

ZanDAhaR allan at zandahar.net
Fri Jun 9 06:38:05 CEST 2006 

David Gore wrote:
> ZanDAhaR wrote:
>> Dominique Frise wrote:
>>> ZanDAhaR wrote:
>>>> Hi All
>>>>
>>>> I have been playing with the latest release of the client and sever 
>>>> over the past few days and have managed to get everything working 
>>>> (and some cool new bits) apart from the log file monitoring. I can 
>>>> get it so it shows the log file on the hobbit display/web but I 
>>>> cannot get it to search for anything and cause a status change
>>>>
>>>> I have this in client-local.cfg
>>>> [db184.corporatesystems.com.au]
>>>> file:/usr/bin/make
>>>> file:/usr/bin/gcc
>>>> log:/var/log/messages:10240
>>>>
>>>> And then this in the hobbit-clients.cfg
>>>>
>>>> HOST=db184.corporatesystems.com.au
>>>>    PORT "LOCAL=%([.:]10042)" state=LISTEN TEXT=WEBMIN
>>>>    PORT "LOCAL=%([.:]22)" state=LISTEN TEXT=SSH
>>>>    PORT "LOCAL=%([.:]50000)" state=LISTEN TEXT=DB2
>>>>    PROC cron 1 -1 yellow
>>>>    FILE /usr/bin/make MODE=644
>>>>    FILE /usr/bin/gcc MODE=644
>>>>    LOG /var/log/messages verify COLOR=yellow
>>>>
>>>> This is a few lines from the log
>>>>
>>>> [root at db184 root]# cat /var/log/messages |grep Verify
>>>> Jun  5 03:00:04 db184 kernel: 3w-xxxx: scsi2: AEN: INFO: Verify 
>>>> started: Unit #0.
>>>> Jun  5 05:41:17 db184 kernel: 3w-xxxx: scsi2: AEN: INFO: Verify 
>>>> complete: Unit #0.
>>>> Jun  8 15:30:27 db184 kernel: 3w-xxxx: scsi2: AEN: INFO: Verify 
>>>> started: Unit #0.
>>>> Jun  8 15:30:29 db184 3w-xxxx[29749]: INFORMATION: Verify started 
>>>> on unit 0 on controller ID:2. (0x29)
>>>>
>>>> I have tried regex entries and all sorts and still cant get 
>>>> anything out of it and I'm going crazy. 'verify' is part of a 
>>>> string that comes out when you start a verify on the 3ware raid 
>>>> controller in that server. The man page says the matching string is 
>>>> case insensitive but I have tried it with proper case also.
>>>>
>>>> Can someone please help point out the stupid thing I'm doing as I'm 
>>>> sure the log file monitoring does actually work :)
>>>>
>>>> Cheers
>>>>
>>>> Allan
>>>>
>>>> To unsubscribe from the hobbit list, send an e-mail to
>>>> hobbit-unsubscribe at hswn.dk
>>>>
>>>>
>>> Extract of hobbit-clients.cfg man page:
>>>
>>>      Note that Hobbit defaults to  case-
>>>      insensitive  pattern matching; if that is not what you want,
>>>      put "(?-i)" between the "%" and the  regular  expression  to
>>>      turn  this off.
>>>
>>>
>>> Try this:
>>>
>>> LOG /var/log/messages %(?-i)verify COLOR=yellow
>>>
>>>
>>>
>>> Dominique
>>> UNIL - University of Lausanne
>>>
>>> To unsubscribe from the hobbit list, send an e-mail to
>>> hobbit-unsubscribe at hswn.dk
>>>
>> I had already tried that as per the man page and I also tried against 
>> a lower case string such as 'session' which gets written everytime 
>> you open an ssh connection and even that didnt do anything.
>>
>> Also something that I havent found clear is how do you define 
>> multiple strings ? On the same line with spaces or one LOG line per 
>> string ?
>>
>> Allan
>>
>> To unsubscribe from the hobbit list, send an e-mail to
>> hobbit-unsubscribe at hswn.dk
>>
>>
> You do have to be very careful, if the log file is logging A LOT of 
> messages.  Specifically  more than the 10240 bytes you are asking 
> for.  In other words, if the log file grows by more than 10240 bytes 
> every five minutes you will lose part of the log file.
>
>
> Your config entries look OK to me, those are both on the hobbit server 
> right?  Do you see the 'Verify' string in the output on the web page, 
> Client data link?
>
> ~David
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>
No chance of the log growing that much it only spits out about 2 lines 
to the messages log per day.

And yes I have defined the log in the local.cfg and also the log and the 
string to match in the hobbit-clients.cfg under the appropriate host 
definition.
I can see the parts of the log coming out in the client data link, and 
also it appears on the web page itself where it says Full Log 
/var/log/messages

I might try do some testing on a different client and see if I get 
anything different.

Allan

More information about the Xymon mailing list