Alert HOST + EXHOST rules not working correctly

Gary Baluha gumby3203 at gmail.com
Thu Mar 27 19:05:45 CET 2008 

Heh, as usual, I figured out the answer to my own obscure question.

It appears that you _can't_ have multiple EXHOST entries per line.  However,
this is no big deal, as I simply changed the way the alert rules were set
up.  With this setup, there's even no need to change to code to allow for
multiple HOST or EXHOST entries per line.

***New alert rules that WORK***

$MARK_STAG=^marketing-stag-.*
$INFRA_STAG=^infra-stag-.*

HOST=%(.*-stag.*) EXHOST=%($MARK_STAG|$INFRA_STAG) TIME=*:0800:2100
RECOVERED DURATION>11m
        SCRIPT $SMSPLUS $WLI_STAGMAN_EMAIL REPEAT=1h

HOST=%$MARK_STAG TIME=*:0800:2100 RECOVERED
        SCRIPT $SMSPLUS $WLI_MKT_STAG_EMAIL REPEAT=1h

HOST=%$INFRA_STAG TIME=*:0800:2100 RECOVERED
        SCRIPT $SMSPLUS $WLI_INFRA_STAG_EMAIL REPEAT=1h

On Mon, Mar 24, 2008 at 1:02 PM, Gary Baluha <gumby3203 at gmail.com> wrote:

> I must be missing something stupid as I've been staring at this and can't
> figure out what's wrong.  I have the following alert rules set up:
>
> HOST=%(.*-stag-.*) EXHOST=%^(marketing-stag-.*) EXHOST=%^(infra-stag-.*)
> TIME=*:0800:2100 RECOVERED DURATION>11m
>         SCRIPT $SMSPLUS $WLI_STAGMAN_EMAIL REPEAT=1h
>
> HOST=%^(marketing-stag-.*) TIME=*:0800:2100 RECOVERED
>         SCRIPT $SMSPLUS $WLI_MKT_STAG_EMAIL REPEAT=1h
>
> HOST=%^(infra-stag-.*) TIME=*:0800:2100 RECOVERED
>         SCRIPT $SMSPLUS $WLI_INFRA_STAG_EMAIL REPEAT=1h
>
> The problem is that the EXHOST doesn't appear to be working the way I
> expect it to.  When I do a  hobbitd_alert --test on "marketing-stag-1", it
> shows the first HOST line (the one with the EXHOSTs) as matching and
> alerting.
>
> $> bbcmd hobbitd_alert --test marketing-stag-1 Managed-Server
> --duration=800
> . . .
> 12:50:51 Matching host:service:page
> 'marketing-stag-1:Managed-Server:wblx-staging' against rule line 388
> 12:50:51 *** Match with 'HOST=$WLI_MANAGED_STAG EXHOST=$WLI_MKTING_STAG
> EXHOST=$WLI_INFRA_STAG TIME=*:0800:2100 RECOVERED DURATION>11m' ***
> 12:50:51 Matching host:service:page
> 'marketing-stag-1:Managed-Server:wblx-staging' against rule line 388
> 12:50:51 *** Match with 'HOST=$WLI_MANAGED_STAG EXHOST=$WLI_MKTING_STAG
> EXHOST=$WLI_INFRA_STAG TIME=*:0800:2100 RECOVERED DURATION>11m' ***
> 12:50:51 Script alert with command '/var/hobbit/server/ext/smsplus' and
> recipient abc at mydomain.com
> 12:50:51 Matching host:service:page
> 'marketing-stag-1:Managed-Server:wblx-staging' against rule line 390
> 12:50:51 *** Match with 'HOST=$WLI_MKTING_STAG TIME=*:0800:2100 RECOVERED'
> ***
> 12:50:51 Matching host:service:page
> 'marketing-stag-1:Managed-Server:wblx-staging' against rule line 390
> 12:50:51 *** Match with 'HOST=$WLI_MKTING_STAG TIME=*:0800:2100 RECOVERED'
> ***
> 12:50:51 Script alert with command '/var/hobbit/server/ext/smsplus' and
> recipient def at mydomain.com
> 12:50:51 Matching host:service:page
> 'marketing-stag-1:Managed-Server:wblx-staging' against rule line 392
> 12:50:51 Failed 'HOST=$WLI_INFRA_STAG TIME=*:0800:2100 RECOVERED'
> (hostname not in include list)
> . . .
>
> I've tried the regex with and without the "^", and it doesn't seem to have
> an effect.  Any ideas what I'm missing?  Without the "--duration=800", the
> first HOST line doesn't match (as expected).
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20080327/030ce77d/attachment.html>

More information about the Xymon mailing list