[hobbit] Re: Alerts - HOSTS matching regular expressions.

Matthew Moldvan mmoldvan at csc.com
Sun Feb 7 01:42:34 CET 2010


A few very useful ways I recently found to test the regular expressions 
with xymon are the pcretest and hobbitd_client command.

-bash-3.2$ pcretest
PCRE version 6.6 06-Feb-2006

  re> /^asd$/
data> asdf
No match
data> asd
 0: asd

[root at zenls01h ~]# su - xymon
-bash-3.2$ ./server/bin/bbcmd hobbitd_client --test
2010-02-06 19:39:42 Using default environment file 
/usr/lib64/xymon/server/etc/hobbitserver.cfg
Hostname (.=end, ?=dump, !=reload) []:

>From there you can try out the host name that's not matching up as well as 
the test.

Hope that helps in your troubleshooting; helped me remove some entries in 
the hobbit-clients and hobbit-alerts that were causing issues.

Good luck,
Matt.

Unix System Administrator
Computer Science Corporation
General Dynamics Land Systems
38500 Mound Rd.
Sterling Heights, MI.  48310
Desk: (586) 825-8294
Oracle IM: moldvanm

This is a PRIVATE message. If you are not the intended recipient, please 
delete without copying and kindly advise us by e-mail of the mistake in 
delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to 
any order or other contract unless pursuant to explicit written agreement 
or government initiative expressly permitting the use of e-mail for such 
purpose.



From:
Kii NODA <kii.noda at gmail.com>
To:
hobbit at hswn.dk
Date:
01/28/2010 04:58 PM
Subject:
[hobbit] Re: Alerts - HOSTS matching regular expressions.



Hi everyone,

After doing some testing I can say we've elegantly solved the problem 
caused by "HOST=%^asd$" matching both hosts named "asd" and "asdf" despite 
the "$" at the end. We've added a "STOP" rule at the end of the "special" 
rules that only alert CTO & CEO of Junkyard.

The problem still remains, however.

The new, most elegant ruleset thus far, follows:

--- cut here ---
HOST=junkyard-starbox-v_trash
  MAIL=cto at junkyard.tld
  STOP

HOST=junkyard-starbox-x_dustbin
  MAIL=ceo at junkyard.tld
  STOP

HOST=*
  MAIL=stars at sysadmins.tld REPEAT=60 RECOVERED NOTICE COLOR=purple,yellow
  MAIL=stars at sysadmins.tld REPEAT=10 RECOVERED NOTICE COLOR=red
  MAIL=cto at sysadmins.tld DURATION>60 REPEAT=60 RECOVERED NOTICE 
COLOR=purple,yellow
  MAIL=cto at sysadmins.tld DURATION>30 REPEAT=60 RECOVERED NOTICE COLOR=red
--- and here ---


On Thu, Jan 28, 2010 at 10:45 PM, Kii NODA <kii.noda at gmail.com> wrote:
Hi everyone,

As you may have already been aware by now, we're here to stay. :)

Here's one interesting problem (and maybe simple) for you: We've seen that 
"HOST=%^asd$" matches both hosts named "asd" and "asdf", not respecting 
the "$" at the end. Can you guys please confirm that regex matching for 
"HOST=" does not care about the "$" sign?

For those that need some expanded case-study (all others can now stop), 
here's the story behind: we are managing various servers of ours and our 
customers. Due to the fact that we do not control DNS entries for all 
these machines we have come up with a naming scheme like this:

--- cut here ---
junkyard-starbox # clientID=junkyard, starbox=actual machine
junkyard-starbox-v_trash # v_trash=vserver named trash running on starbox
junkyard-starbox-v_trashcan # v_trashcan=vserver named trashcan running on 
starbox
junkyard-starbox-x_dustbin # x_dustbin=xen server running on starbox
--- and here ---

We need to send these "special" alerts:
* ONLY cto at junkyard.tld for events on junkyard-starbox-v_trash
* ONLY ceo at junkyard.tld for events on junkyard-starbox-x_dustbin

Also, we need to send these alerts for all other hosts & events:
* stars at sysadmins.tld for purple, yellow & red w/ REPEAT=60
* cto at sysadmins.tld for red w/ DURATION>30 and REPEAT=60
* cto at sysadmins.tld for yellow&purple w/ DURATION>60 and REPEAT=60

Exercising our brain muscles we came up with these:
--- cut here ---
#alert CTO for v_trash
HOST=junkyard-starbox-v_trash
  MAIL=cto at junkyard.tld

#alert CEO for x_dustbin
HOST=junkyard-starbox-x_dustbin
  MAIL=ceo at junkyard.tld

#stop alerting for the private boxes above
HOST=*
  IGNORE HOST=%^junkyard-starbox-(v_trash|x_dustbin)$

HOST=* COLOR=purple,yellow
  MAIL=stars at sysadmins.tld REPEAT=60 RECOVERED NOTICE
  MAIL=cto at sysadmins.tld DURATION>60 REPEAT=60 RECOVERED NOTICE

HOST=* COLOR=red
  MAIL=stars at sysadmins.tld REPEAT=10 RECOVERED NOTICE
  MAIL=cto at sysadmins.tld DURATION>30 REPEAT=60 RECOVERED NOTICE
--- and here ---

However, even with the "$" at the end of our regex we are no longer 
receiving any alerts for v_trashcan because the regex wrongly matches on 
the "IGNORE HOST=" line. We could use 2 lines to match each host on its 
own line but that's not the point of this exercise.

So, can anyone confirm our finding?
-- 
kN



-- 
kN

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20100206/01720654/attachment.html>


More information about the Xymon mailing list