BBWin central mode - cannot get log filtering to work

Shawn Heisey hobbit at elyograg.org
Tue Jun 22 01:26:04 CEST 2010


I sent this message to the BBWin mailing list several days ago and have
not gotten a response there.  I hope to find an audience here.

I've got a bunch of machines reporting to my Xymon 4.3 server, of which
a large percentage are Windows, running BBWin 0.12 in local mode.  I
want to convert everything to central mode, but I cannot seem to get the
log filtering to work.  I'm starting with my Exchange 2003 server, on
32-bit Windows 2003 SP2.

Here's what I've got in my client-local.cfg:

=-=-=-=-=-=-=-=-=
[win32]
eventlog:System
ignore TermServDevices
ignore Printer Driver
ignore Big Brother Hobbit Client
eventlog:Application
ignore information
ignore TermServDevices
ignore BigBrotherHobbitClient
ignore Failed to create a new named
ignore Error 0x7da
=-=-=-=-=-=-=-=-=

Here's what's in hobbit-clients.cfg:

=-=-=-=-=-=-=-=-=
HOST=exchange.slc
          SVC IMAP4Svc startup=automatic status=started
          SVC MSExchangeIS startup=automatic status=started
          SVC MSExchangeSA startup=automatic status=started
          SVC RESvc startup=automatic status=started
          SVC SMTPSVC startup=automatic status=started
          SVC W3SVC startup=automatic status=started

CLASS=%win32
          LOAD 50 75
          PORT STATE=LISTENING MIN=0 TRACK=Listen TEXT=Listen
          LOG %.* %^error.* COLOR=red
          LOG %.* %^warning.* COLOR=yellow
=-=-=-=-=-=-=-=-=

Nothing is being filtered by the ignore entries in client-local.cfg.
They show up in the log on the website and are tagged as red alarms.
The config is being transferred to the BBWin tmp folder.  If I turn on
debugging, the BBWin log shows all of the ignore lines, but it still
doesn't work.

I took a look through the trunk source code for msgs.dll, but found my
meager C++ skills quickly overwhelmed and I was not able to follow it.

Does anyone have a working BBWin/Xymon 4.3 central mode config with log
filtering that they can share?  I'd like the logs filtered before they
get to Xymon, and from what I understand, if I use the IGNORE syntax in
hobbit-clients.cfg, it has to transfer all log entries to the server.
Windows is notorious for spamming the event log with useless
informational messages when there's a problem, so it might exceed the
buffer size and cause me to miss events if they are not filtered first.

Thanks,
Shawn




