[Xymon] Log/file monitoring based on occurrence?

Jeremy Laidman jlaidman at rebel-it.com.au
Tue Jan 15 06:04:13 CET 2013


You can do this with a "log" configuration entry (in client-local.cfg)
using backticks that counts the lines, calculates a delta, and returns a
suitable message.  Something like this:

[name-of-server]
log:`exec 2>/dev/null; Z=$(printf "\x3a"); F=/var/log/messages; Y=1; R=6; T=/tmp/badlogins; C=$(egrep -c "PAM${Z} (Authentication failure|User not known)" $F); L=$(cat $T.last); D=$(expr $C - $L); ( [ "$D" = "" ] || { [ $D -gt $R ] && echo "red${Z} $D login failures exceeded red threshold of $R" || { [ $D -gt $Y ] && echo "yellow${Z} $D login failures exceeded yellow threshold of $Y" || echo "green${Z} $D login failures is OK"; }; } ) > $T.status; echo "$C" > $T.last; echo $T.status`:1024

Adjust filename and thresholds ($F, $Y and $R) to your liking.  The sample
window size is whatever frequency Xymon client is run, typically 5 minutes,
so Y and R thresholds would be a count per 5 minutes.  Note that colons and
backticks are not permitted in the command string, so I'm fudging them in
other ways.

Then alert on the message with a couple of LOG entries in analysis.cfg like
so:

HOST=name-of-server
        LOG /tmp/badlogins.status %red COLOR=red
        LOG /tmp/badlogins.status %yellow COLOR=yellow

Cheers
Jeremy
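Added example (not part of Jeremy's post and not Xymon's own code): the same delta-count check written as a plain shell function that takes the log file, state file, pattern and thresholds as arguments, so it can be run and tested outside client-local.cfg. Beyond the one-liner above it also handles a first run with no saved count and a log rotation (count dropped below the baseline), reporting both with Xymon's "clear" colour instead of computing a bogus delta; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not the list post's own code: the same delta-count idea as a
# shell function. It counts lines matching PATTERN in LOGFILE, subtracts the
# count saved by the previous run in STATEFILE, and prints one Xymon-style
# "colour: message" line. Beyond the one-liner above it treats a first run
# (no state yet) and a log rotation (count went down) as "no delta to judge".
#
# Usage: failed_login_rate LOGFILE STATEFILE PATTERN YELLOW RED
failed_login_rate() {
    logfile=$1; statefile=$2; pattern=$3; yellow=$4; red=$5
    # grep -c prints 0 on no match (exit 1) and nothing if the file is unreadable
    count=$(grep -E -c "$pattern" "$logfile" 2>/dev/null || true)
    [ -n "$count" ] || count=0
    last=$(cat "$statefile" 2>/dev/null || true)
    echo "$count" > "$statefile"          # baseline for the next sample window
    if [ -z "$last" ] || [ "$count" -lt "$last" ]; then
        echo "clear: baseline reset (first run or log rotated), $count matches so far"
        return 0
    fi
    delta=$((count - last))
    if [ "$delta" -gt "$red" ]; then
        echo "red: $delta login failures exceeded red threshold of $red"
    elif [ "$delta" -gt "$yellow" ]; then
        echo "yellow: $delta login failures exceeded yellow threshold of $yellow"
    else
        echo "green: $delta login failures, within yellow threshold of $yellow"
    fi
}

# Demo on a constructed log (sample lines are made up, not real data): three
# sample windows, with the same arguments the client would pass on every run.
demo() {
    dir=$(mktemp -d); log=$dir/messages; state=$dir/badlogins.last
    pat='PAM: (Authentication failure|User not known)'
    printf '%s\n' 'Jan 15 06:00:01 host sshd[101]: PAM: Authentication failure for bob' \
                  'Jan 15 06:00:02 host sshd[102]: PAM: User not known to module' > "$log"
    failed_login_rate "$log" "$state" "$pat" 1 6      # clear: first run
    for i in 1 2 3 4 5 6 7 8; do
        echo "Jan 15 06:0$i:00 host sshd[20$i]: PAM: Authentication failure for root" >> "$log"
    done
    failed_login_rate "$log" "$state" "$pat" 1 6      # red: 8 new failures
    : > "$log"                                        # logrotate truncated the file
    failed_login_rate "$log" "$state" "$pat" 1 6      # clear: count dropped below baseline
    rm -rf "$dir"
}
demo
```

The analysis.cfg LOG entries from the post (%red and %yellow) match this output unchanged; a "clear" line matches neither and so leaves the test green.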


On 11 January 2013 00:19, Mike Burger <mburger at bubbanfriends.org> wrote:

> That's what I figured, after having looked at the analysis.cfg man page
> multiple times.
>
> If I want to do this, then, I'm going to have to script something to
> analyze X amount of time and do something if it sees occurrences>=Y and
> then feed that to Xymon somehow.
>
> Thanks.
> --
> Mike Burger
> http://www.bubbanfriends.org
>
> "It's always suicide-mission this, save-the-planet that. No one ever just
> stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1
>
>
> > You will need to tell client-local.cfg which log to gather data from.
> > While you can't specify in the last Y amount of time, you can specify Y
> > amount of data.  So if you know your log file writes about 1000 bytes
> > per hour... and you want to look back 4 hours, you would specify in
> > client-local.cfg "log:/var/log/mylogfile:4000"  This will return the
> > most recent 4000 bytes worth of data to Xymon.
> >
> > Your next step is to configure analysis.cfg to tell xymon how to report
> > on that data. If you want xymon to alert if it sees the word "ERROR",
> > your analysis.cfg would have a line in it "LOG /var/log/mylogfile %ERROR"
> >
> > Look at the analysis.cfg and client-local.cfg man pages for information
> > on the LOG check.
> >
> > Michael Beatty
> > Sherwin-Williams
> > IT Analyst/Developer
> > michael.beatty at sherwin.com
> > 216-515-7374
> >
> > On 01/09/2013 03:50 PM, Mike Burger wrote:
> >> I've got a situation at work where we're being tasked with monitoring
> >> failed logins. We've got logging and audit file creation in place...what
> >> I'm looking for is whether or not there's a way to have Xymon monitor
> >> those logs/files to look for X entries/occurrences within Y amount of
> >> time.
> >>
> >> The requirement is to try to do as much of this programmatically as
> >> possible without having to resort to scripting or other measures that
> >> may
> >> be easily countered by a system admin.
> >>
> >> Thanks.
> >
> >
> > _______________________________________________
> > Xymon mailing list
> > Xymon at xymon.com
> > http://lists.xymon.com/mailman/listinfo/xymon
> >
>