[Xymon] monitoring multiple log files on a single syslog server

Jeremy Laidman jlaidman at rebel-it.com.au
Fri Feb 6 03:56:32 CET 2015


There's always a way (it's open source after all) but nothing simple comes
to mind.

If it were me, I would create my own log monitoring subsystem and have it
report into Xymon after working out $MACHINE from the logfile (or some
configuration).  You might be able to do this sort of thing using swatch,
sawmill or splunk.

Another option might be to create a job that runs your own instance of
logtetch after setting MACHINE the way you want it.  Something like this:

#!/bin/sh
[ "$XYMON" ] || { echo "Plese run using xymoncmd"; exit 1; }
MACHINEDOTS="Server09"
LOGFILE="/opt/syslogs/$MACHINE/apache2.error.log"
LOGFETCHCFG=/tmp/logfetch.$MACHINE.cfg
LOGFETCHSTATUS=/tmp/logfetch.$MACHINE.status
{
  echo "client/apachelog" $MACHINEDOTS.$OSTYPE"
  echo "[msgs:$LOGFILE]"
  $XYMONHOME/bin/logfetch $LOGFETCHCFG $LOGFETCHSTATUS > $TEMPFILE
} | $XYMON $XYMSRV @

Note that the logfetch config file (/tmp/logfetch.$MACHINE.cfg) is
something you'd need to fill out yourself, probably with the relevant entry
from your client-local.cfg file.

Alternatively, you could create this file dynamically from queries to the
server.  You can get the "log:" entries for Server09 by issuing the
following command (from any Xymon client, not just Server09):

$XYMON $XYMSRV "client/bogus Server09.bogos"

But first you'd have to have the "log:" entry in client-local.cfg moved
from [syslogserver] to a new [Server09] section if it doesn't already exist.

>From this, you could (optionally) grep out the "apache2.error.log" entries,
drop them directly into $LOGFETCHCFG for the server, and then the logfetch
command can go to work.

If the Server09 server already has its own entry in client-local.cfg, then
you don't want Server09 trying to do the log processing that syslogserver
is already doing.  So you could create a special entry for
[syslogserver-Server09] and adjust the script accordingly.

I hope that all makes sense.

J


On 30 December 2014 at 05:32, usa ims via Xymon <xymon at xymon.com> wrote:

> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
>
> ---------- Forwarded message ----------
> From: usa ims <usaims at yahoo.com>
> To: xymon at xymon.com
> Cc:
> Date: Mon, 29 Dec 2014 10:29:42 -0800
> Subject: monitoring multiple log files on a single syslog server
> Greetings,
>
> I'm monitoring multiple log files on a single syslog server.
>
> I have a syslog server that stores the apache error logs in a server named
> ‘syslogserver’ looking for the word ‘CurlTransfer’.
> When xymon finds the word ‘CurlTransfer’ it sends an alert but it alerts
> that it is coming from ‘syslogserver’ and the guys are complaining that
> ‘nongreen.html’ is reporting the servername rather than the actual name of
> the server where the error originated from.
>
> Is there a way  if xymon finds the word ‘CurlTransfer’ in
> ‘/opt/syslogs/Server09/apache2.error.log’, to get it to report in the
> ‘msgs’ column that it came from ‘Server09’?
>
>
> Here is my current config for this.
>
> [syslogserver]
> log:/opt/syslogs/Server09/apache2.error.log:4096
> log:/opt/syslogs/Server10/apache2.error.log:4096
> log:/opt/syslogs/Server11/apache2.error.log:4096
> log:/opt/syslogs/Server12/apache2.error.log:4096
> log:/opt/syslogs/Server13/apache2.error.log:4096
>
> I have configured my analysis.cfg with:
>
> HOST= syslogserver
>         LOG /opt/syslogs/Server09/apache2.error.log CurlTransfer  COLOR=red
>         LOG /opt/syslogs/Server10/apache2.error.log CurlTransfer COLOR=red
>         LOG /opt/syslogs/Server11/apache2.error.log CurlTransfer COLOR=red
>         LOG /opt/syslogs/Server12/apache2.error.log CurlTransfer COLOR=red
>         LOG /opt/syslogs/Server13/apache2.error.log CurlTransfer COLOR=red
>
>
> Thanks in advance.
>
> usaims
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20150206/7e954366/attachment.html>


More information about the Xymon mailing list