That's what I was missing (and was entirely unclear in the documentation. I knew I had to have an entry in both files, but didn't realize that I needed a hostname definition in both places.<br><br>For purposes of completeness in documentation:
<br><br>127,.0.0.1 and localhost do not in fact work for <a href="http://myserver.mydomain.name">myserver.mydomain.name</a>, however, the host name (from /etc/hostname) does.<br><br>Now that I know that it's actually checking it, I just need to set the rules on it, which should be straightforward.
<br><br><br>Thanks!<br><br>Scott<br><br><div><span class="gmail_quote">On 11/1/07, <b class="gmail_sendername">Hubbard, Greg L</b> <<a href="mailto:greg.hubbard@eds.com">greg.hubbard@eds.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Here is something I use that works. This is a
"bookend" problem -- both parts have to be done correctly. Hobbit tends to
silently ignore errors in configuration
files.</font></span></div></font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">---------------------------------------------------</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">In client-local.cfg</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">[<a href="http://myserver.mydomain.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">myserver.mydomain.com</a>]<br>file:/opt2/log/syslog.log
<br>file:/opt2/log/security.log<br>file:/opt2/log/snmptrap.log<br></font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">---------------------------------------------------</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"> </font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">in hobbit-clients.cfg</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"> </font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">HOST=<a href="http://myserver.mydomain.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">myserver.mydomain.com</a><br>
FILE /opt2/log/syslog.log mtime<600 size<2G
TRACK<br> FILE /opt2/log/security.log
TRACK<br> FILE /opt2/log/snmptrap.log
mtime<600 size<2G TRACK<br></font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">----------------------------------------------------</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Some things to note</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">a) the host names match exactly, and they are not enclosed
in double quotes.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">b) the file names match exactly</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">c) this example is lifted from my running system, with the
host name changed to protect the guilty. I have some other examples that
use color in the "COLOR=color" format, which I believe is required, but I would
have to edit them more before I can post them.</font></span><span><font color="#0000ff" face="Arial" size="2"></font></span></div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div><font color="#0000ff" face="Arial" size="2"><span>d) the
client-local.cfg file has some predefined sections in it. Don't use
them. Make new ones. Only one section can be applied to a host, so
cut and paste will</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span>be
your friend.</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div><br></div>
<blockquote style="margin-right: 0px;">
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><span class="q"><b>From:</b> Scott Mohnkern
[mailto:<a href="mailto:mohnkern@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">mohnkern@gmail.com</a>] <br></span><b>Sent:</b> Thursday, November 01, 2007 4:00
PM</font><div><span class="e" id="q_115fd15f718c84d1_3"><font face="Tahoma" size="2"><br><b>To:</b> <a href="mailto:hobbit@hswn.dk" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">hobbit@hswn.dk</a>
<br><b>Subject:</b> Re: [hobbit] Re: New to
Hobbit --- file monitoring<br></font></span></div><br></div><div><span class="e" id="q_115fd15f718c84d1_5">
<div></div>Nope, no joy there either. the man page seems to think it
should be:<br><br>FILE <full path to file><color>
<condition><br><br>and that's pretty consistent with the other things
I've put into the same file, which come up. <br><br>I also tried:<br><br>FILE
"/etc/passwd" green noexist TRACK<br><br>and <br><br>FILE "/etc/passwd" green
noexist<br><br><br>Scott<br><br><br><br>
<div><span class="gmail_quote">On 11/1/07, <b class="gmail_sendername">Hubbard,
Greg L</b> <<a href="mailto:greg.hubbard@eds.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">greg.hubbard@eds.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Try
this</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">FILE
/etc/passwd noexist COLOR=green TRACK</font></span></div><br>
<blockquote style="margin-right: 0px;">
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><span><b>From:</b> Scott Mohnkern
[mailto:<a href="mailto:mohnkern@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">mohnkern@gmail.com</a>]
<br></span><b>Sent:</b> Thursday, November 01, 2007 3:39 PM<br><b>To:</b>
<a href="mailto:hobbit@hswn.dk" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">hobbit@hswn.dk</a><br><b>Subject:</b> Re: [hobbit] Re: New
to Hobbit --- file monitoring<br></font><br></div>
<div><span>
<div></div>Well, at least its replicatable.<br><br><br>Scott<br><br><br>
<div><span class="gmail_quote">On 11/1/07, <b class="gmail_sendername">Scott
Mohnkern</b> <<a href="mailto:mohnkern@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> mohnkern@gmail.com</a>>
wrote: </span>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Thanks
for the help. I edited /etc/hobbit/hobbit-clients.cfg so the line
reads:<br><br>FILE /etc/passwd GREEN noexist<br><br>still no joy.
<br><br>Is there anyone on the list that has an example of a FILE line
in their hobbit-clients.cfg file?<br><br>
<div><span><span class="gmail_quote">On 11/1/07, <b class="gmail_sendername">Hubbard, Greg L</b> <<a href="mailto:greg.hubbard@eds.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
greg.hubbard@eds.com</a>> wrote:</span></span>
<div><span>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div><span></span><font face="Arial"><font color="#0000ff"><font size="2">Try removing the TRACK keyword, and then change NOEXIST to lower case. I think Henrik has reported that there are a few bugs in this code,
</font>
</font></font></div>
<div><span></span><font face="Arial"><font color="#0000ff"><font size="2">a<span>nd it is not always clear when case matters and when it
doesn't, or when the order of the arguments
matters.</span></font></font></font></div>
<div><font face="Arial"><font color="#0000ff"><font size="2"><span></span></font></font></font> </div>
<div><font face="Arial"><font color="#0000ff"><font size="2"><span></span></font></font></font><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div>
<hr>
</div>
<div><font face="Tahoma" size="2"><span><b>From:</b> Scott Mohnkern
[mailto:<a href="mailto:mohnkern@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">mohnkern@gmail.com</a>]
<br></span><b>Sent:</b> Thursday, November 01, 2007 3:10
PM<br><b>To:</b> <a href="mailto:hobbit@hswn.dk" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">hobbit@hswn.dk</a><br><b>Subject:</b> [hobbit] Re: New
to Hobbit --- file monitoring<br></font><br></div>
<div><span>
<blockquote style="margin-right: 0px;">
<div></div>When all else fails, nuke it and start over. I did
an apt-get remove hobbit, and then a dpkg -- purge. Then I
removed any files I could find. Then I downloaded the Ubuntu
deb file and installed it. It put the configuration files in
/etc/hobbit and it started fine <br><br>I edited
/etc/hobbit/hobbit-clients.cfg and added the following
line:<br><br>PROC ntpd 1 99 green "TEXT=NTPD is
up"<br><br><br>Restarted hobbit, and in a few minutes, it started
reporting as expected.<br><br>Then I added:<br><br>PORT
"LOCAL=%(:8888)" TEXT="Gnump is up"<br><br>To the same file,
(/etc/hobbit/hobbit-clients.cfg) and restared hobbit.<br><br>A few
minutes later, the ports section started reporting, as expected.
<br><br>(Though I realize that its a bit off, which I need to
fix)<br><br><br>Then I added:<br><br>FILE /etc/passwd GREEN NOEXIST
track<br><br>Reading the documentation inside hobbit-clients.cfg I
edited /etc/hobbit/client- local.cfg and added the following
line:<br>file:/etc/passwd<br><br>restarted hobbit, waited 5
minutes. No luck.<br><br><br>I'm pretty convinced that
either:<br><br>1. the format of the line in
/etc/hobbit/client-local.cfg or /etc/hobbit/hobbit-clients.cfg is
incorrect, or<br>2. There's something else I need to
edit.<br><br></blockquote></span></div></div></blockquote></span></div></div><br></blockquote></div><br></span></div></blockquote></div></blockquote></div><br></span></div></blockquote></div>
</blockquote></div><br>