<div dir="ltr"><div>You can do this with a "log" configuration entry (in client-local.cfg) using backticks that counts the lines, calculates a delta, and returns a suitable message. Something like this:</div>
<div><br></div><div style>[name-of-server]</div><div>log:`exec 2>/dev/null; Z=$(printf "\x3a"); F=/var/log/messages; Y=1; R=6; T=/tmp/badlogins; C=$(egrep -c "PAM${Z} (Authentication failure|User not known)" $F); L=$(cat $T.last); D=$(expr $C - $L); ( [ "$D" = "" ] || { [ $D -gt $R ] && echo "red${Z} $D login failures exceeded red threshold of $R" || { [ $D -gt $Y ] && echo "yellow${Z} $D login failures exceeded yellow threshold of $Y" || echo "green${Z} $D login failures is OK"; }; } ) > $T.status; echo "$C" > $T.last; echo $T.status`:1024<br>
</div><div><br></div><div style>Adjust filename and thresholds ($F, $Y and $R) to your liking. The sample window size is whatever frequency Xymon client is run, typically 5 minutes, so Y and R thresholds would be a count per 5 minutes. Note that colons and backticks are not permitted in the command string, so I'm fudging them in other ways.</div>
<div style><br></div><div style>Then alert on the message with a couple of LOG entries in analysis.cfg like so:<br></div><div style><br></div><div style>HOST=name-of-server</div><div style><div> LOG /tmp/badlogins.status %red COLOR=red</div>
<div> LOG /tmp/badlogins.status %yellow COLOR=yellow</div><div><br></div><div style>Cheers</div><div style>Jeremy</div></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On 11 January 2013 00:19, Mike Burger <span dir="ltr"><<a href="mailto:mburger@bubbanfriends.org" target="_blank">mburger@bubbanfriends.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">That's what I figured, after having looked at the analysis.cfg man page<br>
multiple times.<br>
<br>
If I want to do this, then, I'm going to have to script something to<br>
analyze X amount of time and do something if it sees occurrences>=Y and<br>
then feed that to Xymon somehow.<br>
<div class="im HOEnZb"><br>
Thanks.<br>
--<br>
Mike Burger<br>
<a href="http://www.bubbanfriends.org" target="_blank">http://www.bubbanfriends.org</a><br>
<br>
"It's always suicide-mission this, save-the-planet that. No one ever just<br>
stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1<br>
<br>
<br>
</div><div class="HOEnZb"><div class="h5">> You will need tell client-local.cfg which log to gather data from.<br>
> While you can't specify in the last Y amount of time, you can specify Y<br>
> amount of data. So if you know your log file writes about 1000 bytes<br>
> per hour... and you want to look back 4 hours, you would specify in<br>
> client-local.cfg "log:/var/log/mylogfile:4000" This will return the<br>
> most recent 4000 bytes worth of data to Xymon.<br>
><br>
> Your next step is to configure analysis.cfg to tell xymon how to report<br>
> on that data. If you want xymon to alert if it sees the word "ERROR",<br>
> your analysis.cfg would have a line in it "LOG /var/log/mylogfile %ERROR"<br>
><br>
> Look at the analysis.cfg and client-local.cfg man pages for information<br>
> on the LOG check.<br>
><br>
> Michael Beatty<br>
> Sherwin-Williams<br>
> IT Analyst/Developer<br>
> <a href="mailto:michael.beatty@sherwin.com">michael.beatty@sherwin.com</a><br>
> 216-515-7374<br>
><br>
> On 01/09/2013 03:50 PM, Mike Burger wrote:<br>
>> I've got a situation at work where we're being tasked with monitoring<br>
>> failed logins. We've got logging and audit file creation in place...what<br>
>> I'm looking for is whether or not there's a way to have Xymon monitor<br>
>> those logs/files to look for X entries/occurrences within Y amount of<br>
>> time.<br>
>><br>
>> The requirement is to try to do as much as this programatically as<br>
>> possible without having to resort to scripting or other measures that<br>
>> may<br>
>> be easily countered by a system admin.<br>
>><br>
>> Thanks.<br>
><br>
><br>
> _______________________________________________<br>
> Xymon mailing list<br>
> <a href="mailto:Xymon@xymon.com">Xymon@xymon.com</a><br>
> <a href="http://lists.xymon.com/mailman/listinfo/xymon" target="_blank">http://lists.xymon.com/mailman/listinfo/xymon</a><br>
><br>
<br>
_______________________________________________<br>
Xymon mailing list<br>
<a href="mailto:Xymon@xymon.com">Xymon@xymon.com</a><br>
<a href="http://lists.xymon.com/mailman/listinfo/xymon" target="_blank">http://lists.xymon.com/mailman/listinfo/xymon</a><br>
</div></div></blockquote></div><br></div>