<div dir="ltr">On 19 April 2013 22:00, Nick <span dir="ltr"><<a href="mailto:Nick@pettefar.com" target="_blank">Nick@pettefar.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Is there a doco anywhere explaining the log file retrieval mechanism?<br></blockquote><div><br></div><div style>Log file retrieval configuration is documented in client-config.cfg. Analysis and reporting of log files is documented in analysis.cfg.</div>
<div style><br></div><div style>The log file contents are processed by the logfetch binary, and the man page for that gives some information on how it does its thing.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I want to use Xymon to fetch /etc/passwd files so that I can check for unwanted/unnoticed changes.<br></blockquote><div><br></div><div style>The problem with using the log retrieval mechanism is that it assumes that the file is a logfile, and only reports on new entries past the last time it checked. If an entry is changed, but the file doesn't change size, it won't report any change to the file. If an entry is added in the middle, rather than at the end, then logfetch will report the lines at the end and so you'll see the wrong values.</div>
<div style><br></div><div style>You can trick logfetch into thinking that a file is a logfile that has been rotated by reducing its size, and it starts from the beginning of the file. The next run, you append to the file, so that it reports only the new stuff. Then you get it to cycle between the two states (new entries, rotated, new entries, rotated, etc). But you wouldn't want to do that on the actual passwd file!</div>
<div style><br></div><div style>What you could do is to create a virtual file using backticks and manipulate its contents as you need, and to satisfy logfetch. It's a bit hackety but it only requires changes in a couple of config files on the Xymon server. For example, something like this in client-local.cfg:</div>
<div style><br></div><div style>log:`if [ -f /tmp/pw.rep ]; then if grep '^[0-9]' /tmp/pw.rep | tail -n +3 | grep ^ >/dev/null; then cp /dev/null /tmp/pw.rep; fi; diff /tmp/pw.old /etc/passwd >> /tmp/pw.rep; else touch /tmp/pw.rep; fi; cp /etc/passwd /tmp/pw.old; echo /tmp/pw.rep`:2048</div>
<div style><br></div><div style>All this does is to create a copy of the password file pw.old, and any differences in the last time it was run are appended to a report file pw.rep, which is what's actually monitored. If the report file has 3 or more diffs appended, it gets emptied before the next report is added, to keep the file from growing too large.</div>
<div style><br></div><div style>My analysis.cfg file can contain something like this:</div><div style><br></div><div style>HOST=name.of.host</div><div style> LOG /tmp/pw.rep "%^>" COLOR="red" "TEXT=Account added to /etc/passwd"</div>
<div style><div> LOG /tmp/pw.rep "%^<" COLOR="yellow" "TEXT=Account removed from /etc/passwd"</div><div><br></div><div style>Note: untested.</div><div style><br></div><div style>J</div>
<div style><br></div></div></div></div></div>