R: [hobbit] log file monitoring issues
Francesco Duranti
fduranti at q8.it
Fri Aug 11 15:33:18 CEST 2006
I don't know openbsd... If it work like some linux machine you have to check the script or program that is rotating the logs to make them world readable or group readable and create as the hobbit group.
If your system is using logrotate you can try to put the "create mode owner group" directive into the specific logrotate file or change the default one that should be in /etc/logrotate.conf
-----Messaggio originale-----
Da: Gary B. [mailto:gmbfly98 at gmail.com]
Inviato: venerdì 11 agosto 2006 15.21
A: hobbit at hswn.dk
Oggetto: Re: [hobbit] log file monitoring issues
...I'm still having issues with "Permission denied" errors from Hobbit in trying to access /var/log/maillog on all my OpenBSD boxes.
Apparently, the only way I've been able to get Hobbit to read them is if I set them 644. However, every time OpenBSD rotates the logs, it resets the permissions to 600. Is there any way to get this to work properly without having to run the Hobbit client as root?
> You need both.
> clients-local.cfg is to tell the client to report on these logs
> hobbit-clients.cfg is tell hobbitd to check/alert against log data
> reported from clients
>
>
> On 8/9/06, Gary B. <gmbfly98 at gmail.com> wrote:
> >
> Maybe I'm just missing something in the documentation, but I can't
> seem to get the log file monitoring to work properly. In the example
> below, I'm trying to look at the "messages" and "maillog" files on
> Linux.
>
> Particularly, I'm trying to EXCLUDE the following "messages" lines:
> Aug 9 21:19:45 www upsd[7860]: Connection from 127.0.0.1 Aug 9
> 21:19:45 www upsd[7860]: Client on 127.0.0.1 logged out Aug 9
> 21:19:45 www upsd[7860]: Connection from 127.0.0.1
>
> Aug 9 16:44:01 www crond(pam_unix)[5382]: session opened for user
> root by (uid=0) Aug 9 16:44:14 www crond(pam_unix)[5382]: session
> closed for user root Aug 9 16:45:01 www crond(pam_unix)[5484]:
> session opened for user mailman by (uid=0) Aug 9 16:45:01 www
> crond(pam_unix)[5484]: session closed for user mailman
>
> And EXCLUDE the following "maillog" lines:
> Aug 6 11:55:02 www sendmail[15076]: k76Ft1pU015076:
> from=<mailman at HOSTNAME>, size=576, class=0, nrcpts=1,
> msgid=<200608061555.k76Ft1A2015075 at HOSTNAME >, proto=ESMTP,
> daemon=MTA, relay=localhost.localdomain [127.0.0.1]
>
>
> Below is the respective lines from the "client-local.cfg" file:
> log:/var/log/messages:10240
> ignore upsd* Client|Connection 127.0.0.1 ignore session opened|closed
> for user mailman|root log:/var/log/maillog:10240 ignore
> relay=localhost.localdomain trigger denied
>
> And below the specific log entries I'm looking for from "
> hobbit-clients.cfg":
> LOG /var/log/maillog "relaying denied" color="yellow"
>
>
> Now, the problem I'm having...
> The "ignore" line for the /var/log/maillog file appears to be working
> correctly, as it does indeed ignore such entries as shown above. Also
> working is the "ignore session opened..." line for the
> /var/log/messages file.
>
> What is NOT working is the "ignore" line for the "upsd*" lines in
> /var/log/messages. For the life of me, I just can't figure out how to
> get that to work properly. That is, two of the three "ignore" lines
> are not working, as those lines still show up in the "full log"
> output. If anyone has any ideas, let me know.
>
> I'm also having problems with some logs not showing up on the messages
> page. Do you need both a "LOG" entries in the hobbit-clients.cfg AND
> client-local.cfg , or will an entry in only client-local.cfg be
> sufficient to have it show up on the messages page?
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>
>
>
>
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
More information about the Xymon
mailing list