[hobbit] log file monitoring issues
Dominique Frise
Dominique.Frise at unil.ch
Fri Aug 11 15:42:13 CEST 2006
Gary B. wrote:
> ...I'm still having issues with "Permission denied" errors from Hobbit
> in trying to access /var/log/maillog on all my OpenBSD boxes.
> Apparently, the only way I've been able to get Hobbit to read them is
> if I set them 644. However, every time OpenBSD rotates the logs, it
> resets the permissions to 600. Is there any way to get this to work
> properly without having to run the Hobbit client as root?
>
>
>> You need both.
>> clients-local.cfg is to tell the client to report on these logs
>> hobbit-clients.cfg is to tell hobbitd to check/alert against log data
>> reported from clients
>>
>>
>> On 8/9/06, Gary B. <gmbfly98 at gmail.com> wrote:
>> >
>> Maybe I'm just missing something in the documentation, but I can't
>> seem to get the log file monitoring to work properly. In the example
>> below, I'm trying to look at the "messages" and "maillog" files on
>> Linux.
>>
>> Particularly, I'm trying to EXCLUDE the following "messages" lines:
>> Aug 9 21:19:45 www upsd[7860]: Connection from 127.0.0.1
>> Aug 9 21:19:45 www upsd[7860]: Client on 127.0.0.1 logged out
>> Aug 9 21:19:45 www upsd[7860]: Connection from 127.0.0.1
>>
>> Aug 9 16:44:01 www crond(pam_unix)[5382]: session opened for user
>> root by (uid=0)
>> Aug 9 16:44:14 www crond(pam_unix)[5382]: session closed for user root
>> Aug 9 16:45:01 www crond(pam_unix)[5484]: session opened for user
>> mailman by (uid=0)
>> Aug 9 16:45:01 www crond(pam_unix)[5484]: session closed for user
>> mailman
>>
>> And EXCLUDE the following "maillog" lines:
>> Aug 6 11:55:02 www sendmail[15076]: k76Ft1pU015076:
>> from=<mailman at HOSTNAME>, size=576, class=0, nrcpts=1,
>> msgid=<200608061555.k76Ft1A2015075 at HOSTNAME >, proto=ESMTP,
>> daemon=MTA,
>> relay=localhost.localdomain [127.0.0.1]
>>
>>
>> Below are the respective lines from the "client-local.cfg" file:
>> log:/var/log/messages:10240
>> ignore upsd* Client|Connection 127.0.0.1
>> ignore session opened|closed for user mailman|root
>> log:/var/log/maillog:10240
>> ignore relay=localhost.localdomain
>> trigger denied
>>
>> And below the specific log entries I'm looking for from
>> "hobbit-clients.cfg":
>> LOG /var/log/maillog "relaying denied" color="yellow"
>>
>>
>> Now, the problem I'm having...
>> The "ignore" line for the /var/log/maillog file appears to be working
>> correctly, as it does indeed ignore such entries as shown above. Also
>> working is the "ignore session opened..." line for the
>> /var/log/messages file.
>>
>> What is NOT working is the "ignore" line for the "upsd*" lines in
>> /var/log/messages. For the life of me, I just can't figure out how to
>> get that to work properly. That is, two of the three "ignore" lines
>> are not working, as those lines still show up in the "full log"
>> output. If anyone has any ideas, let me know.
>>
>> I'm also having problems with some logs not showing up on the messages
>> page. Do you need both "LOG" entries in the hobbit-clients.cfg AND
>> client-local.cfg, or will an entry in only client-local.cfg be
>> sufficient to have it show up on the messages page?
>>
>> To unsubscribe from the hobbit list, send an e-mail to
>> hobbit-unsubscribe at hswn.dk
This is what we do under:
Linux RH
--------
# chgrp <hobbit-group> /var/log/messages*
# chmod g+r /var/log/messages*
Debian
------
# addgroup <hobbit-user> adm
File rotation preserves these settings.
Dominique
UNIL - University of Lausanne
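
An added example, not part of Dominique's message or of the Hobbit project: a POSIX shell check that tells apart the states discussed in this thread, mode 600 (the client gets "Permission denied"), mode 644 (readable by every local user), and group read for the monitoring account's group. The function name and the command-line usage are assumptions made for this example; pass the numeric GID of the Hobbit group, then the log files.

```shell
#!/bin/sh
# classify_log_access FILE GID   (hypothetical helper for this example)
# Prints one word describing who can read FILE, judged from its mode bits
# and numeric group:
#   owner-only      e.g. 600: a non-root client gets "Permission denied"
#   world-readable  e.g. 644: works, but every local user can read the log
#   group-readable  e.g. 640 with the file's group equal to GID
#   group-mismatch  group read is set, but the file belongs to another group
#   missing         FILE does not exist (for instance mid-rotation)
classify_log_access() {
    file=$1
    want_gid=$2
    [ -e "$file" ] || { echo missing; return 0; }

    # "ls -ldn" prints numeric ids: field 1 is the mode string, field 4 the gid.
    read -r mode gid <<EOF
$(ls -ldn -- "$file" | awk '{print $1, $4}')
EOF

    # In a mode string such as -rw-r----- character 5 is group read and
    # character 8 is other read.
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)

    if [ "$other_r" = r ]; then
        echo world-readable
    elif [ "$group_r" = r ] && [ "$gid" = "$want_gid" ]; then
        echo group-readable
    elif [ "$group_r" = r ]; then
        echo group-mismatch
    else
        echo owner-only
    fi
}

# Stand-alone use (assumed invocation): sh check.sh GID FILE...
if [ "$#" -ge 2 ]; then
    hobbit_gid=$1
    shift
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(classify_log_access "$f" "$hobbit_gid")"
    done
fi
```

Running it again after a log rotation shows whether the rotated-in file kept the group and mode or fell back to owner-only.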