[hobbit] PORTs help?

Charles Jones jonescr at cisco.com
Tue Jul 11 23:49:26 CEST 2006


Brodie, Kent wrote:

>Hi--    I'm wrestling with the PORTS option of a host, trying to watch
>for a specific issue.
>
>While I have successfully matched rule(s) for simple things like SSH
>port(s) listening, I cannot seem to get a rule to match the following:
>
>We have a stupid java server thing that keeps leaving ports in a
>close_wait state.   See example below.  
>
>What rule would I use for watching for these?   I'm trying something
>along the lines of:
>
>HOST=starr.brc.mcw.edu
>        PORT "REMOTE=%*.8085" STATE=CLOSE_WAIT max=20 color=red TRACK=hung TEXT=hung
>
>But it never matches.   I've tried lots of variations.     
>
>Any help appreciated!!  (goal:  If I see more than "N" number of these
>ports, I want to flag red)
>  
>
I believe your regular expression is wrong.  Try:
PORT "REMOTE=%.*\.8085" STATE=CLOSE_WAIT max=20 color=red TRACK=hung TEXT=hung

Alternatively, instead of using a regular expression, you can use a 
wildcard:
PORT "REMOTE=*.8085" STATE=CLOSE_WAIT max=20 color=red TRACK=hung TEXT=hung

-Charles
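
An added example, not part of the original thread and not Xymon's own code: a small Python model of the PORT rule discussed above, showing why `%*.8085` is not a valid regular expression while `%.*\.8085` counts the CLOSE_WAIT connections. The netstat lines are constructed, Python's `re` stands in for the regex engine Xymon uses, and the helper names are hypothetical.

```python
import re

# Constructed, simplified netstat lines (local address, remote address, state),
# using the dotted address.port form that the rule's "\.8085" implies.
SAMPLE_NETSTAT = """\
192.0.2.10.41001 192.0.2.20.8085 CLOSE_WAIT
192.0.2.10.41002 192.0.2.20.8085 CLOSE_WAIT
192.0.2.10.41003 192.0.2.20.8085 ESTABLISHED
192.0.2.10.22 198.51.100.7.51515 ESTABLISHED
192.0.2.10.41004 192.0.2.21.8085 CLOSE_WAIT
192.0.2.10.8085 198.51.100.9.40000 CLOSE_WAIT
"""

def compile_criterion(value):
    """Compile a '%'-prefixed regex criterion; return None if it is invalid."""
    if not value.startswith("%"):
        raise ValueError("only '%' regex criteria are modelled here")
    try:
        return re.compile(value[1:])
    except re.error:
        return None

def count_ports(netstat_text, remote, state):
    """Count lines whose remote address matches `remote` and whose state is `state`."""
    rx = compile_criterion(remote)
    if rx is None:
        return None  # assumption: an uncompilable pattern is modelled as never matching
    hits = 0
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        _local, remote_addr, conn_state = fields
        if conn_state == state and rx.search(remote_addr):
            hits += 1
    return hits

def rule_color(count, max_allowed, color="red"):
    """Model max=N color=red: alert only when the count exceeds the maximum."""
    if count is None:
        return "invalid-pattern"
    return color if count > max_allowed else "green"

if __name__ == "__main__":
    for pattern in ("%*.8085", r"%.*\.8085"):
        n = count_ports(SAMPLE_NETSTAT, pattern, "CLOSE_WAIT")
        print(pattern, n, rule_color(n, 2))
```

The last sample line has 8085 as the local port only, so it is not counted against a REMOTE criterion.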


