Henrik, can you address pcre issues?

Charles Jones jonescr at cisco.com
Tue Jan 30 19:23:37 CET 2007


Henrik,

I understand you are a busy fellow as of late, but could you acknowledge 
the pcre issues that me and others are having? Mine are specifically 
with macro usage, but I have seen a few other posts by Hobbit users who 
are having similar issues in other areas. In all cases the regex works 
fine when tested with the "pcretest" binary, but they fail when used 
with Hobbit.

Since you are busy I don't expect this issue to take priority, but it 
would be nice to know that you are at least aware of it and plan to take 
a look at the problem when time permits.

Thank You
-Charles Jones


Charles Jones wrote:
> Dominique,
>
> Thank you for confirming this. Hopefully Henrik will notice and 
> address this issue.
>
> -Charles
>
> Dominique Frise wrote:
>> Charles Jones wrote:
>>> I am again being bitten by regex problems.  I am able to reproduce 
>>> it with the following entries in hobbit-alerts.cfg:
>>>
>>> $IGNORE_HOSTS=%prod-web-(1|2|3|4|9|10|11)$
>>> HOST=$IGNORE_HOSTS service=*
>>> IGNORE
>>>
>>> If I then check the "info" column of a host that is *not* supposed 
>>> to be ignored, such as prod-web-12. It shows that it is indeed 
>>> ignored. This is a serious problem as I have already missed alerts 
>>> for some production hosts because of this problem.
>>>
>>> According to pcretest (Henriks recommended method of testing a 
>>> Hobbit regex), there is nothing wrong with the regular expression 
>>> that I am using:
>>> $ pcretest
>>> PCRE version 6.6 06-Feb-2006
>>> re> /prod-web-(1|2|3|4|9|10|11)$/
>>> data> prod-web-12    (*correctly not matching*)
>>> No match
>>> data> prod-web-19  (*correctly not matching*)
>>> No match
>>> data> prod-web-10 (*correctly matching*)
>>>  0: prod-web-10
>>>  1: 10
>>>
>>>  From the above tests you can see that prod-web-12 does not match 
>>> the regex when using pcretest, yet Hobbit is matching it for some 
>>> reason. A possible work-around could be to not use a regex at all, 
>>> such as $IGNORE_HOSTS=prod-web-1,prod-web-2,prod-web-3... but that 
>>> is not really a solution if you have hundreds of hosts, and my main 
>>> point is that regular expressions are not working as they are 
>>> documented.
>>>
>>> I've also tried other undocumented ways of using the regex, including:
>>>
>>> No hosts matched at all
>>> $IGNORE_HOSTS=%prod-web-(1|2|3|4|9|10|11)$
>>> HOST="IGNORE_HOSTS"
>>>
>>> No hosts matched at all
>>> $IGNORE_HOSTS="%prod-web-(1|2|3|4|9|10|11)$"
>>> HOST=$IGNORE_HOSTS
>>>
>>> All hosts match (both web-12 and web-11)
>>> $IGNORE_HOSTS=prod-web-(1|2|3|4|9|10|11)$
>>> HOST=%$IGNORE_HOSTS
>>>
>>> If anyone else can verify or reproduce this, it would be helpful in 
>>> at least convincing Henrik to add it to the list of things to fix in 
>>> the next version. I honestly hope that it's not a problem with 
>>> Hobbit and instead something I am doing wrong - if so please 
>>> enlighten me.
>>>
>>> -Charles
>>>
>>
>> I tried your config. and, yes, I have same strange behaviour.
>> We are running Hobbit 4.2.0 patched on Solaris 9.
>>
>> $ pcretest
>> PCRE version 4.5 01-December-2003
>>
>>   re> /prod-web-(1|2|3|4|9|10|11)$/
>> data> prod-web-12
>> No match
>> data> prod-web-19
>> No match
>> data> prod-web-10
>>  0: prod-web-10
>>  1: 10
>>
>> The column info and the rule tests below show that both prod-web-10 
>> and prod-web-12 are ignored but not prod-web-8.
>>
>> $ ./hobbitd_alert --test "prod-web-10" conn
>> 00015495 2007-01-12 07:52:45 send_alert prod-web-10:conn state Paging
>> 00015495 2007-01-12 07:52:45 Matching host:service:page 
>> 'prod-web-10:conn:acadSys' against rule line 200
>> 00015495 2007-01-12 07:52:45 *** Match with 'HOST=$IGNORE_HOSTS 
>> service=*' ***
>> 00015495 2007-01-12 07:52:45 Matching host:service:page 
>> 'prod-web-10:conn:acadSys' against rule line 200
>> 00015495 2007-01-12 07:52:45 *** Match with 'HOST=$IGNORE_HOSTS 
>> service=*' ***
>> 00015495 2007-01-12 07:52:45 IGNORE rule found
>>
>>
>> $ ./hobbitd_alert --test "prod-web-12" conn
>> 00016778 2007-01-12 07:58:50 send_alert prod-web-12:conn state Paging
>> 00016778 2007-01-12 07:58:50 Matching host:service:page 
>> 'prod-web-12:conn:acadSys' against rule line 200
>> 00016778 2007-01-12 07:58:50 *** Match with 'HOST=$IGNORE_HOSTS 
>> service=*' ***
>> 00016778 2007-01-12 07:58:50 Matching host:service:page 
>> 'prod-web-12:conn:acadSys' against rule line 200
>> 00016778 2007-01-12 07:58:50 *** Match with 'HOST=$IGNORE_HOSTS 
>> service=*' ***
>> 00016778 2007-01-12 07:58:50 IGNORE rule found
>>
>>
>> $ ./hobbitd_alert --test "prod-web-8" conn
>> 00016921 2007-01-12 07:59:50 send_alert prod-web-8:conn state Paging
>> 00016921 2007-01-12 07:59:50 Matching host:service:page 
>> 'prod-web-8:conn:acadSys' against rule line 200
>> 00016921 2007-01-12 07:59:50 Failed 'HOST=$IGNORE_HOSTS service=*' 
>> (hostname not in include list)
>> ...
>> ...
>>
>>
>> Dominique
>> UNIL - University of Lausanne_
>>
>> To unsubscribe from the hobbit list, send an e-mail to
>> hobbit-unsubscribe at hswn.dk
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk



More information about the Xymon mailing list