[Xymon] Who Column Test
Henrik Størner
henrik at hswn.dk
Tue Nov 13 17:22:34 CET 2012
On 13-11-2012 16:05, Ray Reuter wrote:
> I need to be able to alert off of the "who" column. An example would be
> if there was less than 5 connections I would like to be alerted. I know
> way back in Big Brother days there was a perl script to do just that but
> I am having zero luck of finding it now.
First step is to make the "who" status red - if you do that, then you
can use the normal alert-rules to send out alerts.
Current Xymon versions allow you to modify the color of an existing
status, by sending a "modify" command to xymond. So what I would do was
to run a script on the Xymon server which regularly fetches all of the
"who" statuses, counts how many users are logged in on each host, and
then sends a "modify" status if the maximum is exceeded.
To get all of the "who" statuses, you can use
    xymon 127.0.0.1 "xymondboard test=who fields=hostname,msg"
The output from this command is one line per status, with the hostname,
then a '|' delimiter, and then the status-message with new-line changed
into '\n'. I'm sure someone with Perl / Python / whatever scripting
knowledge could easily turn this into something where you could count
the number of lines (one for each user, minus a couple of header-lines),
but here's a C program that will do it:
--- cut here ---
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    char buf[4096];
    char *hostname, *msg, *l_start, *l_end;

    /* One input line per host: hostname|msg, newlines in msg sent as "\n" text */
    while (fgets(buf, sizeof(buf), stdin)) {
        int loggedin = 0;

        hostname = strtok(buf, "|");
        msg = strtok(NULL, "\n");
        if (!msg) continue;

        l_start = msg;
        do {
            /* A line ends at a literal backslash followed by 'n' */
            l_end = strstr(l_start, "\\n");
            if ( (*l_start == '\0') || (l_start == l_end) ||
                 (strncmp(l_start, "SESSIONNAME", 11) == 0) ||
                 (strncmp(l_start, ">", 1) == 0) ||
                 (strncmp(l_start, "rdp-tcp", 7) == 0) ||
                 (strncmp(l_start, "console", 7) == 0) ) {
                /* Ignore empty lines (e.g. after a trailing "\n") and header lines */
            }
            else {
                loggedin++;
            }
            /* Step past the two-character "\n" marker, or stop at the end */
            l_start = l_end ? (l_end + 2) : NULL;
        } while (l_start);

        fprintf(stdout, "%s %d\n", hostname, loggedin);
    }

    return 0;
}
--- cut here ---
Just save this to "whocount.c" and run "gcc -o whocount whocount.c" to
compile it. It ignores lines beginning with the texts "SESSIONNAME",
">", "rdp-tcp" or "console" - I think those lines always appear in the
"who" status regardless of who is logged in.
When you feed the input from the xymondboard command into this, it
should output one line for each host with the hostname and the number of
users logged in.
So putting it all together, this script will change the "who" status to
red for all hosts where 5 or more users are logged in:
--- cut here ---
#!/bin/sh

LIMIT=5

# whocount prints "hostname count" for each host
xymon 127.0.0.1 "xymondboard test=who fields=hostname,msg" | whocount |
while read HOSTNAME LOGINCOUNT
do
    if test "$LOGINCOUNT" -gt "$LIMIT"
    then
        # Send the "modify" command to xymond (echo would only print it)
        xymon 127.0.0.1 "modify $HOSTNAME.who red whomon $LOGINCOUNT users logged in (max is $LIMIT)"
    fi
done

exit 0
--- cut here ---
(assumes the "whocount" utility is in your PATH).
You'd run this as an extra task from tasks.cfg - e.g. every 5 minutes.
Now you have the "who" status going red when too many users are logged
in, so alerting is easy - just add
    TEST=who COLOR=red
        MAIL security@example.com
to alerts.cfg .
Regards,
Henrik
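
Added example, not part of the original message or of Xymon itself: the counting step done in awk instead of the compiled C helper, generalized to cover both the lower bound asked about in the question and the upper bound used in the reply. The function names, the MIN/MAX arguments, the "(min is N)" wording and the sample status lines are assumptions constructed for illustration; the ignored header prefixes are the ones the C program uses.

```sh
#!/bin/sh
# Added example, not from the original post. Input on stdin: the
# "hostname|msg" lines printed by the xymondboard command above.
# Function names and the MIN/MAX arguments are assumptions.

# who_count: print "hostname count" for each input line.
who_count() {
    awk '{
        bar = index($0, "|")
        if (bar < 2) next                   # no hostname field, skip
        host = substr($0, 1, bar - 1)
        msg  = substr($0, bar + 1)
        n = 0
        while (msg != "") {
            # Line breaks arrive as the two characters backslash + n.
            pos = index(msg, "\\n")
            if (pos > 0) { seg = substr(msg, 1, pos - 1); msg = substr(msg, pos + 2) }
            else         { seg = msg; msg = "" }
            if (seg == "") continue         # blank or trailing segment
            # Same header prefixes the C program in the post ignores.
            if (seg ~ /^(SESSIONNAME|>|rdp-tcp|console)/) continue
            n++
        }
        print host, n
    }'
}

# who_modify_cmds MIN MAX: print a "modify" message per out-of-range host.
who_modify_cmds() {
    min=$1 max=$2
    who_count | while read -r host count
    do
        if [ "$count" -lt "$min" ]; then
            printf 'modify %s.who red whomon %s users logged in (min is %s)\n' "$host" "$count" "$min"
        elif [ "$count" -gt "$max" ]; then
            printf 'modify %s.who red whomon %s users logged in (max is %s)\n' "$host" "$count" "$max"
        fi
    done
}

# Constructed sample input: three hosts with 0, 2 and 4 sessions.
SAMPLE='hostA|SESSIONNAME USERNAME ID STATE\n>console\nrdp-tcp
hostB|SESSIONNAME USERNAME ID STATE\nalice 1 Active\nbob 2 Active\n
hostC|u1 1 Active\nu2 2 Active\n\nu3 3 Active\nu4 4 Active'

# Each printed line would be sent with: xymon 127.0.0.1 "$line"
printf '%s\n' "$SAMPLE" | who_modify_cmds 1 3
```

Because awk reads whole lines, a status message longer than the C program's 4096-byte buffer is not split into a second, bogus host record.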