[Xymon] Xymon Log Retrieval

Jeremy Laidman jlaidman at rebel-it.com.au
Mon Apr 22 06:54:25 CEST 2013


On 19 April 2013 22:00, Nick <Nick at pettefar.com> wrote:

> Is there a doco anywhere explaining the log file retrieval mechanism?
>

Log file retrieval configuration is documented in client-config.cfg.
Analysis and reporting of log files is documented in analysis.cfg.

The log file contents are processed by the logfetch binary, and the man
page for that gives some information on how it does its thing.


> I want to use Xymon to fetch /etc/passwd files so that I can check for
> unwanted/unnoticed changes.
>

The problem with using the log retrieval mechanism is that it assumes that
the file is a logfile, and only reports on new entries past the last time
it checked.  If an entry is changed, but the file doesn't change size, it
won't report any change to the file.  If an entry is added in the middle,
rather than at the end, then logfetch will report the lines at the end and
so you'll see the wrong values.

You can trick logfetch into thinking that a file is a logfile that has been
rotated by reducing its size, and it starts from the beginning of the file.
The next run, you append to the file, so that it reports only the new
stuff.  Then you get it to cycle between the two states (new entries,
rotated, new entries, rotated, etc).  But you wouldn't want to do that on
the actual passwd file!

What you could do is to create a virtual file using backticks and
manipulate its contents as you need, and to satisfy logfetch.  It's a bit
hackety but it only requires changes in a couple of config files on the
Xymon server.  For example, something like this in client-local.cfg:

log:`if [ -f /tmp/pw.rep ]; then if grep '^[0-9]' /tmp/pw.rep | tail -n +3 | grep ^ >/dev/null; then cp /dev/null /tmp/pw.rep; fi; diff /tmp/pw.old /etc/passwd >> /tmp/pw.rep; else touch /tmp/pw.rep; fi; cp /etc/passwd /tmp/pw.old; echo /tmp/pw.rep`:2048

All this does is to create a copy of the password file, pw.old, and any
differences since the last time it was run are appended to a report file,
pw.rep, which is what's actually monitored.  If the report file has 3 or
more diffs appended, it gets emptied before the next report is added, to
keep the file from growing too large.

My analysis.cfg file can contain something like this:

HOST=name.of.host
    LOG /tmp/pw.rep "%^>" COLOR="red" "TEXT=Account added to /etc/passwd"
    LOG /tmp/pw.rep "%^<" COLOR="yellow" "TEXT=Account removed from /etc/passwd"

Note: untested.

J
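The backtick one-liner above, rewritten as an added example script (my own code for this edit, not Jeremy's and not part of Xymon). It keeps the same three pieces (a snapshot copy, a report file that is emptied once it holds a few diff hunks, and the report path printed on stdout for the log: entry) but also includes a small model of how logfetch reads a logfile, so the shrink-equals-rotation trick can be exercised end to end without a Xymon server. The file paths, the hunk limit, the function names and the simplified offset-tracking reader are assumptions of this example; the real logfetch keeps more state than a byte offset.

```sh
#!/bin/sh
# Added example, not code from the original post or from the Xymon project.
# Restates the "virtual logfile" trick as a readable script: the report file
# only grows, except that it is emptied once it holds MAXHUNKS diff hunks, so
# logfetch (which reports only bytes past its last offset and restarts from
# the beginning when the file shrinks) always shows the latest diffs.
# Paths, the hunk limit and the function names are this example's own choices.

# pw_report WATCHED SNAPSHOT REPORT [MAXHUNKS]
# Appends "diff SNAPSHOT WATCHED" to REPORT, emptying REPORT first when it
# already holds MAXHUNKS or more hunks, refreshes SNAPSHOT, and prints the
# REPORT path, which is what a backtick log: entry in client-local.cfg needs.
pw_report() {
    watched=$1; snapshot=$2; report=$3; maxhunks=${4:-3}
    if [ -f "$snapshot" ]; then
        [ -f "$report" ] || : > "$report"
        # diff hunk headers look like "3a4", "5d4" or "6c6"; count them
        hunks=$(grep -c '^[0-9]' "$report" || :)
        if [ "$hunks" -ge "$maxhunks" ]; then
            : > "$report"          # shrink: logfetch treats this as a rotation
        fi
        diff "$snapshot" "$watched" >> "$report" || :   # diff exits 1 on differences
    else
        : > "$report"              # first run: nothing to compare against yet
    fi
    cp "$watched" "$snapshot"
    printf '%s\n' "$report"
}

# pw_events [REPORT]
# Turns the diff lines in REPORT (or stdin) into one "added NAME" /
# "removed NAME" line each, the same split the analysis.cfg rules make on
# "^>" and "^<"; NAME is the first colon-separated field of the passwd line.
pw_events() {
    sed -n -e 's/^> \([^:]*\):.*/added \1/p' \
           -e 's/^< \([^:]*\):.*/removed \1/p' ${1:+"$1"}
}

# new_lines REPORT STATEFILE
# Simplified model of how logfetch reads a logfile (assumption: the real one
# tracks more than a byte offset): print everything past the offset stored in
# STATEFILE, starting over from byte 0 when the file is now smaller than it.
new_lines() {
    report=$1; state=$2
    offset=0
    [ -f "$state" ] && offset=$(cat "$state")
    size=$(wc -c < "$report" | tr -d ' ')
    [ "$size" -lt "$offset" ] && offset=0
    tail -c +$((offset + 1)) "$report"
    printf '%s\n' "$size" > "$state"
}

# When run as a script: pw_report.sh /etc/passwd /tmp/pw.old /tmp/pw.rep
if [ "$#" -ge 3 ]; then
    pw_report "$@"
fi
```

Saved as a script, it slots into the same backtick form the post uses (the script's stdout is the report path), and the two analysis.cfg rules stay as they are: lines starting with ">" are additions, lines starting with "<" are removals. The hunk-count trick relies on diff's output, not on the passwd file itself, so it never touches /etc/passwd; and because a changed line shows up as a "<" and a ">" pair, an edited entry (same size, different content) is reported too, which plain logfetch on the passwd file would miss.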