[Xymon] analysis.cfg log message issue
Jeremy Laidman
jlaidman at rebel-it.com.au
Mon Aug 26 09:12:22 CEST 2013
I think this is expected behaviour. Each LOG line that matches will
generate the error, not the first line that matches. Can you do something
like this:
LOG %.* %Cmdlet.failed..Cmdlet COLOR=yellow****
LOG %.* %^error COLOR=red IGNORE=^Cmdlet.failed..Cmdlet
On 26 August 2013 14:17, Phil Crooker <Phil.Crooker at orix.com.au> wrote:
> I’m running xymon 4.3.10 and have a problem with a log event not being
> handled correctly. It is unclear whether this is a bbwin client issue or in
> xymond (perhaps both). The event:****
>
> ** **
>
> In the windows eventlog:****
>
> Cmdlet failed. Cmdlet GetUserPhoto, parameters {Identity=username at domain}.
> ****
>
> ** **
>
> As sent to xymond by the bbwin client:****
>
> error - 2013/08/26 11:19:57 - MSExchange CmdletLogs (6) - Cmdlet failed.
> Cmdlet %1, parameters %2.****
>
> ** **
>
> I’ve setup the following rule to ‘downgrade’ this basically meaningless
> windows event, with the catchall rule under it for the (remaining) errors
> that I do want to monitor:****
>
> ** **
>
> LOG %.* %Cmdlet.failed..Cmdlet COLOR=yellow****
>
> LOG %.* %^error COLOR=red****
>
> ** **
>
> This entry still comes in as a red error:****
>
> ** **
>
> red Critical entries in eventlog_msexchange management****
>
> yellow error - 2013/08/26 11:19:57 - MSExchange CmdletLogs (6) - Cmdlet
> failed. Cmdlet %1, parameters %2.****
>
> yellow error - 2013/08/26 11:17:26 - MSExchange CmdletLogs (6) - Cmdlet
> failed. Cmdlet %1, parameters %2.****
>
> red error - 2013/08/26 11:19:57 - MSExchange CmdletLogs (6) - Cmdlet
> failed. Cmdlet %1, parameters %2.****
>
> red error - 2013/08/26 11:17:26 - MSExchange CmdletLogs (6) - Cmdlet
> failed. Cmdlet %1, parameters %2.****
>
> ** **
>
> Looking at the windows event viewer, there is only one event for each of
> these times, so it is somehow being duplicated. Capturing the traffic shows
> it is not duplicated ‘on the wire’. Using the xymon xymondlog command
> shows it is duplicated. If I remove the Cmdlet rule from analysis.cfg, it
> is not duplicated. ****
>
> ** **
>
> This doesn’t happen to all messages but to some, I haven’t worked out what
> the commonality is -- perhaps the message string itself is affecting the
> parsing…. The only way I’ve been able to stop this is to IGNORE the entry
> which I don’t really want to entirely.****
>
> ** **
>
> Can anyone help, please?****
>
> ** **
>
> Thanks, Phil****
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20130826/05358e36/attachment.html>
More information about the Xymon
mailing list