[Xymon] Migrating from BBWin to Xymon PS Client

Brandon Dale BDale at kitchengroup.com.au
Thu Apr 2 03:18:56 CEST 2015


It looks like you can also ignore against eventids in the analysis.cfg.

Not very good at regex, but something like this might work, and then you can match on anything:

LOG     eventlog_Application  %^warning.* COLOR=yellow "IGNORE=%(\[1111\])|(\[2222\])|(\[1\] - test)"

I could be wrong, but I think the analysis.cfg is the best place to do this if you want to be able to match on some combo of the provider / eventid / message etc. If you do it in alerts.cfg you will still be changing the colour of the msgs test, which you might not want.


PowerShell skills aren't great either... but I think in the PowerShell client this is where the ignore rules are evaluated, in the XymonMsgs function:


1522                                    if ($entry.ProviderName -match $filter -or $entry.Message -match $filter)


You might be able to change it to something like:

$fullevent=[string]$level + " - " + [string]$entry.TimeCreated + " - " + "[$($entry.Id)] - " + [string]$entry.ProviderName + " - " + [string]$entry.Message
  if ($fullevent -match $filter)

so then you are matching against the entire message you see in the msgs column using client-local.cfg. Syntax is probably wrong and I don't know what else it would break, but you get the idea.


Regards,


Brandon
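
Added example, not part of the original message or of the Xymon PS client: it compares the provider/message test quoted above with a whole-line test, and shows that an unanchored event-id pattern also matches a bracketed number inside the message text, so a field-anchored pattern is the safer ignore rule. The events are constructed, and `Format-EventLine`, `Test-Ignore` and the `Level` property are hypothetical names used only here.

```powershell
# Constructed sample events (not real log data), using the fields named in the thread.
$events = @(
    [pscustomobject]@{ Level='Warning'; TimeCreated=[datetime]'2015-03-30T14:11:25'; Id=1;    ProviderName='test';   Message='This is a test message.' }
    [pscustomobject]@{ Level='Warning'; TimeCreated=[datetime]'2015-03-30T14:12:00'; Id=1111; ProviderName='AppSvc'; Message='Cache flushed.' }
    [pscustomobject]@{ Level='Error';   TimeCreated=[datetime]'2015-03-30T14:13:00'; Id=4000; ProviderName='AppSvc'; Message='Worker failed, see ticket [1111].' }
)

# Hypothetical helper: builds the line in the layout
# <level> - <date / time> - [<eventid>] - <provider> - <message>
function Format-EventLine($e) {
    $ts = $e.TimeCreated.ToString('MM/dd/yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
    '{0} - {1} - [{2}] - {3} - {4}' -f $e.Level, $ts, $e.Id, $e.ProviderName, $e.Message
}

# Hypothetical helper: $fullLine = $false mirrors the provider/message test
# quoted from the client; $true matches against the whole formatted line.
function Test-Ignore($e, [string]$filter, [bool]$fullLine) {
    if ($fullLine) {
        return (Format-EventLine $e) -match $filter
    }
    return ($e.ProviderName -match $filter -or $e.Message -match $filter)
}

$cases = @(
    # Unanchored id pattern against provider/message only: the Id field is never seen.
    @{ Name = 'provider/message, unanchored'; Filter = '\[1111\]'; Full = $false }
    # Same pattern against the whole line: also hits "[1111]" inside message text.
    @{ Name = 'whole line, unanchored';       Filter = '\[1111\]'; Full = $true }
    # Anchored to the event-id field: level, timestamp, then the bracketed id.
    @{ Name = 'whole line, field-anchored';   Filter = '^\w+ - [^\[]+ - \[1111\] - '; Full = $true }
)

foreach ($c in $cases) {
    $ignored = $events |
        Where-Object { Test-Ignore $_ $c.Filter $c.Full } |
        ForEach-Object { $_.Id }
    '{0,-30} ignores event ids: {1}' -f $c.Name, ($ignored -join ', ')
}
```

Any ignore rule that can be satisfied by message text can be triggered by whatever writes that text, so it is worth checking which events a filter actually drops before deploying it.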

From: zak.beck at accenture.com [mailto:zak.beck at accenture.com]
Sent: Monday, 30 March 2015 6:51 PM
To: Brandon Dale; Timothy_Persoon at axi.be; xymon at xymon.com
Subject: RE: [Xymon] Migrating from BBWin to Xymon PS Client

Hi

The fields in the event log message from the PS client are as follows:

<level> - <date / time> - [<eventid>] - <provider> - <message>

Warning - 03/30/2015 14:11:25 - [1] - test - This is a test message.

In the example given, 'test' is the provider.

Ignore rules should match against provider or message. You cannot currently ignore against event ids - I believe you could use them in alert.cfg though.

If you want to only receive warning or error 'level' messages, you can limit using the eventlogswanted:

eventlogswanted:LIST_OF_EVENT_LOGS:MAX_SIZE:REQUIRED_LEVELS

REQUIRED_LEVELS is an optional list of the levels you want to report, e.g.:

eventlogswanted:*:250000:error,warning

Zak

From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Brandon Dale
Sent: 30 March 2015 04:37
To: Timothy Persoon; xymon at xymon.com<mailto:xymon at xymon.com>
Subject: Re: [Xymon] Migrating from BBWin to Xymon PS Client

I think this will work:

                                LOG     eventlog_System  %^error.* COLOR=red
                                LOG     eventlog_System  %^warning.* COLOR=yellow
                                LOG     eventlog_Application  %^error.* COLOR=red
                                LOG     eventlog_Application  %^warning.* COLOR=yellow
                                LOG     eventlog_Security  %^failure.* COLOR=red


The ignore rules for the eventids I'm not sure about; in the past with BBWin I have always had to ignore based on the message detail. If someone knows how to do this I would also like to know.

In the latest PowerShell client this is the type of data that you get for events; the eventid is 1 in the example below.

Warning - 03/30/2015 14:11:25 - [1] - test - This is a test message.

However I haven't had any success using an ignore rule to match anything other than the "This is a test message" part of the message.

Regards,


Brandon


From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Timothy Persoon
Sent: Tuesday, 24 March 2015 7:55 PM
To: xymon at xymon.com<mailto:xymon at xymon.com>
Subject: [Xymon] Migrating from BBWin to Xymon PS Client

Hi,

I'm migrating from BBWin to the newest Xymon PS Client. However, there are some settings in the BBWin.cfg file that I can't seem to migrate to the analysis.cfg file.

In BBWin there are several message checks:
<msgs>
        <setting name="alwaysgreen" value="false" />
        <ignore logfile="Application" eventid="1000" />
        <ignore logfile="Application" eventid="16385" />
        <ignore logfile="Application" eventid="8198" />
        <ignore logfile="Application" eventid="489" />
        <ignore logfile="System" eventid="6038" />
        <setting name="delay" value="1h" />
        <match logfile="System" type="error" alarmcolor="red" />
        <match logfile="System" type="warning" alarmcolor="yellow" />
        <match logfile="Application" type="error" alarmcolor="red" />
        <match logfile="Application" type="warning" alarmcolor="yellow" />
        <match logfile="Security" type="fail" />
</msgs>

but how do I migrate those to analysis.cfg? There seem to be two options:
1) LOG eventlog_application        %^warning        COLOR=red
2) LOG eventlog:Application        %warning        COLOR=red

Is there a difference between these two notations and is it even possible to migrate the settings of BBWin.cfg to the analysis.cfg?

Kind regards,

Timothy