[Xymon] "msgs" alerts, sending 10240 bytes and line-buffering

Greg Earle earle at isolar.DynDNS.ORG
Tue Aug 25 00:11:35 CEST 2015


I'm having an issue on my Solaris clients running an older Xymon 4.3.12.
(I have a test build of 4.3.21 waiting in the wings.)

We constantly get scanned by our IT Security people, resulting in
"/var/adm/messages" entries like

Aug 24 09:23:39 myorgsun6 nrpe[15035]: [ID 808958 daemon.warning] refused \
connect from itsecurity-scanner.my.do.main (access denied)

I put an IGNORE entry into "analysis.cfg" to ignore any lines with
"itsecurity-scanner.my.do.main" but I keep getting them - they often look
like this:

--
red Mon Aug 24 09:55:37 PDT 2015 - Log files NOT ok

&red Critical entries in <a href="/xymon-cgi/svcstatus.sh?CLIENT=myorgsun6&SECTION=msgs:/var/adm/messages">/var/adm/messages</a>
&red ess denied)
--

As you can see the "messages" entry has been clipped off leading to the
raw "denied" string which triggered the alert.  It's random - sometimes
it's clipped down to "do.main access denied", for example.

I'm using a bog-standard

[sunos]
log:/var/adm/messages:10240

entry in client-local.cfg.

My theory is that by sending 10240 bytes of the "messages" file across,
it leaves things open to the possibility of sending "clipped" lines -
leading to partial lines that avoid my IGNORE string as a result.

Am I correct?

Is there anything in the newer releases that addresses this?

	- Greg
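
The clipping theory in the message above can be reproduced offline. This is an added example, not part of the original post and not Xymon's own code: it assumes the client sends a plain trailing byte window of the log, as the post theorizes, and the `denied` trigger pattern, the function names and the second log line are constructed for illustration.

```python
import re

# Constructed sample modeled on the /var/adm/messages entry quoted in the post.
LOG = (
    b"Aug 24 09:23:39 myorgsun6 nrpe[15035]: [ID 808958 daemon.warning] refused "
    b"connect from itsecurity-scanner.my.do.main (access denied)\n"
    b"Aug 24 09:24:02 myorgsun6 sshd[15101]: [ID 800047 auth.info] session opened\n"
)

TRIGGER = re.compile(rb"denied")                           # assumed alert pattern
IGNORE = re.compile(rb"itsecurity-scanner\.my\.do\.main")  # the post's IGNORE string

# Byte cap chosen so the cut lands where the post's status page shows it.
CAP = len(LOG) - LOG.index(b"ess denied)")


def byte_window(data, max_bytes):
    """Last max_bytes of data, cut with no regard for line boundaries."""
    return data[-max_bytes:] if max_bytes < len(data) else data


def line_aligned_window(data, max_bytes):
    """Same window, but drop the leading fragment if the cut fell mid-line."""
    if max_bytes >= len(data):
        return data
    start = len(data) - max_bytes
    if data[start - 1:start] != b"\n":       # previous byte is not a line end
        nl = data.find(b"\n", start)
        start = len(data) if nl == -1 else nl + 1
    return data[start:]


def alerts(window):
    """Lines that match TRIGGER and are not suppressed by IGNORE."""
    return [ln for ln in window.splitlines()
            if TRIGGER.search(ln) and not IGNORE.search(ln)]


if __name__ == "__main__":
    print("full file:    ", alerts(LOG))
    print("byte window:  ", alerts(byte_window(LOG, CAP)))
    print("line-aligned: ", alerts(line_aligned_window(LOG, CAP)))
```

The fragment keeps the trigger word but has lost the hostname the IGNORE rule keys on, so the suppression silently fails; discarding the first partial line of the window restores it.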



