[Xymon] Force logfetch to only process complete lines?
Larry Bonham
larry at fni-stl.com
Fri May 11 03:53:46 CEST 2018
Thanks Galen. I really appreciate the response.
I have looked at client-local.cfg and experimented with different settings. Do you know if there is a practical limit to the size setting? I know 10240 is the default but I would like it as large as possible.
Most of my problems are related to LOG settings in analysis.cfg. I could try moving all that to client-local.cfg. I am correct in saying that client-local.cfg does require duplication of global settings if you have settings for a specific host (e.g. settings based on class RHEL7 will need to be duplicated for specific hosts)? We have over 250 so I’d like as many lumped together as possible.
I’ll review all this and reply tomorrow. Thanks.
Larry
From: Galen Johnson [mailto:solitaryr at gmail.com]
Sent: Thursday, May 10, 2018 8:12 PM
To: Larry Bonham
Cc: xymon at xymon.com
Subject: Re: [Xymon] Force logfetch to only process complete lines?
To be a bit more explicit...this section from the manpage:
LOGFILE CONFIGURATION ENTRIES
A logfile configuration entry looks like this:
log:/var/log/messages:10240
ignore MARK
trigger Oops
The log:FILENAME:SIZE line defines the filename of the log, and the maximum amount of data (in bytes) to send to the Xymon server. FILENAME is usually an explicit full-path filename on the client. If it is enclosed in backticks, it is a command which the Xymon client runs and each line of output from this command is then used as a filename. This allows scripting which files to monitor, e.g. if you have logfiles that are named with some sort of timestamp. If FILENAME is enclosed in angle brackets it is treated as a glob and passed through the local glob(3) function first.
The ignore PATTERN line (optional) defines lines in the logfile which are ignored entirely, i.e. they are stripped from the logfile data before sending it to the Xymon server. It is used to remove completely unwanted "noise" entries from the logdata processed by Xymon. "PATTERN" is a regular expression.
The trigger PATTERN line (optional) is used only when there is more data in the log than the maximum size set in the "log:FILENAME:SIZE" line. The "trigger" pattern is then used to find particularly interesting lines in the logfile - these will always be sent to the Xymon server. After picking out the "trigger" lines, any remaining space up to the maximum size is filled in with the most recent entries from the logfile. "PATTERN" is a regular expression.
IIRC, you can even have multiple ignore entries. You should have messages in your xymon logs if the file is too big when it's fetched...also, I think you will also run up against the Xymon max data size in the server configs.
=G=
________________________________
CONFIDENTIALITY NOTICE:
This electronic mail message is intended exclusively for
recipient to which it is addressed. The contents of this message
and any attachments may contain confidential and privileged
information. Any unauthorized review, use, print, storage, copy,
disclosure or distribution is strictly prohibited. If you have
received this message in error, please advise the sender
immediately by replying to the message's sender and delete all
copies of this message and its attachments without disclosing
the contents to anyone, or using the contents for any purpose.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20180511/96c6ee2e/attachment.html>
More information about the Xymon
mailing list