[Xymon] off-by-one bug in analysis.cfg "FILE ... SIZE>x" checks

Axel Beckert abe at deuxchevaux.org
Fri Nov 8 12:22:24 CET 2019 

Hi,

it just took me an hour or two to realize why I had false negatives
(i.e. missing alerts) on empty files:

From the example in the big comment-based documentation at the
beginning of analysis.cfg (emphasis with "^^^" is mine):

#             Example: Check that the /var/log/messages file is not empty and was updated
                                                             ^^^^^^^^^^^^
#                      within the past 10 minutes, and go yellow if either fails:
#                 FILE /var/log/messages SIZE>0 MTIME<600 yellow
                                         ^^^^^^

So I had this in my analysis.cfg:

FILE /var/backups/mysql.0 SIZE>0 MTIME<86400 yellow

I then did the following on the monitored machine:

# mv -i /var/backups/mysql.0 /var/backups/mysql.0.BACKUP
# touch /var/backups/mysql.0
# service xymon-client restart

The check still stayed green despite /var/backups/mysql.0 clearly was
an empty file.

At some point I read the non-example documentation further up and
there is written:

#             - "SIZE<max.size" and "SIZE>min.size" triggers a warning it the file
#               size is greater than "max.size" or less than "min.size", respectively.

Note that there is written "SIZE>min.size" and "less than" and not
"less or equal than" despite the negation of ">" is "≤" and not "<".

So I changed "SIZE>0" to "SIZE>1" and I got the expected alert.

From my point of view, this is a bug in the implementation as "SIZE>0"
should trigger an alert if the size is greater than zero and not only
if the size is greater than one.

It though also could be viewed as the latter cited documentation is
correct (compared to the implementation) and the example is wrong. But
that means that the implemented and documented syntax is so utterly
inituitive that even the official examples get it wrong.

So please fix this properly by correcting the unintuitive
implementation. If that may take a while, please update for the next
4.x.y release at least the example and add a note that despite ">" is
written, "≥" (or ">=") is meant and that this issue will be fixed in a
later release.

P.S.: I ran into this issue with the (security-patched) Xymon 4.3.28
version in Debian 10 Buster (current stable), but was also able to
reproduce this on a test machine with Debian Unstable and Xymon 4.3.30
(as packaged by Debian), so the issue still seems to be present.

		Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe at deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe at noone.org  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20191108/d488c701/attachment.sig>

More information about the Xymon mailing list