[Xymon] analysis.cfg regular expression
Neil Simmonds
Neil.Simmonds at studio.co.uk
Wed Jan 17 11:50:42 CET 2024
I thought I'd add an update in case this helps anyone else.
The file name matching was the main issue and actually should have been obvious as the line above in the analysis.cfg file for this server was also a LOG line and user double slashes in the path
This is what I ended up with and it works perfectly so it was the log selection not the search string that was the issue (I did fix the unprintable character issue as well of course).
LOG "%D:\\Weblogs\\W3SVC\d{1,5}\\u_ex\d+\_x.log" "%(?:\S+\s+){11}403\b" COLOR=yellow
From: Jeremy Laidman <jeremy at laidman.org>
Sent: Wednesday, January 17, 2024 7:58 AM
To: Neil Simmonds <Neil.Simmonds at studio.co.uk>
Cc: xymon at xymon.com
Subject: Re: [Xymon] analysis.cfg regular expression
[CAUTION] This is an external email. Do not click links or open any attachments unless you are sure they are safe.
Hi Neil
This is probably not the cause, but the closing double quotes on your second LOG line is an unprintable character representing a fancy (non-ASCII) quote symbol.
Apart from that, I can't see anything wrong with your match strings. Testing them with pcre2grep shows that they match the log lines just fine.
However, I wonder if your filename matching regular expressions is the problem. Each backslash in the match string are likely to be interpreted by the PCRE engine as the start of a special sequence, such as "\W" meaning "non-word character", and "\*" meaning a literal asterisk rather than a wildcard. For a test, try changing the filename string to be a non-regular expression (without the %) and name a single file rather than trying to use a wildcard.
Cheers
Jeremy
On Wed, 17 Jan 2024 at 02:28, Neil Simmonds <Neil.Simmonds at studio.co.uk<mailto:Neil.Simmonds at studio.co.uk>> wrote:
Hi folks,
I'm having trouble with a regular expression in a LOG entry in analysis.cfg which is monitoring a Windows log.
I've included some sample lines below (IP addresses changed for obvious reasons) and I need to alert when the 12th string (space separated) is 403 (actually 500 but for testing, 403)
I've tried this,
LOG "%D:\Weblogs\*\u_ex*.log" "%2.{1,75} .{1,75} .{1,75} .{1,75} .{1,75} .{1,75} .{1,75} .{1,75} .{1,75} .{1,75}- 403 .{1,75} .{1,75} .{1,75}" COLOR=yellow
And
LOG "%D:\Weblogs\*\u_ex*.log" "%(?:\S+\s+){11}403\b" COLOR=yellow
2024-01-16 14:41:01 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 93
2024-01-16 14:42:03 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 83
2024-01-16 14:43:04 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 78
2024-01-16 14:44:08 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 110
2024-01-16 14:45:13 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 89
2024-01-16 14:46:16 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 62
2024-01-16 14:47:20 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 78
Neither of these work. Can anyone help?
Kind Regards,
Neil.
).
Studio is a trading name of Studio Retail Trading Limited (Company no. 03994833), which is an introducer of credit not a lender. Studio Pay is provided by Frasers Group Financial Services Limited (Registered Company no. 00718151), which is authorised and regulated by the Financial Conduct Authority (FRN 311908) for consumer credit and general insurance and a member of the Finance and Leasing Association. Both companies are registered in England and their registered office is: Church Bridge House Henry Street Accrington BB5 4EE.
NOTE: This email and any information contained within or attached in a separate file is confidential and intended solely for the Individual to whom it is addressed. The information or data included is solely for the purpose indicated or previously agreed. Any information or data included with this e-mail remains the property of Studio Retail Trading Ltd or Frasers Group Financial Services Ltd. The recipient will refrain from utilising the information for any purpose other than that indicated and upon request will destroy the information and remove it from their records. Any views or opinions presented are solely those of the author and do not necessarily represent those of Studio Retail Trading Ltd or Frasers Group Financial Services Ltd. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. No warranties or assurances are made in relation to the safety and content of this e-mail and any attachments. No liability is accepted for any consequences arising from it. Studio Retail Trading Ltd and Frasers Group Financial Services Ltd reserve the right to monitor all e-mail communications through their internal and external networks. If you have received this email in error please let us know. You can find our available contact details by going to help.studio.co.uk<http://help.studio.co.uk/> and clicking 'Contact Us'.
_______________________________________________
Xymon mailing list
Xymon at xymon.com<mailto:Xymon at xymon.com>
http://lists.xymon.com/mailman/listinfo/xymon
Studio is a trading name of Studio Retail Trading Limited (Company no. 03994833), which is an introducer of credit not a lender. Studio Pay is provided by Frasers Group Financial Services Limited (Registered Company no. 00718151), which is authorised and regulated by the Financial Conduct Authority (FRN 311908) for consumer credit and general insurance and a member of the Finance and Leasing Association. Both companies are registered in England and their registered office is: Church Bridge House Henry Street Accrington BB5 4EE.
NOTE: This email and any information contained within or attached in a separate file is confidential and intended solely for the Individual to whom it is addressed. The information or data included is solely for the purpose indicated or previously agreed. Any information or data included with this e-mail remains the property of Studio Retail Trading Ltd or Frasers Group Financial Services Ltd. The recipient will refrain from utilising the information for any purpose other than that indicated and upon request will destroy the information and remove it from their records. Any views or opinions presented are solely those of the author and do not necessarily represent those of Studio Retail Trading Ltd or Frasers Group Financial Services Ltd. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. No warranties or assurances are made in relation to the safety and content of this e-mail and any attachments. No liability is accepted for any consequences arising from it. Studio Retail Trading Ltd and Frasers Group Financial Services Ltd reserve the right to monitor all e-mail communications through their internal and external networks. If you have received this email in error please let us know. You can find our available contact details by going to help.studio.co.uk and clicking 'Contact Us'.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20240117/606cc6d7/attachment.htm>
More information about the Xymon
mailing list