Re: [hobbit] hobbit-alerts problem
- To: hobbit (at) hswn.dk
- Subject: Re: [hobbit] hobbit-alerts problem
- From: Dominique Frise <Dominique.Frise (at) unil.ch>
- Date: Fri, 12 Jan 2007 08:16:13 +0100
- Organization: University of Lausanne
- References: <45A6DB26.20809@cisco.com>
- User-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8.0.9) Gecko/20061220 SeaMonkey/1.0.7
Charles Jones wrote:
I am again being bitten by regex problems. I am able to reproduce it
with the following entries in hobbit-alerts.cfg:
$IGNORE_HOSTS=%prod-web-(1|2|3|4|9|10|11)$
HOST=$IGNORE_HOSTS service=*
IGNORE
If I then check the "info" column of a host that is *not* supposed to be
ignored, such as prod-web-12, it shows that it is indeed ignored. This
is a serious problem as I have already missed alerts for some production
hosts because of this problem.
According to pcretest (Henrik's recommended method of testing a Hobbit
regex), there is nothing wrong with the regular expression that I am using:
$ pcretest
PCRE version 6.6 06-Feb-2006
re> /prod-web-(1|2|3|4|9|10|11)$/
data> prod-web-12 (*correctly not matching*)
No match
data> prod-web-19 (*correctly not matching*)
No match
data> prod-web-10 (*correctly matching*)
0: prod-web-10
1: 10
From the above tests you can see that prod-web-12 does not match the
regex when using pcretest, yet Hobbit is matching it for some reason. A
possible work-around could be to not use a regex at all, such as
$IGNORE_HOSTS=prod-web-1,prod-web-2,prod-web-3... but that is not really
a solution if you have hundreds of hosts, and my main point is that
regular expressions are not working as they are documented.
I've also tried other undocumented ways of using the regex, including:
No hosts matched at all
$IGNORE_HOSTS=%prod-web-(1|2|3|4|9|10|11)$
HOST="IGNORE_HOSTS"
No hosts matched at all
$IGNORE_HOSTS="%prod-web-(1|2|3|4|9|10|11)$"
HOST=$IGNORE_HOSTS
All hosts match (both web-12 and web-11)
$IGNORE_HOSTS=prod-web-(1|2|3|4|9|10|11)$
HOST=%$IGNORE_HOSTS
If anyone else can verify or reproduce this, it would be helpful in at
least convincing Henrik to add it to the list of things to fix in the
next version. I honestly hope that it's not a problem with Hobbit and
instead something I am doing wrong - if so please enlighten me.
-Charles
I tried your config and, yes, I have the same strange behaviour.
We are running Hobbit 4.2.0 patched on Solaris 9.
$ pcretest
PCRE version 4.5 01-December-2003
re> /prod-web-(1|2|3|4|9|10|11)$/
data> prod-web-12
No match
data> prod-web-19
No match
data> prod-web-10
0: prod-web-10
1: 10
The column info and the rule tests below show that both prod-web-10 and
prod-web-12 are ignored but not prod-web-8.
$ ./hobbitd_alert --test "prod-web-10" conn
00015495 2007-01-12 07:52:45 send_alert prod-web-10:conn state Paging
00015495 2007-01-12 07:52:45 Matching host:service:page
'prod-web-10:conn:acadSys' against rule line 200
00015495 2007-01-12 07:52:45 *** Match with 'HOST=$IGNORE_HOSTS service=*' ***
00015495 2007-01-12 07:52:45 Matching host:service:page
'prod-web-10:conn:acadSys' against rule line 200
00015495 2007-01-12 07:52:45 *** Match with 'HOST=$IGNORE_HOSTS service=*' ***
00015495 2007-01-12 07:52:45 IGNORE rule found
$ ./hobbitd_alert --test "prod-web-12" conn
00016778 2007-01-12 07:58:50 send_alert prod-web-12:conn state Paging
00016778 2007-01-12 07:58:50 Matching host:service:page
'prod-web-12:conn:acadSys' against rule line 200
00016778 2007-01-12 07:58:50 *** Match with 'HOST=$IGNORE_HOSTS service=*' ***
00016778 2007-01-12 07:58:50 Matching host:service:page
'prod-web-12:conn:acadSys' against rule line 200
00016778 2007-01-12 07:58:50 *** Match with 'HOST=$IGNORE_HOSTS service=*' ***
00016778 2007-01-12 07:58:50 IGNORE rule found
$ ./hobbitd_alert --test "prod-web-8" conn
00016921 2007-01-12 07:59:50 send_alert prod-web-8:conn state Paging
00016921 2007-01-12 07:59:50 Matching host:service:page
'prod-web-8:conn:acadSys' against rule line 200
00016921 2007-01-12 07:59:50 Failed 'HOST=$IGNORE_HOSTS service=*' (hostname
not in include list)
...
...
Dominique
UNIL - University of Lausanne
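
An added example, not part of the original message or of Hobbit's code: a Python check that runs the pattern from the thread against the three hostnames tested with `hobbitd_alert --test` and reports which variant of the pattern reproduces the ignores seen there. That the pattern is evaluated without its trailing `$` is only an assumption the results are consistent with, not something the thread establishes; Python's `re` stands in for PCRE, and all function names are hypothetical.

```python
import re

# Pattern from the thread, i.e. the text after the '%' marker in hobbit-alerts.cfg.
PATTERN = r"prod-web-(1|2|3|4|9|10|11)$"

# What the rule author intends for the hosts tested in the thread.
INTENDED = {"prod-web-10": True, "prod-web-12": False, "prod-web-8": False}

# What the hobbitd_alert --test runs in the thread reported (True = IGNORE rule hit).
OBSERVED_IGNORED = {"prod-web-10": True, "prod-web-12": True, "prod-web-8": False}


def matches(pattern, hosts):
    """Unanchored search, like pcretest: host -> whether the pattern matches."""
    rx = re.compile(pattern)
    return {h: rx.search(h) is not None for h in hosts}


def audit(pattern, expected):
    """Hosts whose match result differs from the expected ignore decision."""
    got = matches(pattern, expected)
    return sorted(h for h in expected if got[h] != expected[h])


def candidate_variants(pattern):
    """Hypothetical forms of the pattern that a config parser could end up with."""
    return {
        "as written": pattern,
        "trailing $ dropped": pattern[:-1] if pattern.endswith("$") else pattern,
        "fully anchored": "^" + pattern,
    }


def explain(pattern, observed):
    """Names of the variants whose matches equal the observed behaviour."""
    return [name for name, p in candidate_variants(pattern).items()
            if matches(p, observed) == observed]


if __name__ == "__main__":
    print("pattern vs intent, mismatches:", audit(PATTERN, INTENDED))
    print("pattern vs observed, mismatches:", audit(PATTERN, OBSERVED_IGNORED))
    print("variants reproducing observed:", explain(PATTERN, OBSERVED_IGNORED))
```

Running the same audit over a full host inventory before deploying an IGNORE rule shows which alerts the rule would suppress if the anchor were not honoured.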