[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Alerts - HOSTS matching regular expressions.



Hi guys,

I stand corrected by myself after having been woken up just a few minutes
ago. Seems that using those rules let an alert through. I just tested with
'bbcmd hobbitd-alert --test $HOST disk --color=yellow' and indeed it was not
OK. Changed 'STOP' to 'IGNORE' and it seems to work as expected.

--- cut here ---
HOST=junkyard-starbox-v_trash
  MAIL=cto (at) junkyard.tld
  IGNORE
--- and here ---

-- 
kN

On Thu, Jan 28, 2010 at 11:55 PM, Kii NODA <kii.noda (at) gmail.com> wrote:

> Hi everyone,
>
> After doing some testing I can say we've elegantly solved the problem
> caused by "HOST=%^asd$" matching both hosts named "asd" and "asdf" despite
> the "$" at the end. We've added a "STOP" rule at the end of the "special"
> rules that only alert CTO & CEO of Junkyard.
>
> The problem still remains, however.
>
> The new, most elegant ruleset thus far, follows:
>
> --- cut here ---
>
> HOST=junkyard-starbox-v_trash
>   MAIL=cto (at) junkyard.tld
>   STOP
>
>
> HOST=junkyard-starbox-x_dustbin
>   MAIL=ceo (at) junkyard.tld
>   STOP
>
> HOST=*
>   MAIL=stars (at) sysadmins.tld REPEAT=60 RECOVERED NOTICE COLOR=purple,yellow
>   MAIL=stars (at) sysadmins.tld REPEAT=10 RECOVERED NOTICE COLOR=red
>   MAIL=cto (at) sysadmins.tld DURATION>60 REPEAT=60 RECOVERED NOTICE
> COLOR=purple,yellow
>   MAIL=cto (at) sysadmins.tld DURATION>30 REPEAT=60 RECOVERED NOTICE COLOR=red
> --- and here ---
>
>
>
> On Thu, Jan 28, 2010 at 10:45 PM, Kii NODA <kii.noda (at) gmail.com> wrote:
>
>> Hi everyone,
>>
>> As you may have already been aware by now, we're here to stay. :)
>>
>> Here's one interesting problem (and maybe simple) for you: We've seen that
>> "HOST=%^asd$" matches both hosts named "asd" and "asdf", not respecting the
>> "$" at the end. Can you guys please confirm that regex matching for "HOST="
>> does not care about the "$" sign?
>>
>> For those that need some expanded case-study (all others can now stop),
>> here's the story behind: we are managing various servers of ours and our
>> customers. Due to the fact that we do not control DNS entries for all these
>> machines we have come up with a naming scheme like this:
>>
>> --- cut here ---
>> junkyard-starbox # clientID=junkyard, starbox=actual machine
>> junkyard-starbox-v_trash # v_trash=vserver named trash running on starbox
>> junkyard-starbox-v_trashcan # v_trashcan=vserver named trashcan running on
>> starbox
>> junkyard-starbox-x_dustbin # x_dustbin=xen server running on starbox
>> --- and here ---
>>
>> We need to send these "special" alerts:
>> * ONLY cto (at) junkyard.tld for events on junkyard-starbox-v_trash
>> * ONLY ceo (at) junkyard.tld for events on junkyard-starbox-x_dustbin
>>
>> Also, we need to send these alerts for all other hosts & events:
>> * stars (at) sysadmins.tld for purple, yellow & red w/ REPEAT=60
>> * cto (at) sysadmins.tld for red w/ DURATION>30 and REPEAT=60
>> * cto (at) sysadmins.tld for yellow&purple w/ DURATION>60 and REPEAT=60
>>
>> Exercising our brain muscles we came up with these:
>> --- cut here ---
>> #alert CTO for v_trash
>> HOST=junkyard-starbox-v_trash
>>   MAIL=cto (at) junkyard.tld
>>
>> #alert CEO for x_dustbin
>> HOST=junkyard-starbox-x_dustbin
>>   MAIL=ceo (at) junkyard.tld
>>
>> #stop alerting for the private boxes above
>> HOST=*
>>   IGNORE HOST=%^junkyard-starbox-(v_trash|x_dustbin)$
>>
>> HOST=* COLOR=purple,yellow
>>   MAIL=stars (at) sysadmins.tld REPEAT=60 RECOVERED NOTICE
>>   MAIL=cto (at) sysadmins.tld DURATION>60 REPEAT=60 RECOVERED NOTICE
>>
>> HOST=* COLOR=red
>>   MAIL=stars (at) sysadmins.tld REPEAT=10 RECOVERED NOTICE
>>   MAIL=cto (at) sysadmins.tld DURATION>30 REPEAT=60 RECOVERED NOTICE
>> --- and here ---
>>
>> However, even with the "$" at the end of our regex we are no longer
>> receiving any alerts for v_trashcan because the regex wrongly matches on the
>> "IGNORE HOST=" line. We could use 2 lines to match each host on its own line
>> but that's not the point of this exercise.
>>
>> So, can anyone confirm our finding?
>>
>