[hobbit] how to search for exact word patterns

Camelia Anghel canghel at cjh.org
Wed Sep 23 13:52:20 CEST 2009


Sorry I was off yesterday...
Here it goes, I tested first for string "session opened for user root"
and here is how the log entry looks in the hobbit-clients.cfg for
one of the client servers
 
LOG /var/log/messages %failure*|failed*|error*|Warning*|session\s+opened\s+for\s+user\s+root*|Out\s+of\s+Memory* COLOR=red GROUP=admin
 
Thanks,
Camelia 
 
-----Original Message-----
From: Josh Luthman [mailto:josh at imaginenetworksllc.com] 
Sent: Monday, September 21, 2009 4:08 PM
To: hobbit at hswn.dk
Subject: Re: [hobbit] how to search for exact word patterns
 
Could you post your working config, please?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

"When you have eliminated the impossible, that which remains, however
improbable, must be the truth."
--- Sir Arthur Conan Doyle


On Mon, Sep 21, 2009 at 3:00 PM, Camelia Anghel <canghel at cjh.org> wrote:
Greg,
That worked!!!
Thanks a lot!
Camelia 
 
-----Original Message-----
From: Greg Hubbard [mailto:glh.forums at gmail.com] 
Sent: Friday, September 18, 2009 3:09 PM
To: hobbit at hswn.dk
Subject: Re: [hobbit] how to search for exact word patterns
 
Yes -- you only need one % at the beginning of your string to tell Xymon
you are going to use a regular expression.  You do not need the other %
unless they are expected to appear in the log.
 
When using a regular expression, the | character means "or".  So your
example will "fire" if any message contains any of those words.  Also
you seem to be using * by itself, which means "match the preceding 0 or
more times".  Normally we use "dot star" ".*" to mean "match anything no
matter how long."
 
Regular expressions are a bit of a mystery, but are very powerful.
Xymon uses Perl-compatible regular expressions (PCRE) so you might be
able to Google some examples.
 
If you are searching for "Out of memory" in a log file, you can use
"%Out of memory" as your regex string.  I do not remember how you deal
with spaces in the string and the Xymon help is not helpful.  One way to
do it would be to change your spaces into \s+ so it would be
%Out\s+of\s+memory  which removes the embedded spaces (so the Xymon
parser does not think part of your regex is some other token on the
command) and also means that you will match if there is at least one
whitespace character between each word -- slightly more robust than
using a single space.
 
I know the above is a jumble, but if you will post the exact string you
want to match we can help you create the matching expression to help you
get the hang of it.
 
GLH
 
On 9/18/09, Camelia Anghel <canghel at cjh.org> wrote: 
Right now looks like this:
 
LOG /var/log/messages %failure*|%failed*|%error*|%Warning*|%memory* Color=Red
 
But if I type 
LOG /var/log/messages %failure*|%failed*|%error*|%Warning*|%out of memory* Color=Red
 
I'm getting all the messages that have one of these words: out or of or
memory somewhere in their string.
 
Camelia 
-----Original Message-----
From: Greg Hubbard [mailto:glh.forums at gmail.com] 
Sent: Friday, September 18, 2009 1:25 PM
To: hobbit at hswn.dk
Subject: Re: [hobbit] how to search for exact word patterns
 
Try making it a regex (with % prefix) instead of "simple" expression.
On 9/18/09, Camelia Anghel <canghel at cjh.org> wrote: 
Did that but it looks for all messages that have one of the 3 words
Thanks anyway
Camelia 
 
-----Original Message-----
From: Josh Luthman [mailto:josh at imaginenetworksllc.com] 
Sent: Friday, September 18, 2009 11:22 AM
To: hobbit at hswn.dk
Subject: Re: [hobbit] how to search for exact word patterns
 
I think it's:

HOST=my.host.com
    LOG /var/log/messages "out of memory" COLOR=red

Not tested.

Josh Luthman
On Fri, Sep 18, 2009 at 9:26 AM, Camelia Anghel <canghel at cjh.org> wrote:

Hello all,
I am trying to set up an alert to search for exact word patterns in
/var/log/messages.  For example: "Out of Memory"

Any help would be appreciated.

Thanks,
Camelia

 



-- 
Disclaimer:  1) all opinions are my own, 2) I may be completely wrong,
3) my advice is worth at least as much as what you are paying for it, or
your money cheerfully refunded. 
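
The patterns from this thread, run against constructed log lines. This is an added example, not part of the original messages and not Xymon's own code. It assumes Python's `re` as a stand-in for PCRE, omits the leading `%`, and introduces `TIGHT`, a hypothetical stricter variant that uses `\b` word boundaries.

```python
import re

# Alternation as posted in the thread, minus the leading "%" that tells
# Xymon the string is a regex. Python's re stands in for PCRE here; any
# compile flags Xymon itself applies are not modelled (assumption).
POSTED = (r"failure*|failed*|error*|Warning*|"
          r"session\s+opened\s+for\s+user\s+root*|Out\s+of\s+Memory*")

# Hypothetical tightened variant (not from the thread): \b anchors whole
# words, the trailing "*" is dropped, and \s+ still replaces literal spaces.
TIGHT = (r"\b(?:failure|failed|error|Warning)\b|"
         r"session\s+opened\s+for\s+user\s+root\b|Out\s+of\s+Memory\b")

# Constructed syslog lines, not taken from a real host.
SAMPLE = [
    "Sep 23 09:01:12 web1 sshd[411]: pam_unix(sshd:session): "
    "session opened for user root by (uid=0)",
    "Sep 23 09:01:40 web1 sshd[419]: pam_unix(sshd:session): "
    "session opened for user rooney by (uid=0)",
    "Sep 23 09:02:03 web1 kernel: Out  of Memory: Killed process 2211 (httpd)",
    "Sep 23 09:02:30 web1 named[88]: zone ferro.example/IN: loaded serial 3",
    "Sep 23 09:03:00 web1 app[77]: error: disk quota exceeded",
]


def matching_lines(pattern, lines):
    """Indexes of the lines the pattern matches anywhere (unanchored search)."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def overmatches(loose, tight, lines):
    """Lines flagged by the loose pattern but not by the tight one."""
    tight_hits = set(matching_lines(tight, lines))
    return [lines[i] for i in matching_lines(loose, lines) if i not in tight_hits]


if __name__ == "__main__":
    # "root*" is "roo" plus zero or more "t", so it also fires on "rooney";
    # "error*" is "erro" plus zero or more "r", so it fires on "ferro".
    for line in overmatches(POSTED, TIGHT, SAMPLE):
        print("posted pattern only:", line)
```

Both patterns still match the double-spaced "Out  of Memory" line, which is the point of using `\s+` instead of a single space.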


