[Xymon] Newbie: some alerts not firing (regexps and wildcards)

David Baldwin david.baldwin at ausport.gov.au
Thu Mar 24 23:41:45 CET 2011


Elizabeth,
> Hm OK I updated the rules, now puzzled about why this one is alerting:
>
> 00020522 2011-03-24 12:53:44 send_alert fiona.e-dialog.com:vmio state Paging
> 00020522 2011-03-24 12:53:44 Matching host:service:page
> 'fiona.example.com:vmio:' against rule line 146
> 00020522 2011-03-24 12:53:44 *** Match with 'HOST=%db* EXHOST=%*dl2*
> SERVICE=vmio' ***
> 00020522 2011-03-24 12:53:44 Matching host:service:page
> 'fiona.e-dialog.com:vmio:' against rule line 147
> 00020522 2011-03-24 12:53:44 *** Match with 'MAIL xymail REPEAT=1d
> RECOVERED' ***
>
> Fiona alerted for vmio and is paging. Fiona does not have the string
> "db" anywhere in its name. (I replaced my company with example but the
> company name doesn't have a db in it either)
>
In regular expressions, '*' is not a wildcard - it means "match the
preceding pattern 0 or more times, so 'db*' matches 'd' followed by any
number of 'b' characters. %db* is not anchored (it can match anywhere),
so at a minimum if there is a single 'd' anywhere in the host name
(including the domain) it will match - in effect the '%db*' is
equivalent to '%d'

The equivalent of a wildcard is '.*' - '.' matches any character, '*'
matches 0 or more times. When the regular expression is not anchored
(i.e. tied to matching at a particular position), '.*' and the start or
end is redundant. If you want to make a pattern fully anchored, use
something like: HOST=%^db.*$
'^' means match from the beginning of the string. '$' matches the end of
the string.
> later on I get
> 00020753 2011-03-24 12:58:09 Matching host:service:page
> 'fiona.example.com:vmio:' against rule line 181
> 00020753 2011-03-24 12:58:09 Failed 'HOST=%*db*' (hostname not in include list)
>
> The regexp is different in that there's a second asterisk, but the
> machines I want to catch do all start with db...
HOST=%*db* isn't a valid regular expression, so it won't match anything.
The first '*' has no preceding pattern. Possibly it might be interpreted
as match a '*' character, which will won't match. If you want to match
any host containing 'db' use HOST=%db (or HOST=%^.*db.*$ as anchored
version). Strictly speaking, if you want to match 'db' in only the host
and not the domain, you could do HOST=%[^.]*db - match from the start of
the string any number of characters that aren't '.' followed by 'db'

Regular expressions are far more powerful than simple wildcards, but the
syntax for simple matches is different.

A rundown on regular expressions is here:
http://en.wikipedia.org/wiki/PCRE
http://perldoc.perl.org/perlre.html

David.

-- 
David Baldwin - IT Unit
Australian Sports Commission          www.ausport.gov.au
Tel 02 62147830 Fax 02 62141830       PO Box 176 Belconnen ACT 2616
david.baldwin at ausport.gov.au          Leverrier Street Bruce ACT 2617


-------------------------------------------------------------------------------------
Keep up to date with what's happening in Australian sport visit http://www.ausport.gov.au

This message is intended for the addressee named and may contain confidential and privileged information. If you are not the intended recipient please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you receive this message in error, please delete it and notify the sender.
-------------------------------------------------------------------------------------



More information about the Xymon mailing list