[Xymon] "msgs" alerts, sending 10240 bytes and line-buffering
jlaidman at rebel-it.com.au
Tue Aug 25 05:13:28 CEST 2015
You might be right that the message is being clipped. If so, you should
see Xymon log messages to that effect.
Perhaps add the IGNORE clause to the client-local.cfg message instead.
This will cause the messages to be dropped at the client side. Not only
can you forget about these messages on the Xymon server, but also you're
less likely to have a clipped message. Like so:
ignore refused connect from itsecurity-scanner.my.do.main
You could also increase the maximum from 10240.
On 25 August 2015 at 08:11, Greg Earle <earle at isolar.dyndns.org> wrote:
> I'm having an issue on my Solaris clients running an older Xymon 4.3.12.
> (I have a test build of 4.3.21 waiting in the wings.)
> We constantly get scanned by our IT Security people, resulting in
> "/var/adm/messages" entries like
> Aug 24 09:23:39 myorgsun6 nrpe: [ID 808958 daemon.warning] refused \
> connect from itsecurity-scanner.my.do.main (access denied)
> I put an IGNORE entry into "analysis.cfg" to ignore any lines with
> "itsecurity-scanner.my.do.main" but I keep getting them - they often look
> like this:
> red Mon Aug 24 09:55:37 PDT 2015 - Log files NOT ok
> &red Critical entries in <a
> &red ess denied)
> As you can see the "messages" entry has been clipped off leading to the
> raw "denied" string which triggered the alert. It's random - sometimes
> it's clipped down to "do.main access denied", for example.
> I'm using a bog-standard
> entry in client-local.cfg.
> My theory is that by sending 10240 bytes of the "messages" file across,
> it leaves things open to the possibility of sending "clipped" lines -
> leading to partial lines that avoid my IGNORE string as a result.
> Am I correct?
> Is there anything in the newer releases that addresses this?
> - Greg
> Xymon mailing list
> Xymon at xymon.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Xymon