[Xymon] monitoring contents of a logfile with a daily changing filename

EDSchminke at Hormel.com EDSchminke at Hormel.com
Fri Aug 17 18:58:40 CEST 2018

Hang on.  Thats not entirely correct.  Xymon does not look at "the last
SIZE bytes of the log file".  Through a coincidence, it might.. but that's
what it does.  The rules that govern what gets returned is a little more
complicated, but important to understand to avoid tearing out all your hair
while troubleshooting.

The SIZE component of the LOG entry only specifies the maximum amount of
data to send back to the server.  The logfetch program on the client side
will take the last 30 minutes (kinda) of the file into consideration for
what it sends back.  An IGNORE rule removes lines from consideration (will
not be sent, will not count against the max SIZE).  Then, TRIGGER rules
will send all matched lines even if it exceeds max SIZE.  If what was found
by any TRIGGER rules is less than max SIZE, it will include the difference
from any remaining lines, up to the max SIZE.  Still, only the last 30
minutes (kinda) are considered.

I say kinda, because the logfetch program works like this.  Every time the
logfetch program checks a log file, it takes note of the current size of
the log file.  It keeps track of this in the STATUSFILE.  (See logfetch
manpage).  Each line of the STATUSFILE lists the log files it's watching
followed by a "queue" of numbers.  Those numbers represent the size of the
log file at the last 6 times it was checked.  Every time logfetch runs, it
unshifts the current size of the log file onto the front of the queue and
pops the last number off the end of the queue.  Then, logfetch opens the
log file, seeks to the byte number that it popped off the queue, and reads
to the end of file.  So, log fetch returns the last "6 * check interval"
minutes worth of entries in the log.  Check interval is USUALLY 5 minutes,
hence the 30 minutes.

If it's not returning what you're expecting to get back from the logs, it's
most likely due to how logfetch only concerns itself with that "last 6
checks" worth of the log.

Erik D. Schminke | Associate Systems Programmer
Hormel Foods Corporation | One Hormel Place | Austin, MN 55912
Phone: (507) 434-6817
edschminke at hormel.com | www.hormelfoods.com

More information about the Xymon mailing list