[Xymon] Force logfetch to only process complete lines?

Larry Bonham larry at fni-stl.com
Tue Feb 27 00:28:04 CET 2018


RHEL 6.9 and RHEL 7.4
Xymon v4.3.28

This may be documented somewhere and I'm just not able to find it.  But is there a way to force logfetch to only scan complete lines and discard any partials it might retrieve based on the MAXCHECK setting?

I've been getting quite a few alerts on highly active systems where the offending line would normally be excluded due to the first part of a search that is missing.

A simple example, I want to ignore the alert triggers for /var/log/messages where the system name is test-system and :\sheader\ssubject: is also in the line.  Since test-system comes right after the date/time stamp, that causes the ignore check to not work if test-system is not retrieved by logfetch.

analysis.cfg

# Red alert on CRITICAL or ERROR or SERIOUS (with exceptions)
LOG %.*  %(?-i)CRITICAL|ERROR|SERIOUS COLOR=red IGNORE=%(?-i)test-system.*:\sheader\ssubject:

I've tried adjusting the MAXCHECK setting but it didn't make a difference one way or the other.

client-local.cfg

log:/var/log/messages:10240             # 10KB default
log:/var/log/messages:1024000         # 1MB

Thanks.
=========================================================

Larry D. Bonham

Financial Network Inc.
10401-F Baur
Olivette, MO 63132

(314) 400-9412 voice
(314) 997-5647 fax
=========================================================


________________________________

CONFIDENTIALITY NOTICE:
This electronic mail message is intended exclusively for
recipient to which it is addressed. The contents of this message
and any attachments may contain confidential and privileged
information. Any unauthorized review, use, print, storage, copy,
disclosure or distribution is strictly prohibited. If you have
received this message in error, please advise the sender
immediately by replying to the message's sender and delete all
copies of this message and its attachments without disclosing
the contents to anyone, or using the contents for any purpose.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20180226/81988721/attachment.html>


More information about the Xymon mailing list