[hobbit] hobbit-alerts problem

Dominique Frise Dominique.Frise at unil.ch
Fri Jan 12 08:16:13 CET 2007 

Charles Jones wrote:
> I am again being bitten by regex problems.  I am able to reproduce it 
> with the following entries in hobbit-alerts.cfg:
> 
> $IGNORE_HOSTS=%prod-web-(1|2|3|4|9|10|11)$
> HOST=$IGNORE_HOSTS service=*
> IGNORE
> 
> If I then check the "info" column of a host that is *not* supposed to be 
> ignored, such as prod-web-12. It shows that it is indeed ignored. This 
> is a serious problem as I have already missed alerts for some production 
> hosts because of this problem.
> 
> According to pcretest (Henriks recommended method of testing a Hobbit 
> regex), there is nothing wrong with the regular expression that I am using:
> $ pcretest
> PCRE version 6.6 06-Feb-2006
> re> /prod-web-(1|2|3|4|9|10|11)$/
> data> prod-web-12    (*correctly not matching*)
> No match
> data> prod-web-19  (*correctly not matching*)
> No match
> data> prod-web-10 (*correctly matching*)
>  0: prod-web-10
>  1: 10
> 
>  From the above tests you can see that prod-web-12 does not match the 
> regex when using pcretest, yet Hobbit is matching it for some reason. A 
> possible work-around could be to not use a regex at all, such as 
> $IGNORE_HOSTS=prod-web-1,prod-web-2,prod-web-3... but that is not really 
> a solution if you have hundreds of hosts, and my main point is that 
> regular expressions are not working as they are documented.
> 
> I've also tried other undocumented ways of using the regex, including:
> 
> No hosts matched at all
> $IGNORE_HOSTS=%prod-web-(1|2|3|4|9|10|11)$
> HOST="IGNORE_HOSTS"
> 
> No hosts matched at all
> $IGNORE_HOSTS="%prod-web-(1|2|3|4|9|10|11)$"
> HOST=$IGNORE_HOSTS
> 
> All hosts match (both web-12 and web-11)
> $IGNORE_HOSTS=prod-web-(1|2|3|4|9|10|11)$
> HOST=%$IGNORE_HOSTS
> 
> If anyone else can verify or reproduce this, it would be helpful in at 
> least convincing Henrik to add it to the list of things to fix in the 
> next version. I honestly hope that it's not a problem with Hobbit and 
> instead something I am doing wrong - if so please enlighten me.
> 
> -Charles
> 

I tried your config. and, yes, I have same strange behaviour.
We are running Hobbit 4.2.0 patched on Solaris 9.

$ pcretest
PCRE version 4.5 01-December-2003

   re> /prod-web-(1|2|3|4|9|10|11)$/
data> prod-web-12
No match
data> prod-web-19
No match
data> prod-web-10
  0: prod-web-10
  1: 10

The column info and the rule tests below show that both prod-web-10 and 
prod-web-12 are ignored but not prod-web-8.

$ ./hobbitd_alert --test "prod-web-10" conn
00015495 2007-01-12 07:52:45 send_alert prod-web-10:conn state Paging
00015495 2007-01-12 07:52:45 Matching host:service:page 
'prod-web-10:conn:acadSys' against rule line 200
00015495 2007-01-12 07:52:45 *** Match with 'HOST=$IGNORE_HOSTS service=*' ***
00015495 2007-01-12 07:52:45 Matching host:service:page 
'prod-web-10:conn:acadSys' against rule line 200
00015495 2007-01-12 07:52:45 *** Match with 'HOST=$IGNORE_HOSTS service=*' ***
00015495 2007-01-12 07:52:45 IGNORE rule found


$ ./hobbitd_alert --test "prod-web-12" conn
00016778 2007-01-12 07:58:50 send_alert prod-web-12:conn state Paging
00016778 2007-01-12 07:58:50 Matching host:service:page 
'prod-web-12:conn:acadSys' against rule line 200
00016778 2007-01-12 07:58:50 *** Match with 'HOST=$IGNORE_HOSTS service=*' ***
00016778 2007-01-12 07:58:50 Matching host:service:page 
'prod-web-12:conn:acadSys' against rule line 200
00016778 2007-01-12 07:58:50 *** Match with 'HOST=$IGNORE_HOSTS service=*' ***
00016778 2007-01-12 07:58:50 IGNORE rule found


$ ./hobbitd_alert --test "prod-web-8" conn
00016921 2007-01-12 07:59:50 send_alert prod-web-8:conn state Paging
00016921 2007-01-12 07:59:50 Matching host:service:page 
'prod-web-8:conn:acadSys' against rule line 200
00016921 2007-01-12 07:59:50 Failed 'HOST=$IGNORE_HOSTS service=*' (hostname 
not in include list)
...
...


Dominique
UNIL - University of Lausanne_

More information about the Xymon mailing list