[hobbit] Limited amount of log data
Hubbard, Greg L
greg.hubbard at eds.com
Fri Mar 6 17:31:44 CET 2009
Ken,
My *guess* is that "no entries in <log file>" means that no entries were
matched using your rules. If you have no rules (no LOG definitions)
then nothing will match. Just below you should see a link to the full
log file, and it should contain about 30 minutes of data in it.
This is a bit tricky to set up since you cannot set it up in one place.
If I remember it correctly, you have to do this:
1) on each server that you want to enable the msg function, do whatever
it takes to enable the Hobbit client to read each log file that you want
to watch.
2) on the Hobbit server, you need to enable the client to monitor each
log file. You do this in the client-local.cfg file. This file can be
tricky because it is set up to let you assign actions to "classes", but
I find it easier to configure each host one by one, even if it means
some copy-paste.
3) on the Hobbit server, you need to define alerts for log file
messages. You do this in the hobbit-clients.cfg file, using the LOG
directive. Once again, I create a group for each host. What you are
doing is telling Xymon that host--logfile--stringmatch = color.
4) on the Hobbit server, you need to define alert notification rules (if
you want them) for the host, or the test (msg), or the color. Note that
ANY match in a 30 minute slice of a log file will trigger a color
change, and that the overall color will match the most severe match
(e.g. one red trumps 20 yellows, etc.).
It takes a couple of poll cycles before the Hobbit client will pick up
any changes that you make in the client-local.cfg file.
Setting up the LOG alerts requires some fiddling -- it is good to study
the man page for the file, and to pick a single host that you can use
for experimentation.
You might search the archive -- particularly for any messages from Henrik
about this feature, since he has had to set us all straight a few times.
Many people have had trouble creating PCRE expressions that would do
what they wanted.
Good luck!
GLH
-----Original Message-----
From: ken.schweiker at faa.gov [mailto:ken.schweiker at faa.gov]
Sent: Friday, March 06, 2009 9:46 AM
To: hobbit at hswn.dk
Subject: RE: [hobbit] Limited amount of log data
Thanks for the reply. I did read it. Took me all over trying to find
that little gem. Is there a Hobbit for Dummies book yet? But, without
going through all that again where can I find the settings to change
this? Also, about the screen shot below about no log entries in
var/log/messages. Is that normal? Will that go away if I filter log
messages? Thanks again.
From: "Hubbard, Greg L" <greg.hubbard at eds.com>
Sent: 03/05/2009 05:36 PM
To: <hobbit at hswn.dk>
Subject: RE: [hobbit] Limited amount of log data
Please respond to hobbit at hswn.dk
The design of the log watching system is to scan a subset of a log for
"bad" things and update the status dot. If it did not have a rolling
"time window" then the status dot would never change after something
ugly got put in the log file. And then the process of reading the log
file (and pumping it to the server) would get slower and slower as the
log file grows. This feature is not designed for log management, but
for helping you watch for things that might appear in the logs on each
host that might require your attention.
You might want to read the documentation -- you have to configure the
rules that define what "bad" means.
GLH
-----Original Message-----
From: ken.schweiker at faa.gov [mailto:ken.schweiker at faa.gov]
Sent: Thursday, March 05, 2009 4:07 PM
To: hobbit at hswn.dk
Subject: [hobbit] Limited amount of log data
Hi,
Trying to set up xymon to capture log data. Once I changed the
permission on the var/log/message file, I got -some- data. I am taking
the defaults with xymon 4.2.3. It might appear that I only get to see the
last 30 minutes of log data. Can this be increased?
Second, why does it say No entries in /var/log/messages?
Thanks.
System logs at Thu Mar 5 17:03:20 EST 2009
No entries in /var/log/messages
Full log /var/log/messages
Mar 5 16:56:00 tcdcpega syslog-ng[1494]: STATS: dropped 0
To unsubscribe from the hobbit list, send an e-mail to
hobbit-unsubscribe at hswn.dk
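A way to try patterns against sample lines before writing them into LOG rules, as an added example that is not part of the original thread and is not Xymon code. It models the behaviour described in the reply above (any match inside a 30 minute slice changes the color, and the most severe match wins); the rule list, host name and log lines are constructed, the window is approximated from syslog timestamps, and Python's `re` stands in for PCRE.

```python
import re
from datetime import datetime, timedelta

SEVERITY = {"green": 0, "yellow": 1, "red": 2}
WINDOW = timedelta(minutes=30)  # the "30 minute slice" from the message

# Hypothetical rules in the host--logfile--stringmatch = color shape.
RULES = [
    ("host1", "/var/log/messages", re.compile(r"(?i)\bI/O error\b"), "red"),
    ("host1", "/var/log/messages", re.compile(r"(?i)authentication failure"), "yellow"),
]

# Constructed syslog lines, not taken from a real host.
SAMPLE = """\
Mar  5 16:20:11 host1 sshd[811]: pam_unix(sshd:auth): authentication failure; user=root
Mar  5 16:41:02 host1 sshd[812]: pam_unix(sshd:auth): authentication failure; user=root
Mar  5 16:50:47 host1 kernel: end_request: I/O error, dev sda, sector 1234
Mar  5 16:56:00 host1 syslog-ng[1494]: STATS: dropped 0
"""


def parse_ts(line, year):
    """Syslog lines carry no year, so the caller supplies one."""
    month, day, clock = line.split()[:3]
    return datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")


def evaluate(text, host, logfile, now):
    """Return (color, hits) for lines stamped within WINDOW before `now`."""
    color, hits = "green", []
    for line in filter(str.strip, text.splitlines()):
        if not (now - WINDOW <= parse_ts(line, now.year) <= now):
            continue  # outside the rolling window, so it cannot affect the color
        for rule_host, rule_file, pattern, rule_color in RULES:
            if (rule_host, rule_file) == (host, logfile) and pattern.search(line):
                hits.append((rule_color, line))
                # One red trumps any number of yellows.
                color = max(color, rule_color, key=SEVERITY.get)
    return color, hits


if __name__ == "__main__":
    now = datetime(2009, 3, 5, 17, 3, 20)
    color, hits = evaluate(SAMPLE, "host1", "/var/log/messages", now)
    print(color)
    for rule_color, line in hits:
        print(f"  {rule_color}: {line}")
```

With no rules defined for a host the result is always green with no hits, which corresponds to the "No entries" situation discussed in the thread.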