[Xymon] Bug, Error or my mistake in Xymon 4.3.11, analysis.cfg, LOG Statement???

Becker Christian christian.becker at rhein-zeitung.net
Thu Dec 18 10:12:41 CET 2014 

Hello all,

this seems like a big text, but it might be a short reading and understanding.....



I'm wondering if the following is either a bug, a config  error or my missunderstanding.

We are running Xymon 4.3.11. We have a couple of Linux servers running several distributions of Linux OS, but all containing Xymon 4.3.11 and above; installed as client.
On our Xymon server, we have the following DEFAULT section in analysis.cfg:

DEFAULT
# These are the built-in defaults.
        UP      3
        CLOCK   60
        LOAD    5.0 10.0
        DISK    * 90 95
        MEMPHYS 100 101
        MEMSWAP 80 90
        MEMACT  90 97
        FILE    /var/log/ntp SIZE>0
        FILE    %/var/(adm|log)/messages
        LOG     %/var/(adm|log)/messages WARNING IGNORE=%(smbd|STORVSC:*.WARNING\!|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=yellow
        LOG     %/var/(adm|log)/messages %(I/O|read).error IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt) COLOR=red
        LOG     %/var/(adm|log)/messages ERROR IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red
        LOG     %/var/(adm|log)/messages FAIL IGNORE=%(smbd|Connection.reset.by.peer|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport|NT_STATUS_LOGON_FAILURE|LOGIN) COLOR=red
        LOG     %/var/(adm|log)/messages CRITICAL IGNORE=%(smbd|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red


(I don't want to dicuss about the sense or the absurdity of the configured IGNORE statements here; let's simply say they are OK for us.... Shouldn't matter for my question here.....)

As one can read in the man page of analysis.cfg (which is available at https://www.xymon.com/help/manpages/man5/analysis.cfg.5.html ) i've read the following:
Note that Xymon defaults to case-insensitive pattern matching; if that is not what you want, put "(?-i)" between the "%" and the regular expression to turn this off. E.g. "%(?-i)WARNING" will match the word WARNING only when it is upper-case.

We don't have (?-i) in front of our keywords; that should match our keywords regardless of their upper and lower case. So far, so good.

That was my meaning.....

A colleague called me saying that one of our servers had a problem with a openvpn connection. I logged in to the server and inspected /var/log/messages, and I found these lines (I've changed IP's and ports to #):
Dec  1 12:06:18 open-vpn ovpn-server[39555]: ##.##.##.##:##### TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec  1 12:06:18 open-vpn ovpn-server[39555]: ##.##.##.##:##### TLS Error: TLS handshake failed
Dec  1 12:06:18 open-vpn ovpn-server[39555]: ##.##.##.##:##### Fatal TLS error (check_tls_errors_co), restarting
Dec  1 12:06:18 open-vpn ovpn-server[39555]: ##.##.##.##:##### SIGUSR1[soft,tls-error] received, client-instance restarting
Dec  1 12:06:23 open-vpn ovpn-server[39555]: TCP connection established with [AF_INET]##.##.##.##:#####
Dec  1 12:06:24 open-vpn ovpn-server[39555]: ##.##.##.##:##### TLS: Initial packet from [AF_INET]##.##.##.##:#####, sid=######## ########
Dec  1 12:07:06 open-vpn ovpn-server[39555]: ##.##.##.##:##### TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec  1 12:07:06 open-vpn ovpn-server[39555]: ##.##.##.##:##### TLS Error: TLS handshake failed
Dec  1 12:07:06 open-vpn ovpn-server[39555]: ##.##.##.##:##### Fatal TLS error (check_tls_errors_co), restarting
Dec  1 12:07:06 open-vpn ovpn-server[39555]: ##.##.##.##:##### SIGUSR1[soft,tls-error] received, client-instance restarting

As you can see, there are the keywords "Error", "error" and "failed" in these lines. At this time the msgs test of that server was at state green.
This made me think that the statement of the man page of analysis.cfg regarding case-insensitive might be wrong.

I've tested this and inserted this line in the DEFAULT section of analysis.cfg:
        LOG     %/var/(adm|log)/messages Error IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red

After a couple of minutes, the msgs test for that server changed to red.


Did i understand something wrong or miss something? Or is this really a bug?
Do i need to configure my keywords in a different way?


Best regards
Christian


Christian Becker
IT-Services

Christian.Becker at rhein-zeitung.net<mailto:Christian.Becker at rhein-zeitung.net>
_________________________________
Mittelrhein-Verlag GmbH
August-Horch-Straße 28
D-56070 Koblenz
Verleger und Geschäftsführer: Walterpeter Twer
Reg.-Gericht Koblenz HRB 121
Finanzamt Koblenz Str.Nr. 22 65 10 285 2
www.rhein-zeitung.de<http://www.rhein-zeitung.de/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20141218/91ec65a7/attachment.html>

More information about the Xymon mailing list