[Xymon] "msgs" alerts, sending 10240 bytes and line-buffering
Greg Earle
earle at isolar.DynDNS.ORG
Tue Aug 25 00:11:35 CEST 2015
I'm having an issue on my Solaris clients running an older Xymon 4.3.12.
(I have a test build of 4.3.21 waiting in the wings.)
We constantly get scanned by our IT Security people, resulting in
"/var/adm/messages" entries like
Aug 24 09:23:39 myorgsun6 nrpe[15035]: [ID 808958 daemon.warning] refused \
connect from itsecurity-scanner.my.do.main (access denied)
I put an IGNORE entry into "analysis.cfg" to ignore any lines with
"itsecurity-scanner.my.do.main" but I keep getting them - they often look
like this:
--
red Mon Aug 24 09:55:37 PDT 2015 - Log files NOT ok
&red Critical entries in <a href="/xymon-cgi/svcstatus.sh?CLIENT=myorgsun6&SECTION=msgs:/var/adm/messages">/var/adm/messages</a>
&red ess denied)
--
As you can see the "messages" entry has been clipped off leading to the
raw "denied" string which triggered the alert. It's random - sometimes
it's clipped down to "do.main access denied", for example.
I'm using a bog-standard
[sunos]
log:/var/adm/messages:10240
entry in client-local.cfg.
My theory is that by sending 10240 bytes of the "messages" file across,
it leaves things open to the possibility of sending "clipped" lines -
leading to partial lines that avoid my IGNORE string as a result.
Am I correct?
Is there anything in the newer releases that addresses this?
- Greg
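
The clipping described in the theory above, reproduced outside Xymon as an added example (not code from the post or from the Xymon project, and it makes no claim about how Xymon itself reads the file). TRIGGER, IGNORE, CLIP and the helper names are hypothetical, and the log data is constructed from the line quoted in the post. It shows a fixed byte window starting mid-line, the fragment escaping the ignore pattern, and the same window with the leading partial line dropped.

```python
import re

# Constructed sample data: SCAN is the line quoted in the post,
# REAL is an invented entry that should still raise an alert.
SCAN = ("Aug 24 09:23:39 myorgsun6 nrpe[15035]: [ID 808958 daemon.warning] "
        "refused connect from itsecurity-scanner.my.do.main (access denied)\n")
REAL = "Aug 24 09:24:01 myorgsun6 su: [ID 366847 auth.warning] access denied for bob\n"
LOG = (SCAN * 3 + REAL).encode()

# Hypothetical stand-ins for the alert trigger and the IGNORE rule.
TRIGGER = re.compile(r"denied")
IGNORE = re.compile(r"itsecurity-scanner\.my\.do\.main")

# Window size chosen so the cut lands inside "(access denied)".
CLIP = len(REAL) + len("ess denied)\n")


def tail_bytes(data, max_bytes):
    """Naive window: the last max_bytes bytes, which may begin mid-line."""
    return data[-max_bytes:] if len(data) > max_bytes else data


def tail_whole_lines(data, max_bytes):
    """Same window, but a leading partial line is discarded."""
    if len(data) <= max_bytes:
        return data
    start = len(data) - max_bytes
    window = data[start:]
    if data[start - 1:start] == b"\n":
        return window                      # cut fell exactly on a line boundary
    nl = window.find(b"\n")
    return window[nl + 1:] if nl != -1 else b""


def alerts(window):
    """Lines that match the trigger and are not covered by the ignore rule."""
    lines = window.decode(errors="replace").splitlines()
    return [l for l in lines if TRIGGER.search(l) and not IGNORE.search(l)]


if __name__ == "__main__":
    print("byte window :", alerts(tail_bytes(LOG, CLIP)))
    print("whole lines :", alerts(tail_whole_lines(LOG, CLIP)))
```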