[Xymon] monitoring contents of a logfile with a daily changing filename
Mike Burger
mburger at bubbanfriends.org
Fri Aug 17 19:37:36 CEST 2018
Thank you for correcting my understanding...I appreciate it.
On 2018-08-17 12:58, EDSchminke at Hormel.com wrote:
> Hang on. That's not entirely correct. Xymon does not look at "the last
> SIZE bytes of the log file". Through a coincidence, it might.. but
> that's what it does. The rules that govern what gets returned are a
> little more complicated, but important to understand to avoid tearing
> out all your hair while troubleshooting.
>
> The SIZE component of the LOG entry only specifies the maximum amount
> of data to send back to the server. The logfetch program on the client
> side will take the last 30 minutes (kinda) of the file into
> consideration for what it sends back. An IGNORE rule removes lines
> from consideration (will not be sent, will not count against the max
> SIZE). Then, TRIGGER rules will send all matched lines even if it
> exceeds max SIZE. If what was found by any TRIGGER rules is less than
> max SIZE, it will include the difference from any remaining lines, up
> to the max SIZE. Still, only the last 30 minutes (kinda) are
> considered.
>
> I say kinda, because the logfetch program works like this. Every time
> the logfetch program checks a log file, it takes note of the current
> size of the log file. It keeps track of this in the STATUSFILE. (See
> logfetch manpage). Each line of the STATUSFILE lists the log files
> it's watching followed by a "queue" of numbers. Those numbers
> represent the size of the log file at the last 6 times it was checked.
> Every time logfetch runs, it unshifts the current size of the log file
> onto the front of the queue and pops the last number off the end of
> the queue. Then, logfetch opens the log file, seeks to the byte number
> that it popped off the queue, and reads to the end of file. So,
> logfetch returns the last "6 * check interval" minutes worth of
> entries in the log. Check interval is USUALLY 5 minutes, hence the 30
> minutes.
>
> If it's not returning what you're expecting to get back from the logs,
> it's most likely due to how logfetch only concerns itself with that
> "last 6 checks" worth of the log.
--
Mike Burger
http://www.bubbanfriends.org
"It's always suicide-mission this, save-the-planet that. No one ever
just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1
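
A simplified model of the selection rules described in the quoted message, added here as an example; it is not Xymon's logfetch code and not part of the original thread. The names `fetch` and `simulate`, the all-zero starting queue, rereading from offset 0 when the file has shrunk, and filling spare room with the newest lines are assumptions of this model.

```python
import re
from collections import deque

QUEUE_LEN = 6  # past file sizes remembered per log file


def fetch(data, queue, max_size, ignore=None, trigger=None):
    """One modelled run over `data` (the whole file as bytes).

    `queue` holds the sizes seen at the last six runs, newest first.
    Returns (payload, start_offset).
    """
    queue.appendleft(len(data))        # unshift the current size
    start = queue.pop()                # size recorded six runs ago
    if start > len(data):              # assumption: file shrank (rotated),
        start = 0                      # so read it from the beginning
    lines = data[start:].splitlines(keepends=True)
    if ignore:                         # IGNORE: dropped and never counted
        lines = [l for l in lines if not re.search(ignore, l)]
    keep = [bool(trigger and re.search(trigger, l)) for l in lines]
    # TRIGGER lines always go out, even when they exceed max_size.
    budget = max_size - sum(len(l) for l, k in zip(lines, keep) if k)
    # Assumption: room left under max_size is filled with the newest lines.
    for i in range(len(lines) - 1, -1, -1):
        if keep[i]:
            continue
        if len(lines[i]) > budget:
            break
        keep[i] = True
        budget -= len(lines[i])
    return b"".join(l for l, k in zip(lines, keep) if k), start


def simulate(runs=8, max_size=30):
    """Constructed log: one INFO line per run, plus an ERROR during run 1."""
    queue, data, results = deque([0] * QUEUE_LEN), b"", []
    for n in range(runs):
        data += b"run%d INFO ok\n" % n
        if n == 1:
            data += b"run1 ERROR disk full\n"
        results.append(fetch(data, queue, max_size, trigger=rb"ERROR"))
    return results


if __name__ == "__main__":
    for n, (payload, start) in enumerate(simulate()):
        print(n, start, payload)
```

In the constructed run, the ERROR line is returned on runs 1 through 6 and disappears on run 7, when the offset popped from the queue has moved past it, even though it still matches the TRIGGER pattern.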