[Xymon] Force logfetch to only process complete lines?
Larry Bonham
larry at fni-stl.com
Thu May 10 23:32:34 CEST 2018
Third request. I just can't believe that I'm the only one having this problem. It is a fairly frequent occurrence for me. Mainly with higher volume log files.
I simply want to drop any partial lines before they are compared with LOG alert definitions.
Based on the comments in logfetch.c (v4.3.28), the section between 509 and 562 would appear to handle this. But for whatever reason it is not consistently working for me. Maybe I'm overloading the MAXCHECK value and it is just truncating the output? Or I'm misunderstanding what the section is actually doing?
Once again, any help would be appreciated.
Larry B.
From: Larry Bonham
Sent: Monday, March 5, 2018 10:05 AM
To: xymon at xymon.com
Subject: RE: Force logfetch to only process complete lines?
Second request. No one else having this particular problem? Any help would be appreciated. Modifying logfetch.c is pretty much beyond my limited C skills.
Thanks.
Larry B.
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Larry Bonham
Sent: Monday, February 26, 2018 5:28 PM
To: xymon at xymon.com<mailto:xymon at xymon.com>
Subject: [Xymon] Force logfetch to only process complete lines?
RHEL 6.9 and RHEL 7.4
Xymon v4.3.28
This may be documented somewhere and I'm just not able to find it. But is there a way to force logfetch to only scan complete lines and discard any partials it might retrieve based on the MAXCHECK setting?
I've been getting quite a few alerts on highly active systems where the offending line would normally be excluded due to the first part of a search that is missing.
A simple example, I want to ignore the alert triggers for /var/log/messages where the system name is test-system and :\sheader\ssubject: is also in the line. Since test-system comes right after the date/time stamp, that causes the ignore check to not work if test-system is not retrieved by logfetch.
analysis.cfg
# Red alert on CRITICAL or ERROR or SERIOUS (with exceptions)
LOG %.* %(?-i)CRITICAL|ERROR|SERIOUS COLOR=red IGNORE=%(?-i)test-system.*:\sheader\ssubject:
I've tried adjusting the MAXCHECK setting but it didn't make a difference one way or the other.
client-local.cfg
log:/var/log/messages:10240 # 10KB default
log:/var/log/messages:1024000 # 1MB
Thanks.
=========================================================
Larry D. Bonham
Financial Network Inc.
10401-F Baur
Olivette, MO 63132
(314) 400-9412 voice
(314) 997-5647 fax
=========================================================
________________________________
CONFIDENTIALITY NOTICE:
This electronic mail message is intended exclusively for
recipient to which it is addressed. The contents of this message
and any attachments may contain confidential and privileged
information. Any unauthorized review, use, print, storage, copy,
disclosure or distribution is strictly prohibited. If you have
received this message in error, please advise the sender
immediately by replying to the message's sender and delete all
copies of this message and its attachments without disclosing
the contents to anyone, or using the contents for any purpose.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20180510/a0c1d00e/attachment.html>
More information about the Xymon
mailing list