From: earle@isolar.DynDNS.ORG
To: xymon@xymon.com
Subject: [Xymon] "msgs" alerts, sending 10240 bytes and line-buffering
Date: Mon, 24 Aug 2015 15:11:35 -0700
Message-ID: <9F706DBD-7EA1-47CE-891E-BF09560FFAA3@isolar.DynDNS.ORG>

I'm having an issue on my Solaris clients running an older Xymon 4.3.12.
(I have a test build of 4.3.21 waiting in the wings.)

We constantly get scanned by our IT Security people, resulting in
"/var/adm/messages" entries like

Aug 24 09:23:39 myorgsun6 nrpe[15035]: [ID 808958 daemon.warning] refused \
  connect from itsecurity-scanner.my.do.main (access denied)

I put an IGNORE entry into "analysis.cfg" to ignore any lines with
"itsecurity-scanner.my.do.main" but I keep getting them - they often look
like this:

--
red Mon Aug 24 09:55:37 PDT 2015 - Log files NOT ok

&red Critical entries in /var/adm/messages
&red ess denied)
--

As you can see the "messages" entry has been clipped off leading to the
raw "denied" string which triggered the alert.  It's random - sometimes
it's clipped down to "do.main access denied", for example.

I'm using a bog-standard

[sunos]
log:/var/adm/messages:10240

entry in client-local.cfg.

My theory is that by sending 10240 bytes of the "messages" file across,
it leaves things open to the possibility of sending "clipped" lines -
leading to partial lines that avoid my IGNORE string as a result.

Am I correct?

Is there anything in the newer releases that addresses this?

        - Greg


From: jlaidman@rebel-it.com.au
To: xymon@xymon.com
Subject: [Xymon] "msgs" alerts, sending 10240 bytes and line-buffering
Date: Tue, 25 Aug 2015 13:13:28 +1000
In-Reply-To: <9F706DBD-7EA1-47CE-891E-BF09560FFAA3@isolar.DynDNS.ORG>

Greg

You might be right that the message is being clipped.  If so, you should
see Xymon log messages to that effect.

Perhaps add the IGNORE clause to the client-local.cfg message instead.
This will cause the messages to be dropped at the client side.  Not only
can you forget about these messages on the Xymon server, but also you're
less likely to have a clipped message.  Like so:

[sunos]
log:/var/adm/messages:10240
ignore refused connect from itsecurity-scanner.my.do.main

You could also increase the maximum from 10240.

Cheers
Jeremy

On 25 August 2015 at 08:11, Greg Earle wrote:

> I'm having an issue on my Solaris clients running an older Xymon 4.3.12.
> (I have a test build of 4.3.21 waiting in the wings.)
>
> We constantly get scanned by our IT Security people, resulting in
> "/var/adm/messages" entries like
>
> Aug 24 09:23:39 myorgsun6 nrpe[15035]: [ID 808958 daemon.warning] refused \
>   connect from itsecurity-scanner.my.do.main (access denied)
>
> I put an IGNORE entry into "analysis.cfg" to ignore any lines with
> "itsecurity-scanner.my.do.main" but I keep getting them - they often look
> like this:
>
> --
> red Mon Aug 24 09:55:37 PDT 2015 - Log files NOT ok
>
> &red Critical entries in /var/adm/messages
> &red ess denied)
> --
>
> As you can see the "messages" entry has been clipped off leading to the
> raw "denied" string which triggered the alert.  It's random - sometimes
> it's clipped down to "do.main access denied", for example.
>
> I'm using a bog-standard
>
> [sunos]
> log:/var/adm/messages:10240
>
> entry in client-local.cfg.
>
> My theory is that by sending 10240 bytes of the "messages" file across,
> it leaves things open to the possibility of sending "clipped" lines -
> leading to partial lines that avoid my IGNORE string as a result.
>
> Am I correct?
>
> Is there anything in the newer releases that addresses this?
>
>         - Greg
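
Added example, not part of the thread and not Xymon's code: a Python model of the theory discussed above, in which a fixed-size byte tail that starts mid-line loses the ignore string but keeps "denied", next to a tail that drops the leading partial line. The log content is constructed from the entry quoted in the thread, and all function names are hypothetical.

```python
import re

IGNORE = re.compile(r"itsecurity-scanner\.my\.do\.main")  # ignore string from the thread
TRIGGER = re.compile(r"denied")                           # string that raised the alert

# Constructed sample: the /var/adm/messages entry from the thread, repeated.
LINE = ("Aug 24 09:23:39 myorgsun6 nrpe[15035]: [ID 808958 daemon.warning] "
        "refused connect from itsecurity-scanner.my.do.main (access denied)\n")
LOG = (LINE * 200).encode()


def tail_bytes(data, max_bytes):
    """Naive tail: the last max_bytes bytes, which may begin mid-line."""
    return data[-max_bytes:]


def tail_whole_lines(data, max_bytes):
    """Tail of at most max_bytes that never begins with a partial line."""
    if len(data) <= max_bytes:
        return data
    chunk = data[-max_bytes:]
    if data[-max_bytes - 1:-max_bytes] == b"\n":
        return chunk                      # cut landed exactly on a line boundary
    nl = chunk.find(b"\n")
    return chunk[nl + 1:] if nl != -1 else b""


def alerts(chunk):
    """Lines that match TRIGGER and are not suppressed by IGNORE."""
    lines = chunk.decode(errors="replace").splitlines()
    return [l for l in lines if not IGNORE.search(l) and TRIGGER.search(l)]


def leaky_cut_count(line):
    """Number of mid-line cut positions whose fragment still raises an alert."""
    return sum(1 for k in range(1, len(line)) if alerts(line[k:].encode()))


if __name__ == "__main__":
    cut = len(b"ess denied)\n") + 3 * len(LINE)   # cut chosen to land inside "(access"
    print("naive tail alerts:     ", alerts(tail_bytes(LOG, cut)))
    print("whole-line tail alerts:", alerts(tail_whole_lines(LOG, cut)))
    print("leaky cut positions:   ", leaky_cut_count(LINE), "of", len(LINE))
```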