On Wed, April 6, 2016 10:26 am, Scot Kreienkamp wrote:
On Tue, April 5, 2016 8:08 pm, Scot Kreienkamp wrote:
I ran the dump and grep'd for the server name. Here are the matching lines:
PORT local=%([.:]80)$ min=1 color=red TRACK=WWW HOST=innocent2.in.hq,innocent.in.hq TEXT=80-WWW (line: 468)
PORT local=%([.:]55000)$ min=0 color=red TRACK=RPC_Clients HOST=innocent2.in.hq,innocent.in.hq TEXT=55000-RPC Client Access Sessions (line: 469)
SVC MSExchangeADTopology status=started color=red HOST=innocent2.in.hq,innocent.in.hq (line: 470)
SVC MSExchangeIS status=started color=red HOST=innocent2.in.hq,innocent.in.hq (line: 471)
SVC MSExchangeMailboxAssistants status=started color=red HOST=innocent2.in.hq,innocent.in.hq (line: 472)
SVC MSExchangeRPC status=started color=red HOST=innocent2.in.hq,innocent.in.hq (line: 473)
SVC MSExchangeSA status=started color=red HOST=innocent2.in.hq,innocent.in.hq (line: 474)
DISK * 15728640U 10485760U 0 -1 red HOST=innocent2.in.hq,innocent.in.hq (line: 475)
DISK %^(1|2|3|4|5|6|7|8|9|0).* IGNORE HOST=innocent2.in.hq,innocent.in.hq (line: 482)

It appears to be understanding the config correctly, but it's still alerting on the percentage:

M (96% used) has reached the PANIC level (95%)

Filesystem   1K-blocks    Used         Avail     Capacity  Mounted    Label     Summary(Total\Avail GB)
M            2115137532   2032580452   82557080  96%       /FIXED/M:  Ret_Mail  2017.15\78.73

It still might be part of the DEFAULT entry, though. Is the "host" entry listed literally as:
HOST=innocent2.in.hq,innocent.in.hq
...in the config? IIRC, that needs to be a regex. Comma-separated is only used when specifying colors (which aren't evaluated textually).
HTH, -jc
If it's not parsing comma separated HOST= lines then the man pages are wrong. I'll separate it out and see if it makes any difference.
Yikes. That might be a documentation bug. Pretty sure COLOR is all that will be eval'd like that.
Here's the section from the analysis.cfg man page:

HOST=targetstring
    Rule matching a host by the hostname. "targetstring" is either a comma-separated list of hostnames (from the hosts.cfg file), "*" to indicate "all hosts", or a Perl-compatible regular expression. E.g. "HOST=dns.foo.com,www.foo.com" identifies two specific hosts; "HOST=%www.*.foo.com EXHOST=www-test.foo.com" matches all hosts with a name beginning with "www", except the "www-test" host.
It's separated out with only that hostname on a HOST= line by itself. No change in behavior. I waited 4 hours between when I made the change and when I checked the results as I was out all morning, so it has definitely taken effect by now.

PORT local=%([.:]80)$ min=1 color=red TRACK=WWW HOST=innocent.in.hq TEXT=80-WWW (line: 468)
PORT local=%([.:]55000)$ min=0 color=red TRACK=RPC_Clients HOST=innocent.in.hq TEXT=55000-RPC Client Access Sessions (line: 469)
SVC MSExchangeADTopology status=started color=red HOST=innocent.in.hq (line: 470)
SVC MSExchangeIS status=started color=red HOST=innocent.in.hq (line: 471)
SVC MSExchangeMailboxAssistants status=started color=red HOST=innocent.in.hq (line: 472)
SVC MSExchangeRPC status=started color=red HOST=innocent.in.hq (line: 473)
SVC MSExchangeSA status=started color=red HOST=innocent.in.hq (line: 474)
DISK * 15728640U 10485760U 0 -1 red HOST=innocent.in.hq (line: 475)
DISK %^(1|2|3|4|5|6|7|8|9|0).* IGNORE HOST=innocent.in.hq (line: 482)
Any ideas?
Can you grep for DISK on this instead of the host? The config shown *looks* correct to me, which makes me think that it's a different rule being applied still.
When you run with --debug enabled on xymond_client, is there any output on the 'df' evaluation for this host?
-jc
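Two things are at issue in the thread: whether a HOST= target is a comma-separated list or a regex, and which DISK rule xymond_client ends up applying to M:. The toy evaluator below is an added example (my code, not Xymon's, and not from anyone in the thread) that encodes the man-page reading of HOST=/EXHOST= targets and walks DISK rules top to bottom, first match wins, which is how I understand analysis.cfg rule selection. The "U" suffix is treated as an absolute amount of free space in kB, the built-in fallback of 90%/95% and the fs name "M" are assumptions, and the config text and df figures are constructed from what is quoted in the thread. The second sample config puts a broad DISK * rule ahead of the host-specific one to show the "different rule being applied" case jc suspects.

```python
"""Toy evaluator for Xymon analysis.cfg DISK rules (illustration, not Xymon code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed built-in thresholds used when no DISK rule matches. The alert quoted in
# the thread reports a PANIC level of 95%, which is consistent with these.
DEFAULT_WARN, DEFAULT_PANIC = "90", "95"


@dataclass
class DiskRule:
    line: int
    fs: str                      # "*", a literal name, or "%regex"
    warn: Optional[str]          # None for IGNORE rules
    panic: Optional[str]
    hosts: str = "*"             # HOST= target string (default: all hosts)
    exhosts: str = ""            # EXHOST= target string ("" = no exclusions)


def target_matches(target: str, name: str) -> bool:
    """Match a target string the way the analysis.cfg man page describes it:
    '*' matches everything, a leading '%' introduces a regex, and anything else
    is a comma-separated list of literal names (the reading in dispute above)."""
    if target == "*":
        return True
    if target.startswith("%"):
        return re.search(target[1:], name) is not None
    return name in [t.strip() for t in target.split(",") if t.strip()]


def parse_rules(cfg: str) -> List[DiskRule]:
    """Parse DISK lines in the format printed by `xymond_client --dump`."""
    rules = []
    for lineno, raw in enumerate(cfg.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "DISK":
            continue
        rule = DiskRule(line=lineno, fs=fields[1], warn=None, panic=None)
        if fields[2] != "IGNORE":
            rule.warn, rule.panic = fields[2], fields[3]
        # Trailing fields such as "0 -1 red" in the dump output are kept in the
        # line but not evaluated by this toy; only HOST=/EXHOST= are picked up.
        for f in fields[2:]:
            if f.startswith("HOST="):
                rule.hosts = f[len("HOST="):]
            elif f.startswith("EXHOST="):
                rule.exhosts = f[len("EXHOST="):]
        rules.append(rule)
    return rules


def rule_applies(rule: DiskRule, hostname: str, fsname: str) -> bool:
    return (target_matches(rule.fs, fsname)
            and target_matches(rule.hosts, hostname)
            and not (rule.exhosts and target_matches(rule.exhosts, hostname)))


def threshold_color(warn: str, panic: str, size_kb: int, used_kb: int, avail_kb: int) -> str:
    """Percent thresholds compare against used%. A 'U' suffix is read here as an
    absolute amount of free space in kB (assumption; verify against your xymond_client)."""
    if warn.endswith("U"):
        w, p = int(warn[:-1]), int(panic[:-1])
        return "red" if avail_kb < p else "yellow" if avail_kb < w else "green"
    pct = 100.0 * used_kb / size_kb
    w, p = float(warn.rstrip("%")), float(panic.rstrip("%"))
    return "red" if pct >= p else "yellow" if pct >= w else "green"


def evaluate(cfg: str, hostname: str, fsname: str,
             size_kb: int, used_kb: int, avail_kb: int) -> Tuple[str, int]:
    """Return (color, cfg line of the rule that decided it); line 0 = built-in defaults.
    Rules are tried top to bottom and the first one that applies wins (assumption)."""
    for rule in parse_rules(cfg):
        if not rule_applies(rule, hostname, fsname):
            continue
        if rule.warn is None:            # IGNORE: filesystem is not reported on
            return ("ignored", rule.line)
        return (threshold_color(rule.warn, rule.panic, size_kb, used_kb, avail_kb), rule.line)
    return (threshold_color(DEFAULT_WARN, DEFAULT_PANIC, size_kb, used_kb, avail_kb), 0)


# Constructed sample config: the two host-specific DISK rules quoted from the
# dump in the thread (not a real analysis.cfg file).
RULES_FROM_THREAD = """\
DISK * 15728640U 10485760U 0 -1 red HOST=innocent.in.hq
DISK %^(1|2|3|4|5|6|7|8|9|0).* IGNORE HOST=innocent.in.hq
"""
# Same rules with a broad percent-based rule placed ABOVE them (constructed), to
# show an earlier rule claiming the filesystem before the host-specific one.
SHADOWING_RULES = "DISK * 90 95 HOST=*\n" + RULES_FROM_THREAD

# Figures from the df line quoted in the thread for M: on innocent.in.hq.
M_SIZE_KB, M_USED_KB, M_AVAIL_KB = 2115137532, 2032580452, 82557080

if __name__ == "__main__":
    for label, cfg in (("host-specific only", RULES_FROM_THREAD), ("shadowed", SHADOWING_RULES)):
        print(label, evaluate(cfg, "innocent.in.hq", "M", M_SIZE_KB, M_USED_KB, M_AVAIL_KB))
```

With only the host-specific rules, M: has about 78.7 GB free, well above the 10485760U panic level, so the rule at line 1 yields green; with a percent-based rule ahead of it, that earlier rule wins and 96% used goes red, which is why grepping the dump for DISK rather than for the hostname, as jc suggests, is the right next step.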