Please can someone help me regarding the precedence of rules in analysis.cfg?
analysis.cfg example to illustrate my questions:
#-----------------------------------------------------------
HOST=Win32Server
    DISK C 85 90
DEFAULT
    DISK * 90 95
CLASS=win32
    DISK C 80 90
    LOG %.* %error COLOR=yellow
    LOG eventlog:Application %warning COLOR=yellow IGNORE="%warning .* Symantec AntiVirus .* Could not scan .* files inside .* due to extraction errors encountered by the Decomposer Engines\.Application has encountered an error"
#-----------------------------------------------------------
Assumption: Host 'Win32Server' is a CLASS=win32 server running in central mode
DISK questions:
Does Win32Server's C disk go yellow at 85, 90 or 95%?
Is this because of the ORDER of the applying rules (first HOST, then DEFAULT, then CLASS) or is it because HOST is more specific than CLASS and CLASS is more specific than DEFAULT?
Does Xymon at all try to find further possibly matching DISK rules after the first matching rule - underneath HOST in this example - has been encountered?
LOG questions:
If an eventlog message happens to match the 1st of the above listed LOG rules (because it contains 'error'), will the second rule be evaluated at all?
And if the 2nd rule should get evaluated, which of the 2 rules would take precedence? (Assuming both rules logically match, but have conflicting effects because of the IGNORE, i.e. a line that matches the IGNORE and hence also has the word 'error' in it.) Will it be ignored, because the 2nd rule applies? Or will it show yellow, because the 1st rule applies? And why is this so?
The answers to the 2 prior questions will probably already have answered this one: Should specific LOG rules appear before or after the more general ones to give the first match precedence?
Many thanks,
Jürgen