Thank you for the quick turnaround. I will give it a shot and let you know how it works out. We need it for Citrix and want to make sure no fewer than 5 are logged in to any one machine.
On Tue, Nov 13, 2012 at 11:22 AM, Henrik Størner <henrik at hswn.dk> wrote:
On 13-11-2012 16:05, Ray Reuter wrote:
I need to be able to alert off of the "who" column. An example would be if there were fewer than 5 connections, I would like to be alerted. I know way back in Big Brother days there was a Perl script to do just that, but I am having zero luck finding it now.
First step is to make the "who" status red - if you do that, then you can use the normal alert-rules to send out alerts.
Current Xymon versions allow you to modify the color of an existing status, by sending a "modify" command to xymond. So what I would do was to run a script on the Xymon server which regularly fetches all of the "who" statuses, counts how many users are logged in on each host, and then sends a "modify" status if the maximum is exceeded.
To get all of the "who" statuses, you can use

    xymon 127.0.0.1 "xymondboard test=who fields=hostname,msg"

The output from this command is one line per status, with the hostname, then a '|' delimiter, and then the status-message with new-line changed into '\n'. I'm sure someone with Perl / Python / whatever scripting knowledge could easily turn this into something where you could count the number of lines (one for each user, minus a couple of header-lines), but here's a C program that will do it:
--- cut here ---
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    char buf[4096];
    char *hostname, *msg, *l_start, *l_end;

    /* One input line per host: hostname|msg, newlines in msg encoded as "\n" */
    while (fgets(buf, sizeof(buf), stdin)) {
        int loggedin = 0;

        hostname = strtok(buf, "|");
        msg = strtok(NULL, "\n");
        if (!msg) continue;

        l_start = msg;
        do {
            /* Find the end of the current line inside the status message */
            l_end = strstr(l_start, "\\n");
            if ( (strncmp(l_start, "SESSIONNAME", 11) == 0) ||
                 (strncmp(l_start, ">", 1) == 0) ||
                 (strncmp(l_start, "rdp-tcp", 7) == 0) ||
                 (strncmp(l_start, "console", 7) == 0) ) {
                /* Ignore the line */
            }
            else {
                loggedin++;
            }
            /* Step over the two-character "\n" marker to the next line */
            l_start = l_end ? (l_end + 2) : NULL;
        } while (l_start);

        fprintf(stdout, "%s %d\n", hostname, loggedin);
    }

    return 0;
}
--- cut here ---
Just save this to "whocount.c" and run "gcc -o whocount whocount.c" to compile it. It ignores lines beginning with the texts "SESSIONNAME", ">", "rdp-tcp" or "console" - I think those lines always appear in the "who" status regardless of who is logged in.
When you feed the input from the xymondboard command into this, it should output one line for each host with the hostname and the number of users logged in.
So putting it all together, this script will change the "who" status to red for all hosts where 5 or more users are logged in:
--- cut here ---
#!/bin/sh

LIMIT=5

xymon 127.0.0.1 "xymondboard test=who fields=hostname,msg" | whocount | while read L
do
    set -- $L
    HOSTNAME=$1
    LOGINCOUNT=$2

    if test "$LOGINCOUNT" -gt "$LIMIT"
    then
        # Send the "modify" command to xymond
        xymon 127.0.0.1 "modify $HOSTNAME.who red whomon $LOGINCOUNT users logged in (max is $LIMIT)"
    fi
done

exit 0
--- cut here ---
(assumes the "whocount" utility is in your PATH).
You'd run this as an extra task from tasks.cfg - e.g. every 5 minutes.
Now you have the "who" status going red when too many users are logged in, so alerting is easy - just add
TEST=who COLOR=red MAIL security at example.com
to alerts.cfg .
Regards, Henrik
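
An added example, not part of the original thread and not Henrik's code: the same count done in sh and awk without the compiled helper, extended to also flag hosts that fall below a lower bound. MIN, MAX and the sample status line are assumptions; the ignored line prefixes are the ones from whocount.c above.

```shell
#!/bin/sh
# Added example (not from the thread). MIN and MAX are assumed thresholds.
MIN=5
MAX=20

# stdin: "hostname|msg" lines from xymondboard; stdout: one "modify" command
# for every host whose session count is below $1 or above $2.
who_modify_cmds() {
    awk -v min="$1" -v max="$2" '
    {
        bar = index($0, "|")
        if (bar == 0) next                      # no delimiter: skip the line
        host = substr($0, 1, bar - 1)
        # The hostname ends up inside a command sent to xymond, so accept
        # only plain hostname characters.
        if (host !~ /^[A-Za-z0-9._-]+$/) next
        # xymondboard encodes each newline as the two characters \ and n.
        n = split(substr($0, bar + 1), line, /\\n/)
        count = 0
        for (i = 1; i <= n; i++) {
            if (line[i] == "") continue         # blank line (not in the C version)
            if (line[i] ~ /^(SESSIONNAME|>|rdp-tcp|console)/) continue
            count++
        }
        if (count < min + 0)
            printf "modify %s.who red whomon %d users logged in (min is %d)\n", host, count, min
        else if (count > max + 0)
            printf "modify %s.who red whomon %d users logged in (max is %d)\n", host, count, max
    }'
}

if command -v xymon >/dev/null 2>&1; then
    xymon 127.0.0.1 "xymondboard test=who fields=hostname,msg" |
        who_modify_cmds "$MIN" "$MAX" |
        while read -r cmd; do xymon 127.0.0.1 "$cmd"; done
else
    # No xymon client here: show the commands for a constructed sample status.
    printf '%s\n' 'ctx01|SESSIONNAME USERNAME\n>services\nica-tcp#1 alice\nica-tcp#2 bob' |
        who_modify_cmds "$MIN" "$MAX"
fi
```

Unlike whocount.c, this skips empty lines and drops any input line whose hostname contains characters outside letters, digits, ".", "_" and "-".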