- I don't use HOST= in my working PORT tracking. I agree with Greg on doing it via the RegExp itself.
- minor thing: not so sure TRACK= can take all numeric or not.
- I believe your RegExp needs (). Mine goes like below. I have PORT column show and alerts generated, plus RRD graph for counting of TIME_WAIT connections to
PORT LOCAL=%([.:]3306)$ STATE=TIME_WAIT MIN=0 MAX=10000 COL=yellow TRACK=db_TimeWait TEXT=db_TimeWait
On 8/31/06, Hubbard, Greg L <greg.hubbard at eds.com> wrote:
We will have to see what Henrik says -- you may be a little more efficient than the syntax permits.
-----Original Message-----
From: Gary B. [mailto:gmbfly98 at gmail.com]
Sent: Thursday, August 31, 2006 10:07 AM
To: hobbit at hswn.dk
Subject: Re: [hobbit] "ports" RRD graph not showing up
I don't think there is a "HOST=" tag for the PORT command. Maybe you meant "TEXT="?
If you are trying to restrict the count to certain hosts, then you have to add their IP to the LOCAL=<regex> (or REMOTE=<regex>) portion of the PORT command.
GLH
The section those tests are under is for a regex of multiple hosts. The "HOST=" tag in the copy/paste I provided is to test for those ports on only one host.
-----Original Message-----
From: Gary B. [mailto:gmbfly98 at gmail.com]
Sent: Thursday, August 31, 2006 9:44 AM
To: hobbit at hswn.dk
Subject: [hobbit] "ports" RRD graph not showing up
I'm running Hobbit 4.2.0 and just added a PORTS section for one of my hosts. It looks like the server is checking the ports correctly, but the RRD graph isn't showing up, even with the TRACK statement.
PORT LOCAL=%[.:]4001$ STATE=LISTEN HOST=<hostname>
PORT LOCAL=%[.:]5001$ STATE=LISTEN HOST=<hostname>
PORT LOCAL=%[.:]5002$ STATE=LISTEN HOST=<hostname>
PORT LOCAL=%[.:]4001$ STATE=ESTABLISHED TRACK=4001HOST=<hostname>
PORT LOCAL=%[.:]5001$ STATE=ESTABLISHED TRACK=5001 HOST=<hostname>
PORT LOCAL=%[.:]5002$ STATE=ESTABLISHED TRACK=5002 HOST=<hostname>
I don't see anything of interest in the client or server logs. Any ideas?
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk