I'm having an issue on my Solaris clients running an older Xymon 4.3.12. (I have a test build of 4.3.21 waiting in the wings.)
We constantly get scanned by our IT Security people, resulting in "/var/adm/messages" entries like
Aug 24 09:23:39 myorgsun6 nrpe[15035]: [ID 808958 daemon.warning] refused connect from itsecurity-scanner.my.do.main (access denied)
I put an IGNORE entry into "analysis.cfg" to ignore any lines with "itsecurity-scanner.my.do.main" but I keep getting them - they often look like this:
-- red Mon Aug 24 09:55:37 PDT 2015 - Log files NOT ok
&red Critical entries in <a href="/xymon-cgi/svcstatus.sh?CLIENT=myorgsun6&SECTION=msgs:/var/adm/messages">/var/adm/messages</a> &red ess denied)
As you can see, the "messages" entry has been clipped off, leading to the raw "denied" string, which triggered the alert. It's random - sometimes it's clipped down to "do.main access denied", for example.
I'm using a bog-standard
[sunos] log:/var/adm/messages:10240
entry in client-local.cfg.
My theory is that by sending 10240 bytes of the "messages" file across, it leaves things open to the possibility of sending "clipped" lines - leading to partial lines that avoid my IGNORE string as a result.
Am I correct?
Is there anything in the newer releases that addresses this?
- Greg
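As an added example, not part of Greg's post and not Xymon's own code, the following Python script simulates the failure mode the post describes: a size-capped tail of a syslog file that starts mid-line produces a leading fragment which no longer contains the IGNORE string but still contains the word that triggers the alert. The sample log lines are constructed, the trigger words ("denied", "refused"), the IGNORE string and the syslog-prefix check are assumptions for the demonstration, and nothing here claims to reproduce how Xymon's logfetch actually selects the bytes it sends. It also shows two checks a practitioner would want: a line-aware tail that drops the partial first line at the sender, and a receiver-side rule that discards a first line which does not start with a syslog timestamp before pattern matching.

```python
import re

# Constructed sample log in Solaris /var/adm/messages style (not real data).
LINES = [
    b"Aug 24 09:23:38 myorgsun6 sshd[1000]: [ID 800047 auth.info] Accepted publickey for greg from 10.0.0.5\n",
    b"Aug 24 09:23:39 myorgsun6 nrpe[15035]: [ID 808958 daemon.warning] refused connect from itsecurity-scanner.my.do.main (access denied)\n",
    b"Aug 24 09:23:40 myorgsun6 nrpe[15036]: [ID 808958 daemon.warning] refused connect from itsecurity-scanner.my.do.main (access denied)\n",
]
SAMPLE_LOG = b"".join(LINES)

# Assumed analysis rules: substring IGNORE, and substrings that raise a red alert.
IGNORE = "itsecurity-scanner.my.do.main"
TRIGGERS = ("denied", "refused")

# A complete syslog line starts with "Mon DD HH:MM:SS host ". Anything else at the
# start of a chunk is assumed to be the tail end of a line that was cut off.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")


def tail_bytes(data: bytes, limit: int) -> bytes:
    """Naive size cap: the last `limit` bytes, wherever that lands."""
    return data[-limit:]


def tail_lines(data: bytes, limit: int) -> bytes:
    """Size cap that never starts mid-line.

    After cutting to the last `limit` bytes, skip forward to the next newline
    unless the cut already landed right after one.
    """
    if len(data) <= limit:
        return data
    chunk = data[-limit:]
    if data[-limit - 1:-limit] == b"\n":
        return chunk
    nl = chunk.find(b"\n")
    return chunk[nl + 1:] if nl >= 0 else b""


def classify(line: str) -> str:
    """Apply the IGNORE rule first, then the alert triggers (assumed ordering)."""
    if IGNORE in line:
        return "ignore"
    if any(t in line for t in TRIGGERS):
        return "alert"
    return "ok"


def scan(chunk: bytes, drop_partial_first: bool = False):
    """Return (verdict, line) pairs for a chunk as the log checker would see it."""
    lines = chunk.decode("ascii", "replace").splitlines()
    if drop_partial_first and lines and not SYSLOG_PREFIX.match(lines[0]):
        lines = lines[1:]  # discard a fragment that cannot be a whole syslog line
    return [(classify(line), line) for line in lines]


def alerts(chunk: bytes, drop_partial_first: bool = False):
    """Lines that would turn the status red for this chunk."""
    return [line for verdict, line in scan(chunk, drop_partial_first) if verdict == "alert"]


if __name__ == "__main__":
    # A 160-byte cap lands inside the scanner hostname of the second line,
    # so the naive tail starts with "my.do.main (access denied)".
    naive = tail_bytes(SAMPLE_LOG, 160)
    print("naive tail alerts:      ", alerts(naive))
    print("with partial-line check:", alerts(naive, drop_partial_first=True))
    print("line-aware tail alerts: ", alerts(tail_lines(SAMPLE_LOG, 160)))
```

Running it shows the naive 160-byte tail raising an alert on the fragment "my.do.main (access denied)", which matches neither the IGNORE string nor a syslog prefix, while both the line-aware tail and the receiver-side prefix check leave the chunk with only complete lines that the IGNORE rule catches. The substring IGNORE itself is the weak point: any rule that relies on a string appearing in the line is defeated by a cut that removes that string, so a check that the line is structurally whole belongs in front of it.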