On Fri, 2024-03-22 at 10:10 +1100, Jeremy Laidman wrote:
This seems to be an artefact of the "xymon" command, perhaps sanitising input.
I would agree.
So I think the issue is triggered for you when the ps output has "sed ... security.cron:<space>".
I suspect if you clean up the output of the "ps" line in xymonclient-linux.sh to remove trailing whitespace, then it might fix your problem. Something like this:
ps -Aww f -o pid,ppid,user,start,state,pri,pcpu,time:12,pmem,rsz:10,vsz:10,cmd | sed 's/ *$//'
Unfortunately that doesn't work.
I am more wondering if xymon is somehow seeing or at least treating the 'sed' command as if it had an escaped newline at the end (perhaps after stripping spaces). So it appends the following line to it.
If I modify the current 'sed' command to make it all on one line (no escape characters), then it all works fine.
Ironically I have found that in our local analysis.cfg file the clamd/freshclam processes were configured as:
PROC "%^/usr/sbin/clamd -c" TEXT=clamd PROC "%^/usr/bin/freshclam -d" TEXT=freshclam
So the commands must be at the beginning of the command line. Looking at 'hostdata' for other servers I could see that other commands we monitor were corrupted by the run-parts sed command. However, these did not cause the procs test to go red. The reason was, using 'dnsmasq' as an example, because they were defined differently in the analysis.cfg file:
PROC /usr/sbin/dnsmasq TEXT=dnsmasq
In this case what is looked for ('/usr/sbin/dnsmasq') is still found regardless of whether it appears at the start of the command-line or not. So reconfiguring the clamd and freshclam entries allows them to work as well (i.e the procs test remains green).
John.
-- John Horne | Senior Operations Analyst | Technology and Information Services University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
[https://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass>
This email and any files with it are confidential and intended solely for the use of the recipient to whom it is addressed. If you are not the intended recipient then copying, distribution or other use of the information contained is strictly prohibited and you should not rely on it. If you have received this email in error please let the sender know immediately and delete it from your system(s). Internet emails are not necessarily secure. While we take every care, University of Plymouth accepts no responsibility for viruses and it is your responsibility to scan emails and their attachments. University of Plymouth does not accept responsibility for any changes made after it was sent. Nothing in this email or its attachments constitutes an order for goods or services unless accompanied by an official order form.