Include user ID in PROC search string
Hi all,
I have been trying to persuade Xymon to search for a process and alert on its non-existence, a simple task using the analysis.cfg file like so:
HOST=host1
PROC "amd64/java" 1 1 red
Whilst this has worked previously the developers have now introduced a dependency that the process should only be run by a specific user (i.e. not root). I thought I could get away with:
PROC "%javauser.*amd64/java" 1 1 red
in the expectation that Xymon is testing against the whole of the output from ps(1) and in this case would only match Java processes run by the javauser user, but sadly this is not the case, I cannot persuade Xymon to match against the process name AND the user who is running it.
Am I missing something/doing something wrong or is this the way Xymon works?
|\/|
Martin Ward
I think "PROC" only matches on the "CMD" column, which would be why you can't add in the username.
Recently I needed to check that a given process was only running on *one* out of a set of systems. I wrote that up as an external script on the Xymon server itself. As the xymon user, try this:
xymon localhost "xymondlog server.domain.com.procs"
to get the process list reported by that server. You could then do whatever pattern match you require and send a status message based on that.
Ralph Mitchell
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Thanks, that is useful!
We hit a similar issue with procs - we wanted to check Solaris zone servers to see if a process (crond) was running in the global zone. I could change the "ps" output to show additional information but there wasn't a way to ask analysis.cfg to look for it.
This would be a very useful additional capability.
(We ended up deciding to use a local test with ps and grep.)
As Ralph said, Xymon parses the "ps" output and you don't get anything before the command.
I've done this kind of thing server-side, by making a pseudo-logfile out of command output. For example, to ensure that the "named" user is running exactly one copy of the "named" process:
client-local.cfg:
[servername]
log:`rm -f $XYMONTMP/named-count && /bin/ps -u named | grep -c " named$" > $XYMONTMP/named-count; echo $XYMONTMP/named-count`:1024
This makes the client list a count of the specified user's processes in the [msgs:/path/to/ps-check] section of the client data, ready for analysis. It should also be visible in the "messages" test page for the device. Note that the command line removes the tempfile first of all to create a new file, because otherwise (I believe) logwatch will think that the file hasn't changed and won't send updates for it.
So then:
analysis.cfg:
LOG /path/to/named-count 0 color=RED
LOG /path/to/named-count "%^[2-9]" color=RED
This flags a "msgs" alert if more or fewer than 1 process is reported.
This has the advantage of not having to create a script. But the down-side is that the error appears in the "msgs" status page.
If you want it reported in another status page (other than "msgs") then you probably have to make a script to do the reporting, and it might as well do the detection also (so forget about the client-local.cfg hack above), perhaps running on the Xymon server and getting the process list from the device's client data using the xymon "clientlog <devname> section=top" command. Like so:
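#!/bin/sh
# Server-side check: exactly one "named" process owned by $USER on each tagged host.
TEST=named-check
USER=named
xymongrep $TEST | while read LINE; do
    # Split the xymongrep line into positional parameters: IP first, hostname second
    set - ""$LINE; IP="$1"; HN="$2"
    [ "$HN" ] || continue
    # Status messages use commas in place of the dots in the hostname
    HNCOMMAS=`echo "$HN" | sed 's/\./,/g'`
    PSLIST=`xymon $XYMSRV "clientlog $HN section=top" | grep " $USER .* named *$"`
    # Count the matching lines (0 when PSLIST is empty)
    PSCOUNT=`printf '%s' "$PSLIST" | grep -c ^`
    case $PSCOUNT in
        0) MSG="no named processes"; COL=red;;
        1) MSG="one named process"; COL=green;;
        *) MSG="multiple named processes"; COL=red;;
    esac
    $XYMON $XYMSRV "status $HNCOMMAS.$TEST $COL `date` $MSG
$PSLIST"
done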
This script will run the test against every server with the "named-check" tag in hosts.cfg, then create a "named-check" status page showing the status.
J
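An added example, not part of the thread or of Xymon: a POSIX shell function that applies the owner requirement from the original question to a ps listing, matching the owner column exactly and the command column separately, and going red when the same command also runs under any other account. The function names, the sample listing and the command pattern are constructed for illustration; a whole-line pattern such as javauser.*amd64/java would also match the root-owned tail line in the sample.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a ps listing on stdin and checks
# that a command runs under the expected account and under no other account.
# Assumption: the first line is the ps header and contains USER and a final
# CMD or COMMAND column, as in the constructed sample below.

check_proc_owner() {
    # $1 = required owner, $2 = ERE applied to the command column only
    awk -v want="$1" -v pat="$2" '
        NR == 1 {
            # Use header offsets, not field numbers: a STARTED value such as
            # "Jun 25" contains a space and would shift whitespace-split fields.
            ucol = index($0, "USER")
            ccol = index($0, "COMMAND"); if (!ccol) ccol = index($0, "CMD")
            next
        }
        ucol && ccol {
            owner = substr($0, ucol); sub(/[ \t].*$/, "", owner)
            cmd = substr($0, ccol)
            if (cmd !~ pat) next
            # Exact comparison, so "javauser2" or a path containing the
            # name never counts as the required owner.
            if (owner == want) ok++; else wrong++
        }
        END {
            color = (ok == 1 && wrong == 0) ? "green" : "red"
            printf "%s ok=%d wrong=%d\n", color, ok, wrong
        }'
}

sample_ps() {   # constructed listing, not real client data
    cat <<'EOF'
  PID USER      STARTED CMD
 1201 javauser   Jun 25 /opt/jdk/bin/amd64/java -jar app.jar
 1388 root     09:14:02 /opt/jdk/bin/amd64/java -jar app.jar
 1402 root     09:15:40 tail -f /home/javauser/amd64/java.log
EOF
}

# The pattern is anchored to the executable path (first word of the command).
sample_ps | check_proc_owner javauser '^[^ ]*amd64/java( |$)'
# prints: red ok=1 wrong=1
```

The output line carries the colour first, so it can be split into the colour and text of a status message like the one the script above sends.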
participants (4)
- betsy.schwartz@gmail.com
- jlaidman@rebel-it.com.au
- Martin.Ward@colt.net
- ralphmitchell@gmail.com