how to define a catch-all in hobbit-alerts.cfg
I have rules defined for many of my 300+ hosts ( a mix of windows and unix servers scattered throughout, and interleaved across, multiple pages. I want to define a default rule for hosts so that, for example, every conn alert goes to my unix administrators. I have experimented with several solutions which do not yield the desired result. e.g.:
HOST=* EXHOST=<> # I can't explicitly list all hosts (too many) and tried macros consisting of wildcard host names MAIL ...
HOST=* EXHOST=<> MAIL ... UNMATCHED
if I use only HOST=* then I end up with multiple (sometimes redundant) recipients for some hosts and no recipients for hosts not previously explicitly defined.
Help?
thanks
Hi Bill,
On Tue, Oct 20, 2009 at 10:50:08PM +0200, Bill Wagner wrote:
I have rules defined for many of my 300+ hosts ( a mix of windows and unix servers scattered throughout, and interleaved across, multiple pages. I want to define a default rule for hosts so that, for example, every conn alert goes to my unix administrators. I have experimented with several solutions which do not yield the desired result. e.g.:
HOST=* EXHOST=<> # I can't explicitly list all hosts (too many) and tried macros consisting of wildcard host names MAIL ...
HOST=* EXHOST=<> MAIL ... UNMATCHED
if I use only HOST=* then I end up with multiple (sometimes redundant) recipients for some hosts and no recipients for hosts not previously explicitly defined.
simply group the servers on different pages and match using PAGE=...
Best regards Thomas
Thomas Kähn Technik, Network Engineering & Design; Content Delivery Platform & IP
NETCOLOGNE Gesellschaft für Telekommunikation mbH Am Coloneum 9 | 50829 Köln Tel: 0221 2222-8718 | Fax: 0221 2222-78718 www.netcologne.de
Geschäftsführer: Werner Hanf Dipl.-Ing. Karl-Heinz Zankel
HRB 25580, AG Köln
Diese Nachricht (inklusive aller Anhänge) ist vertraulich. Sollten Sie diese Nachricht versehentlich erhalten haben, bitten wir, den Absender (durch Antwort-E-Mail) hiervon unverzüglich zu informieren und die Nachricht zu löschen. Die E-Mail darf in diesem Fall weder vervielfältigt noch in anderer Weise verwendet werden.
I agree that would simplify things. However we are using (inherited from Big Brother) fairly heterogeneous PAGEs. Bill
-------- Original Message -------- Subject: Re: [hobbit] how to define a catch-all in hobbit-alerts.cfg From: Thomas Kähn <tkaehn at netcologne.de> To: hobbit at hswn.dk <hobbit at hswn.dk> Date: 10/21/2009 1:29 AM
Hi Bill,
On Tue, Oct 20, 2009 at 10:50:08PM +0200, Bill Wagner wrote:
I have rules defined for many of my 300+ hosts ( a mix of windows and unix servers scattered throughout, and interleaved across, multiple pages. I want to define a default rule for hosts so that, for example, every conn alert goes to my unix administrators. I have experimented with several solutions which do not yield the desired result. e.g.:
HOST=* EXHOST=<> # I can't explicitly list all hosts (too many) and tried macros consisting of wildcard host names MAIL ...
HOST=* EXHOST=<> MAIL ... UNMATCHED
if I use only HOST=* then I end up with multiple (sometimes redundant) recipients for some hosts and no recipients for hosts not previously explicitly defined.
simply group the servers on different pages and match using PAGE=...
Best regards Thomas
I will be able to define subpages and create rules matching against them.
thanks
-------- Original Message -------- Subject: Re: [hobbit] how to define a catch-all in hobbit-alerts.cfg From: Bill Wagner <william.wagner at ipacc.com> To: hobbit at hswn.dk Date: 10/22/2009 8:22 AM
I agree that would simplify things. However we are using (inherited from Big Brother) fairly heterogeneous PAGEs. Bill
-------- Original Message -------- Subject: Re: [hobbit] how to define a catch-all in hobbit-alerts.cfg From: Thomas Kähn <tkaehn at netcologne.de> To: hobbit at hswn.dk <hobbit at hswn.dk> Date: 10/21/2009 1:29 AM
Hi Bill,
On Tue, Oct 20, 2009 at 10:50:08PM +0200, Bill Wagner wrote:
I have rules defined for many of my 300+ hosts ( a mix of windows and unix servers scattered throughout, and interleaved across, multiple pages. I want to define a default rule for hosts so that, for example, every conn alert goes to my unix administrators. I have experimented with several solutions which do not yield the desired result. e.g.:
HOST=* EXHOST=<> # I can't explicitly list all hosts (too many) and tried macros consisting of wildcard host names MAIL ...
HOST=* EXHOST=<> MAIL ... UNMATCHED
if I use only HOST=* then I end up with multiple (sometimes redundant) recipients for some hosts and no recipients for hosts not previously explicitly defined.
simply group the servers on different pages and match using PAGE=...
Best regards Thomas
In <4ADE2280.2020302 at ipacc.com> Bill Wagner <william.wagner at ipacc.com> writes:
I have rules defined for many of my 300+ hosts ( a mix of windows and unix servers scattered throughout, and interleaved across, multiple pages. I want to define a default rule for hosts so that, for example, every conn alert goes to my unix administrators. I have experimented with several solutions which do not yield the desired result. e.g.:
HOST=* EXHOST=<> # I can't explicitly list all hosts (too many) and tried macros consisting of wildcard host names MAIL ...
HOST=* EXHOST=<> MAIL ... UNMATCHED
if I use only HOST=* then I end up with multiple (sometimes redundant) recipients for some hosts and no recipients for hosts not previously explicitly defined.
Not sure if I understand you correctly, but I *think* you want a default rule that triggers only if there are no other rules that apply. Correct ?
In that case, the following should do it:
HOST=* SERVICE=conn
MAIL unixadmin at foo.com UNMATCHEDThe UNMATCHED keyword means that this alert only triggers if no other rules applied.
Regards, Henrik
Hi all.
I am running bb-roracle.ksh skript on several servers. The problem is that on some servers it uses way too much cpu. It is on the top of table "prstat -s cpu". Has any one had the same problem, or now that is the problem?
P.S. server is SunOS 5.10
Thanks in advance. Ricardas
Hi,
one question .. is possible to use msg to monitor logs not available in the Windows Event Viewer ?
thanks for help
Marco
participants (5)
-
henrik@hswn.dk
-
marco.avvisano@regione.toscana.it
-
Ricardas.Vaitkus@seb.lt
-
tkaehn@netcologne.de
-
william.wagner@ipacc.com