Wherever you go, there you are.

On Oct 4, 2010, at 8:15 PM, Colin Coe <colin.coe at gmail.com> wrote:

Anyone have ideas on this?

CC

On Mon, Oct 4, 2010 at 12:43 PM, Colin Coe <colin.coe at gmail.com> wrote:

...

Hi all

I have the following in my hobbit-clients.cfg on the Xymon server

CLASS=win32 LOAD 80 90 # Load threholds are in % PORT "LOCAL=%([.:]20000)$" TEXT=RemotelyAnywhere LOG %.* %error -.* COLOR=yellow LOG eventlog:Security %failure.* COLOR=yellow LOG eventlog:Application %warning.* COLOR=yellow IGNORE="%(Warning: IIS log failed to write entry|Many client computers have not reported back|Unsuccessful logon attempt from IP address .* Secure (SSL) Connection).*" LOG eventlog:System %error.* COLOR=yellow

I'm finding that I'm still getting warnings coming up from the WSUS server regarding the clients that have not checked.

Could someone advise what I'm doing wrong here?

Thanks

CC

-- RHCE#805007969328369

-- RHCE#805007969328369

To unsubscribe from the xymon list, send an e-mail to xymon-unsubscribe at xymon.com

Try removing the double quotes and replacing each space with a \s (backslash-s). That is what seems to work best for me. Steve

On Tue, Oct 5, 2010 at 8:48 AM, Steve Holmes <sholmes42 at gmail.com> wrote:

Wherever you go, there you are.

On Oct 4, 2010, at 8:15 PM, Colin Coe <colin.coe at gmail.com> wrote:

...

Anyone have ideas on this?

CC

On Mon, Oct 4, 2010 at 12:43 PM, Colin Coe <colin.coe at gmail.com> wrote:

...

Hi all

I have the following in my hobbit-clients.cfg on the Xymon server

CLASS=win32 LOAD 80 90 # Load threholds are in % PORT "LOCAL=%([.:]20000)$" TEXT=RemotelyAnywhere LOG %.*  %error -.* COLOR=yellow LOG eventlog:Security  %failure.* COLOR=yellow LOG eventlog:Application  %warning.* COLOR=yellow IGNORE="%(Warning: IIS log failed to write entry|Many client computers have not reported back|Unsuccessful logon attempt from IP address .* Secure (SSL) Connection).*" LOG eventlog:System %error.* COLOR=yellow

I'm finding that I'm still getting warnings coming up from the WSUS server regarding the clients that have not checked.

Could someone advise what I'm doing wrong here?

Thanks

CC

To unsubscribe from the xymon list, send an e-mail to xymon-unsubscribe at xymon.com

Oh, and you don't need the .* on the end of the string. Steve

Hi Steve

Thanks for the tips but unfortunately, these strings are still not being ignored. I'm wondering if the problem is in 'client-local.cfg'. At the top of 'hobbit-clients.cfg' it says that both files need to be configured but I don't see an example for Windows event logs. How do you have client-local.cfg configured for Windows logs?

Thanks

CC

-- RHCE#805007969328369

Hi Josh

After setting BBWin to be in central mode on a few test machines, hobbitd_client crashes and does not restart.

CC

On Tue, Oct 5, 2010 at 11:00 AM, Josh Luthman <josh at imaginenetworksllc.com> wrote:

Are you sure your Windows clients are set for centralized configuration? They may be sending green/red instead of the data for the server to decide.

Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373

On Mon, Oct 4, 2010 at 10:52 PM, Colin Coe <colin.coe at gmail.com> wrote:

...

On Tue, Oct 5, 2010 at 8:48 AM, Steve Holmes <sholmes42 at gmail.com> wrote:

...

Wherever you go, there you are.

On Oct 4, 2010, at 8:15 PM, Colin Coe <colin.coe at gmail.com> wrote:

...

Anyone have ideas on this?

CC

On Mon, Oct 4, 2010 at 12:43 PM, Colin Coe <colin.coe at gmail.com> wrote:

...

Hi all

I have the following in my hobbit-clients.cfg on the Xymon server

CLASS=win32 LOAD 80 90 # Load threholds are in % PORT "LOCAL=%([.:]20000)$" TEXT=RemotelyAnywhere LOG %.*  %error -.* COLOR=yellow LOG eventlog:Security  %failure.* COLOR=yellow LOG eventlog:Application  %warning.* COLOR=yellow IGNORE="%(Warning: IIS log failed to write entry|Many client computers have not reported back|Unsuccessful logon attempt from IP address .* Secure (SSL) Connection).*" LOG eventlog:System %error.* COLOR=yellow

I'm finding that I'm still getting warnings coming up from the WSUS server regarding the clients that have not checked.

Could someone advise what I'm doing wrong here?

Thanks

CC

To unsubscribe from the xymon list, send an e-mail to xymon-unsubscribe at xymon.com

Oh, and you don't need the .* on the end of the string. Steve

Hi Steve

Thanks for the tips but unfortunately, these strings are still not being ignored.  I'm wondering if the problem is in 'client-local.cfg'. At the top of 'hobbit-clients.cfg' it says that both files need to be configured but I don't see an example for Windows event logs.  How do you have client-local.cfg configured for Windows logs?

Thanks

CC

-- RHCE#805007969328369

To unsubscribe from the xymon list, send an e-mail to xymon-unsubscribe at xymon.com

-- RHCE#805007969328369

I've fixed there errors in /etc/xymon/server/hobbit-clients.cfg, in fact I've commented out all the Windows related lines in the file. I'm no longer getting core dumps but the hobbitd_client status in the webUI is still purple. I've restarted Xymon server 45 minutes ago and still purple.

I've set the Windows machines to all be in central mode.

Any pointers on resolving the purple status of hobbitd_client would be great.

Thanks

CC

On Tue, Oct 5, 2010 at 2:00 PM, Henrik Størner <henrik at hswn.dk> wrote:

Hi Colin,

On Tue, 05 Oct 2010 11:33:04 +0800 Colin Coe wrote:

...

On Tue, Oct 5, 2010 at 11:00 AM, Josh Luthman <josh at imaginenetworksllc.com> wrote:

...

Are you sure your Windows clients are set for centralized configuration? They may be sending green/red instead of the data for the server to decide.

After setting BBWin to be in central mode on a few test machines, hobbitd_client crashes and does not restart.

as Josh pointed out, the Windows client (BBWin) must be running in centralized configuration if you want to be able to do the configuration on the Xymon server. So an alternative solution could be to configure this on the client side, in BBWin.cfg, if you continue to run the BBWin client in local mode.

I haven't tried playing with the centralized version of BBWin, so I had a look at the client to see how it works. It seems that the eventlog-configuration on the server uses "eventlog_LOGNAME" as the 'filename' in LOG configurations. So your config with

 LOG eventlog:Security  %failure.* COLOR=yellow LOG eventlog:Application  %warning.* COLOR=yellow LOG eventlog:System %error.* COLOR=yellow

should be

 LOG eventlog_Security %failure COLOR=yellow LOG eventlog_Application %warning COLOR=yellow LOG eventlog_System %error COLOR=yellow

(a '.*' at the end of a pattern is superfluous).

However, this entry looks suspicious, and might be the one that causes hobbitd_client to crash:

 LOG %.*  %error -.* COLOR=yellow

That "-.*" looks out of place. Is there a space in front of it that shouldn't be there ?

Try these changes for a start to see if the log entries get matched and trigger a yellow status for "msgs". Then you can add the IGNORE setting afterwards and see what needs to be done for that to work.

Regards, Henrik

To unsubscribe from the xymon list, send an e-mail to xymon-unsubscribe at xymon.com

-- RHCE#805007969328369

lol

OK, that makes sense.

On Wed, Oct 6, 2010 at 1:27 PM, Henrik Størner <henrik at hswn.dk> wrote:

In <AANLkTi=x_eGffc24Mr2LYirmDfQxVqz1U-etFLxcKY-B at mail.gmail.com> Colin Coe <colin.coe at gmail.com> writes:

...

Any pointers on resolving the purple status of hobbitd_client would be great.

hobbitd_client is a status that only shows up if hobbitd_client has had some sort of fatal problem - like crashing. That's why it doesn't get updated, and hence go purple after 30 minutes. It's just there as a way of alerting you to the fact that it did crash.

And it seems to work :-)

To get rid of it, just "drop" it: On your Xymon server, run

  bb 127.0.0.1 "drop HOBBITSERVERNAME hobbitd_client"

Regards, Henrik

To unsubscribe from the xymon list, send an e-mail to xymon-unsubscribe at xymon.com

-- RHCE#805007969328369