So I'm creating a log file that will only get updated about every 3 months. But I want to watch that and make sure that it does get updated every three months.
That part is easy. But, the file is only for our Linux machines, not our Solaris machines. Is there a way to tell analysis that I want to look for this file, but if it doesn't exist, that's ok? Or is there something like CLASS but for machine type?
Oh, and I'm also monitoring a handful of Linux machines for others outside my group, that won't have this file. And if I just put in the FILE line, it's going to tag those machines with file doesn't exist, if I put it in HOST=*. And I don't really want to put it in, individually, for the 90+ machines I do have, and the ones I'm adding weekly.
The vast majority of my machines do have a 3 character start, so I guess I could use those...
Any better ideas?
While I'm at it, is mtime> only in seconds or can I put a 'd' modifier for days on the end of it?
On 12 April 2013 01:20, Root, Paul T <Paul.Root at centurylink.com> wrote:
> Is there a way to tell analysis that I want to look for this file, but if it doesn’t exist, that’s ok?
I don't think so. But you can work around this in client-local.cfg, like so:
file:`[ -f /path/to/file ] && echo /path/to/file || echo /dev/null`
This will simply send through a different filename in the client data, and the server-side will act as if you haven't configured it at all, which I think means it won't report anything.
Also, there seems to be an undocumented modifier "optional" for both FILE and LOG clauses. I haven't used this, but it seems you would just append it to the end of the FILE line in analysis.cfg, like so:
FILE:/path/to/file red mtime<7776000 optional
> While I’m at it, is mtime> only in seconds or can I put a ‘d’ modifier for days on the end of it?
Nope, the string after "mtime>" is fed straight into aton() before being stored in the rule structure, so it can only be digits.
Cheers Jeremy