alert for non 200 status from log monitoring
On 10/31/2014 04:39 PM, deepak deore wrote:
Hi,
I want to trigger an alert if there is a non-200 status in the Tomcat access logs below. I have enabled log monitoring in client-local.cfg; e.g., the log line below has a non-200 status in the 3rd field from last.
10.10.10.10 - - [31/Oct/2013:15:45:56 +0000] GET /some/long/url HTTP/1.0 404 2531 161
How can I define that pattern in analysis.cfg? I can define it for 404 as below, but would like to alert for all non-200.
LOG %/path/to/log_file/access\.[0-9]*-[0-9]*-[0-9]*\.log " 404 " COLOR=red
Thanks, Deepak
Hi Deepak
If you want the test to turn red on any non 200 status, you can omit the COLOR=red because that is the default. You can also leave it for clarity though. :)
I think the following will work. Replace your " 404 " with:
"%HTTP/1\.(1|0)[[:space:]][345][[:digit:]]{2}[[:space:]][[:digit:]]"
That should catch all HTTP/1.0 or HTTP/1.1 requests, followed by a literal space, followed by a 3, or 4, or 5 followed by two more digits (to cover all 300, 400 and 500 series http response codes), followed by a literal space, followed by a digit.
If you don't look for the HTTP/1.(0|1) at the front, you will catch all other 300, 400, 500 numbers that are surrounded by spaces in your logs. For example, the size of the request (if it is three digits) which follows the response code in your example.
In my Apache log entries, the GET or POST requests are double-quoted like so:
.... "GET /wtf HTTP/1.1" 404 270 "-" "Mozilla/5.0 ....."
so I could use:
"%[[:punct:]][[:space:]][345][[:digit:]]{2}[[:space:]][[:digit:]]"
Which ignores the HTTP/1.(1|0) and just catches the closing double-quote after the HTTP/1.0 or HTTP/1.1, the literal space, and then the non-200 response code, followed by a space.
Also, you may not want to catch the 300 series response codes because they mainly consist of non-warning or non-critical things like redirects.
Hope this helps.
-- Bill Arlofski Reverse Polarity, LLC http://www.revpol.com/ -- Not responsible for anything below this line --
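The false-positive risk described in the reply can be reproduced with `grep -E`, shown here as an added example that is not part of the original thread. Assumptions: the log lines are constructed, the leading `%` from analysis.cfg is dropped, grep's extended regex stands in for the monitoring tool's regex engine, and `ANCHORED_NO_3XX` is a variant written here to follow the remark about skipping 300-series codes.

```shell
#!/bin/sh
# Constructed sample lines in the Tomcat access-log layout quoted in the thread:
# request (unquoted), then status, bytes sent, elapsed time.
SAMPLE_LOG='10.10.10.10 - - [31/Oct/2013:15:45:56 +0000] GET /some/long/url HTTP/1.0 404 2531 161
10.10.10.11 - - [31/Oct/2013:15:45:57 +0000] GET /index.html HTTP/1.1 200 512 35
10.10.10.12 - - [31/Oct/2013:15:45:58 +0000] POST /api/save HTTP/1.1 500 87 420
10.10.10.13 - - [31/Oct/2013:15:45:59 +0000] GET /old HTTP/1.1 302 0 4
10.10.10.14 - - [31/Oct/2013:15:46:00 +0000] GET /img/logo.png HTTP/1.1 200 4096 300'

# Unanchored: any 3xx/4xx/5xx-looking number between spaces (like " 404 ").
UNANCHORED='[[:space:]][345][[:digit:]]{2}[[:space:]]'
# Anchored on the protocol token, as suggested in the reply.
ANCHORED='HTTP/1\.(1|0)[[:space:]][345][[:digit:]]{2}[[:space:]][[:digit:]]'
# Assumption: same anchor, restricted to 4xx and 5xx so redirects stay quiet.
ANCHORED_NO_3XX='HTTP/1\.(1|0)[[:space:]][45][[:digit:]]{2}[[:space:]][[:digit:]]'

# Print the sample lines a pattern would alert on.
matching_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -- "$1" || true
}

# Print how many sample lines a pattern would alert on.
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -c -- "$1" || true
}

printf 'unanchored:      %s line(s)\n' "$(count_matches "$UNANCHORED")"
printf 'anchored:        %s line(s)\n' "$(count_matches "$ANCHORED")"
printf 'anchored, no 3xx: %s line(s)\n' "$(count_matches "$ANCHORED_NO_3XX")"

# The line the unanchored pattern flags by mistake: status 200, byte count 512.
printf 'false positive(s) from the unanchored pattern:\n'
matching_lines "$UNANCHORED" | grep -E 'HTTP/1\.(1|0) 200 ' || true
```

Running candidate patterns over a captured slice of the real access log in the same way shows what would alert before the rule goes into analysis.cfg.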