Not getting alerts for log entries on Solaris 10 Update 3 (SPARC)
I am having issues with getting Hobbit to report log entries from client log files. The server is getting the log data but, despite a valid string entry in the log file, no alerts are generated.
Here is an excerpt from my client-local.cfg file:
[hosta-z1]
log:/var/adm/messages:10240
And a corresponding entry from the hobbit-clients.cfg file:
HOST=hosta-z1 LOG /var/adm/messages sshd COLOR=red
The status never changes for this host despite sshd entries existing in the /var/adm/messages file. I used "sshd" because I KNOW that there are current entries in /var/adm/messages since every time hobbit runs an ssh check on the server an sshd message is generated. I have chosen this string just to troubleshoot this problem...
Clicking on "msgs" for this host, there is a message "No entries in /var/adm/messages". But if I click on the "/var/adm/messages" link it shows recent entries with the sshd string in the log file as the following shows:
[msgs:/var/adm/messages]
Jul 25 16:59:34 hosta-z1 sshd[4164]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:04:37 hosta-z1 sshd[4507]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:09:39 hosta-z1 sshd[4857]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:14:41 hosta-z1 sshd[5192]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:19:41 hosta-z1 sshd[5534]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:24:40 hosta-z1 sshd[5884]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Jul 25 17:29:45 hosta-z1 sshd[6222]: [ID 800047 auth.info] Connection closed by 10.0.0.68
Does anyone know what the problem may be? Are there possibly any known issues with Hobbit logging under Solaris 10 Update 3 for SPARC? I have tried almost everything I can think of to get this to work and I am getting nowhere.
Thanks in advance for any help.
-Ken
Ken,
I notice you have short host names in the config as well as in the log files. Do you have short host names in the bb-hosts file as well?
Steve Holmes
-- Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him. -Martin Luther King, Jr., civil-rights leader (1929-1968) The great thing about getting older is that you don't lose all the other ages you've been. -Madeleine L'Engle, writer (1918- )
Hi Steve,
Yes, I am also using short hostnames in the bb-hosts file as well...
-- Kenneth Bourn Adaption Technologies kbourn at adpt-tech.com 281-465-3328
Kenneth Bourn wrote:
I am having issues with getting Hobbit to report log entries from client log files. The server is getting the log data but, despite a valid string entry in the log file, no alerts are generated.
Here is an excerpt from my client-local.cfg file:
[hosta-z1]
log:/var/adm/messages:10240
And a corresponding entry from the hobbit-clients.cfg file:
HOST=hosta-z1 LOG /var/adm/messages sshd COLOR=red
Have you tried this (turn off case insensitive matching):
LOG /var/adm/messages %(?-i)sshd COLOR=red
Dominique UNIL - University of Lausanne
Dominique,
I tried this and am now getting alerts! Is there a known issue where I can't just specify the string I want and expect it to be searched exactly as I have it entered in the hobbit-clients.cfg file? Turning off case insensitive matching works...
Thanks! -Ken
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
-- Kenneth Bourn Adaption Technologies kbourn at adpt-tech.com 281-465-3328
Hobbit defaults to case insensitive pattern matching. See man hobbit-clients.cfg(5) for details.
Dominique UNIL - University of Lausanne