My xymon system has been running well for years and it just started showing a red alarm on one of my host's processes list. It claims that there are 0 (zero) instances of every process it is checking for, but I can still ssh over to that host and see the processes in a ps command.
I'm honestly at a loss. I'm not sure how to troubleshoot this. Any advice?
Jaime Kikpole
Director of Technology & Innovations Cairo-Durham Central School District (518) 622-8543, x59500 cairodurham.org <http://www.cairodurham.org>
Technical Support: help at cairodurham.org go.cairodurham.org/techtips
<https://www.credential.net/d24m9rrp>
-- This electronic message and any attachment(s) may contain confidential or legally privileged information protected by law from further disclosure and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agency responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachment(s). Please notify the sender immediately by return email or telephone and permanently delete this message and attachment(s) from your system.
Look in your xymond test on your server. I?d bet that you are getting oversized messages coming in from that host, and so processes is getting truncated.
Or look at processes for that host. And you will see that the process table isn?t complete.
Ultimately, you?ll need to increase messages in your configuration file.
From: Jaime Kikpole <jkikpole at cairodurham.org> Sent: Wednesday, May 06, 2020 2:52 PM To: xymon at xymon.com Subject: False alarm on proc
My xymon system has been running well for years and it just started showing a red alarm on one of my host's processes list. It claims that there are 0 (zero) instances of every process it is checking for, but I can still ssh over to that host and see the processes in a ps command.
I'm honestly at a loss. I'm not sure how to troubleshoot this. Any advice?
[https://s3.amazonaws.com/htmlsig-assets/spacer.gif]
Jaime Kikpole
Director of Technology & Innovations Cairo-Durham Central School District (518) 622-8543, x59500 cairodurham.org<https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%2fwww.cairodurham.org&umid=33760788-A500-3905-8BC8-4967B16CB618&auth=19120be9529b25014b618505cb01789c5433dae7-0cd119db5bbfc7260beb80640b84368f5878c1f1>
Technical Support: help at cairodurham.org<mailto:help at cairodurham.org> go.cairodurham.org/techtips<https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%2fgo.cairodurham.org%2ftechtips&umid=33760788-A500-3905-8BC8-4967B16CB618&auth=19120be9529b25014b618505cb01789c5433dae7-3f1cdf5014891be60a8d9cfac22252e12e3f30eb>
This electronic message and any attachment(s) may contain confidential or legally privileged information protected by law from further disclosure and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agency responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachment(s). Please notify the sender immediately by return email or telephone and permanently delete this message and attachment(s) from your system. This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
You're not going to believe this, but the FreeBSD system running Xymon is listing Windows processes in the proc test. Which is why it can't see httpd, sshd, etc. processes.
I just set up a new Windows Server 2019 VM yesterday and added the PowerShell version of the Xymon client. I accidentally put the server's name in the configuration file where the host's name is supposed to go. The server must have accepted it at its word, pulled in the process list after it read its own process list, and overwritten the process list. Thus the alert is logical, but the sysadmin isn't. :)
Thanks for pointing out the process list and making me realize this.
Jaime Kikpole
Director of Technology & Innovations Cairo-Durham Central School District (518) 622-8543, x59500 cairodurham.org <http://www.cairodurham.org>
Technical Support: help at cairodurham.org go.cairodurham.org/techtips
<https://www.credential.net/d24m9rrp>
On Wed, May 6, 2020 at 4:16 PM Root, Paul T <Paul.Root at centurylink.com> wrote:
Look in your xymond test on your server. I?d bet that you are getting oversized messages coming in from that host, and so processes is getting truncated.
Or look at processes for that host. And you will see that the process table isn?t complete.
Ultimately, you?ll need to increase messages in your configuration file.
*From:* Jaime Kikpole <jkikpole at cairodurham.org> *Sent:* Wednesday, May 06, 2020 2:52 PM *To:* xymon at xymon.com *Subject:* False alarm on proc
My xymon system has been running well for years and it just started showing a red alarm on one of my host's processes list. It claims that there are 0 (zero) instances of every process it is checking for, but I can still ssh over to that host and see the processes in a ps command.
I'm honestly at a loss. I'm not sure how to troubleshoot this. Any advice?
*Jaime Kikpole*
*Director of Technology & Innovations* *Cairo-Durham Central School District* (518) 622-8543, x59500 cairodurham.org <https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%2fwww.cairodurham.org&umid=33760788-A500-3905-8BC8-4967B16CB618&auth=19120be9529b25014b618505cb01789c5433dae7-0cd119db5bbfc7260beb80640b84368f5878c1f1>
*Technical Support:* help at cairodurham.org go.cairodurham.org/techtips <https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%2fgo.cairodurham.org%2ftechtips&umid=33760788-A500-3905-8BC8-4967B16CB618&auth=19120be9529b25014b618505cb01789c5433dae7-3f1cdf5014891be60a8d9cfac22252e12e3f30eb>
This electronic message and any attachment(s) may contain confidential or legally privileged information protected by law from further disclosure and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agency responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachment(s). Please notify the sender immediately by return email or telephone and permanently delete this message and attachment(s) from your system. This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
-- This electronic message and any attachment(s) may contain confidential or legally privileged information protected by law from further disclosure and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agency responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachment(s). Please notify the sender immediately by return email or telephone and permanently delete this message and attachment(s) from your system.
participants (2)
-
jkikpole@cairodurham.org
-
Paul.Root@CenturyLink.com