Monitoring logfiles with changing names on a linux client
Hello out there,
I did already search for this, but couldn't find the right things; further, my Perl regexp knowledge is not the best.
What I have:
I have a Linux client with Xymon agents up and running, reporting its data to the Xymon server -> this is working fine.
This Linux client serves an application that creates 6 new different logfiles every day -> that's my problem.
The names of the logfiles are like this: Log.File_ABC#_YYYYMMDD_######.log
The first # in the name could be numbers from 1 to 6.
YYYYMMDD is the actual day date, like 20160414.
The ###### block is another numeric identifier, like 050601 or similar, which also changes every day, but not following any rule.
What I want:
My goal is to check those logfiles for the keyword ERROR and let Xymon go red if this keyword occurs.
What I'm looking for is the necessary config on both the client (in localclient.cfg) and the xymon server (in client-local.cfg and analysis.cfg) using regexp.
I'm thinking about something like this to have in the linux client's localclient.cfg:
LOG `ls -1 Log.File_ABC*_\`date +%Y%m%d\`_*.log`
But I'm not sure about the syntax here.
Further I need to know if and how this could be implemented in client-local.cfg and analysis.cfg on the Xymon server.
Anyone any idea?
Regards Christian
Christian Becker IT-Services
Christian.Becker at rhein-zeitung.net
Mittelrhein-Verlag GmbH August-Horch-Straße 28 D-56070 Koblenz Verleger und Geschäftsführer: Walterpeter Twer Reg.-Gericht Koblenz HRB 121 Finanzamt Koblenz Str.Nr. 22 65 10 285 2 www.rhein-zeitung.de
On 14 June 2016 at 20:48, Becker Christian <christian.becker at rhein-zeitung.net> wrote:
> What I have:
> I have a linux client with xymon agents up and running, reporting his data to the Xymon server -> this is working fine.
> This linux client serves an application that creates 6 new different logfiles every day -> that’s my problem.
> The names of the logfiles are like this: Log.File_ABC#_YYYYMMDD_######.log
> The first # in the name could be numbers from 1 to 6.
> YYYYMMDD is the actual day date, like 20160414.
> The ###### block is another numeric identifier, like 050601 or similar, which also changes every day, but not following any rule.
I believe this is exactly the sort of thing the backticks were designed for.
> What I want:
> My goal is to check those logfiles for the keyword ERROR and let Xymon go red if this keyword occurs.
> What I’m looking for is the necessary config on both the client (in localclient.cfg) and the xymon server (in client-local.cfg and analysis.cfg) using regexp.
Nothing is required on the client. localclient.cfg is not used if you're using centralised configuration. Specifically, the comment at the top of localclient.cfg says "By default ... In that case, THIS FILE IS NOT USED and you should IGNORE it." It's not 100% clear, but essentially, if you use centralised configuration, you don't use localclient.cfg on the client, and instead use client-local.cfg/analysis.cfg on the server.
> I’m thinking about something like this to have in the linux client’s localclient.cfg:
> LOG `ls -1 Log.File_ABC*_\`date +%Y%m%d\`_*.log`
> But I’m not sure about the syntax here.
That won't work due to the nested backticks. You can have only one pair of backticks.
Also, you need a colon between LOG and the rest. The very first example at the top of client-local.cfg shows:
log:FILENAME:MAXDATA
I don't think the MAXDATA is optional.
There are several ways to do what you want, by avoiding the backticks.
Option 1: Use a bash-ism, such as $(cmd) in place of `cmd`, like so:
log:`ls -1 /path/to/Log.File_ABC*_$(date +%Y%m%d)_*.log`:10240
Option 2: Use a more inclusive wildcard match, and list the newest 6 files that match:
log:`ls -1t /path/to/Log.File_ABC*_*.log | head -6`:10240
Option 3: Use a script on the client to show the files:
log:`/usr/local/bin/show-the-files`:10240
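Then in show-the-files, do whatever fancy file matching, testing, excluding, etc. You can use this to show the last 6 files by date, but exclude files that are empty. You can also construct the file matching string using the date, without it interfering with the backticks in the "log:" line.
#!/bin/sh
# List up to six of today's non-empty log files, newest first.
DATE=`date +%Y%m%d`
# ${DATE} needs the braces: "$DATE_" would be read as a variable named DATE_
MATCH="Log.File_ABC[1-6]_${DATE}_??????.log"
LOGDIR=/path/to/log
COUNT=0
# $MATCH is left unquoted on purpose so the shell expands the wildcard
for FILE in `ls -1t $LOGDIR/$MATCH 2>/dev/null`; do
    [ -s "$FILE" ] || continue # skip empty files
    echo "$FILE"
    COUNT=$((COUNT+1)) # POSIX arithmetic; "let" is not available in every /bin/sh
    [ $COUNT -eq 6 ] && break
done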
J
Hey Jeremy,
brilliant!
I decided to go with a mix of option 1 and option 2.
This is what I’ve put in client-local.cfg:
log:`ls /path/to/log/Log.File_ABC*.log| grep $(date +%Y%m%d)`:10240
Now I’m getting 6 logfiles in the msgs column -> great!
This is what I’ve put in analysis.cfg for the specific linux client:
LOG %/path/to/log/Log.File_ABC*.log ERROR COLOR=red
However, this does NOT let the msgs column go red, although the files do contain the keyword ERROR, exactly matching the case. And I can see those keywords on the msgs page as well. What is going wrong here now?
P.S.: I didn’t read the hint in localclient.cfg saying that this file isn’t needed by default…..
Regards Christian
From: Jeremy Laidman [mailto:jlaidman at rebel-it.com.au] Sent: Tuesday, 14 June 2016 13:36 To: Becker Christian <christian.becker at rhein-zeitung.net> Cc: xymon at xymon.com Subject: Re: [Xymon] Monitoring logfiles with changing names on a linux client
On 14/06/16 23:04, Becker Christian wrote:
> Hey Jeremy,
> _brilliant!_
> I decided to go with a mix of option 1 and option 2.
> This is what I’ve put in client-local.cfg:
> log:`ls /path/to/log/Log.File_ABC*.log| grep $(date +%Y%m%d)`:10240
> Now I’m getting 6 logfiles in the msgs column -> great!
> This is what I’ve put in analysis.cfg for the specific linux client:
> LOG %/path/to/log/Log.File_ABC*.log ERROR COLOR=red
> However, this does _NOT_ let the msgs column go red, although the files do contain the keyword ERROR, exactly matching the case. And I can see those keywords on the msgs page as well.
> What is going wrong here now?
I think something like this might work:
LOG %/path/to/log/Log.File_ABC.*.log ERROR COLOR=red
C* means zero or more of the letter C, while .* means 0 or more of any character....
Also, it isn't "anchored" at the beginning/end, so you shouldn't need to add a .* to the beginning/end....
Hope that helps.
Regards, Adam
-- Adam Goryachev Website Managers www.websitemanagers.com.au
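The difference between the two analysis.cfg patterns in this exchange can be checked offline before the server config is edited. The following is an added example, not part of the original thread: it runs both patterns from the thread, plus a hypothetical stricter one, against constructed file names, using grep -E as a stand-in for Xymon's regular-expression matching (an assumption).

```shell
#!/bin/sh
# Constructed sample names following the Log.File_ABC#_YYYYMMDD_######.log
# scheme from the thread, plus one name that should not be monitored.
SAMPLES='/path/to/log/Log.File_ABC1_20160614_050601.log
/path/to/log/Log.File_ABC6_20160614_233015.log
/path/to/log/Log.File_ABC1_20160614_050601.log.bak'

# count_matches REGEX: print how many sample names the regex matches.
# grep -E (POSIX ERE) stands in for the server's regex engine (assumption);
# the constructs used below behave the same way in ERE and PCRE.
count_matches() {
    printf '%s\n' "$SAMPLES" | grep -Ec -- "$1" || true
}

# Pattern from the thread that never turned the column red: read as a
# regex, "C*" is "zero or more C", not a shell wildcard.
GLOB_STYLE='/path/to/log/Log.File_ABC*.log'
# Pattern from the thread that fixed it.
LOOSE='/path/to/log/Log.File_ABC.*.log'
# Hypothetical tighter form: literal dots, fixed digit counts, anchored.
STRICT='^/path/to/log/Log\.File_ABC[1-6]_[0-9]{8}_[0-9]{6}\.log$'

for re in "$GLOB_STYLE" "$LOOSE" "$STRICT"; do
    printf '%d of 3 matched by %s\n' "$(count_matches "$re")" "$re"
done
```

The loose pattern also matches the constructed .bak name because it is unanchored and its dots match any character; the strict form matches only the two real log names.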
Hey Adam,
“I think something like this might work: LOG %/path/to/log/Log.File_ABC.*.log ERROR COLOR=red“
Having modified the line as mentioned by you in the above example did the trick. Thank you folks!
Regards Christian
From: Xymon [mailto:xymon-bounces at xymon.com] On behalf of Adam Goryachev Sent: Tuesday, 14 June 2016 15:09 To: xymon at xymon.com Subject: Re: [Xymon] Monitoring logfiles with changing names on a linux client
participants (3)
- christian.becker@rhein-zeitung.net
- jlaidman@rebel-it.com.au
- mailinglists@websitemanagers.com.au