MSGS from BBWin client goes purple
Can someone help on this?
We are having some trouble with BBWin. Our Linux clients are configured in central mode, so all the configuration is made on the server. Now we have to watch some Windows clients, which are configured in local mode.
The problem is with the "msgs". One specific client goes purple sometimes. But not the entire host, only the msgs column. Procs, disk, memory, svcs, etc. are all green, only the msgs column goes purple.
My BBWin.cfg is as follows
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <bbwin>
    <setting name="bbdisplay" value="ourbbdisplay:1984" />
    ...
    <setting name="mode" value="local" />
    <setting name="configclass" value="win32" />
    ...
    <load name="msgs" value="msgs.dll"/>
    <load name="procs" value="procs.dll"/>
    <load name="stats" value="stats.dll"/>
    <load many others...>
    ...
  </bbwin>
  <cpu> ... </cpu>
  <disk> ... </disk>
  <externals> ... </externals>
  <memory> ... </memory>
  <msgs>
    <setting name="alwaysgreen" value="false" />
    <setting name="delay" value="30m" />
    <match logfile="System" type="error" alarmcolor="red" />
    <match logfile="System" type="warning" alarmcolor="yellow" />
    <match logfile="Application" type="error" alarmcolor="red" />
    <match logfile="Application" type="warning" alarmcolor="yellow" />
    <match logfile="Security" type="fail" />
    <ignore logfile="Security" eventid="537" />
    <ignore logfile="Application" eventid="17" />
  </msgs>
  <procs> ... </procs>
  <svcs> ... </svcs>
  <uptime> ... </uptime>
</configuration>
Is there something wrong with the configuration? How can I find out why it is going purple? There's no "Client data" available, maybe because it's running in "local mode"?
Thanks.
-- Ricardo Alberto Schütz - Consultor
Redix - Gestão em T.I. com Software Livre http://www.redix.com.br - contato at redix.com.br Tel. Coml.: +55 (47) 3323-7313 Tel. Cel.: +55 (47) 9186-9868
Hello,
2008/4/22, Ricardo Alberto Schutz <ricardo at redix.com.br>:
> Can someone help on this?
> We are having some trouble with BBWin. Our Linux clients are configured in central mode, so all the configuration is made on the server. Now we have to watch some Windows clients, which are configured in local mode.
> The problem is with the "msgs". One specific client goes purple sometimes. But not the entire host, only the msgs column. Procs, disk, memory, svcs, etc. are all green, only the msgs column goes purple.
> My BBWin.cfg is as follows
> <?xml version="1.0" encoding="utf-8" ?>
> <configuration>
>   <bbwin>
>     <setting name="bbdisplay" value="ourbbdisplay:1984" />
>     ...
>     <setting name="mode" value="local" />
>     <setting name="configclass" value="win32" />
>     ...
>     <load name="msgs" value="msgs.dll"/>
>     <load name="procs" value="procs.dll"/>
>     <load name="stats" value="stats.dll"/>
>     <load many others...>
>     ...
>   </bbwin>
>   <cpu> ... </cpu>
>   <disk> ... </disk>
>   <externals> ... </externals>
>   <memory> ... </memory>
>   <msgs>
>     <setting name="alwaysgreen" value="false" />
>     <setting name="delay" value="30m" />
>     <match logfile="System" type="error" alarmcolor="red" />
>     <match logfile="System" type="warning" alarmcolor="yellow" />
>     <match logfile="Application" type="error" alarmcolor="red" />
>     <match logfile="Application" type="warning" alarmcolor="yellow" />
>     <match logfile="Security" type="fail" />
>     <ignore logfile="Security" eventid="537" />
>     <ignore logfile="Application" eventid="17" />
>   </msgs>
>   <procs> ... </procs>
>   <svcs> ... </svcs>
>   <uptime> ... </uptime>
> </configuration>
> Is there something wrong with the configuration? How can I find out why it is going purple? There's no "Client data" available, maybe because it's running in "local mode"?
The problem may be that there are too many events in your event log, so it takes too much time to get the last 30 minutes of events to be sent to Hobbit.
Could you check how many events are generated in your event log every minute?
Regards,
-- Etienne GRIGNON
Hi Ricardo,
2008/4/25 Ricardo Alberto Schutz <ricardo at redix.com.br>:
> Well, I surely can't count on my fingers how many events are generated every minute. But I can say it gets close to 200 security events per second, which would result in about 360k events every 30 minutes.
> Shouldn't the Hobbit client analyze these events and return only the matching ones to the server?
If you have rules for the security event log, BBWin will parse every event from the last 30 minutes. So 360k events take some time to be parsed every 5 minutes.
Regards,
-- Etienne GRIGNON
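To answer the question raised in the thread about how many events each log produces, the following PowerShell counts events per log over the 30-minute `delay` window from the posted `<msgs>` section and lists the busiest minutes and most frequent event IDs. It is an added example, not part of the thread or of BBWin; it assumes `Get-WinEvent` is available (Windows Vista / Server 2008 or later) and an elevated prompt, since reading the Security log requires administrative rights.

```powershell
# Added example (not from the thread or from BBWin).
# Counts events per log over the msgs "delay" window so the volume the
# client has to parse on each run can be measured instead of guessed.

$WindowMinutes = 30                            # matches <setting name="delay" value="30m" />
$Logs  = 'System', 'Application', 'Security'   # logfile values used in the posted <match> rules
$Since = (Get-Date).AddMinutes(-$WindowMinutes)

foreach ($log in $Logs) {
    $total    = 0
    $byMinute = @{}   # 'HH:mm' -> event count
    $byId     = @{}   # event ID -> event count

    # Stream the events instead of collecting them: a busy Security log can
    # hold hundreds of thousands of entries in this window.
    # Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $total++
            $minute = $_.TimeCreated.ToString('HH:mm')
            $byMinute[$minute] = 1 + $byMinute[$minute]
            $byId[$_.Id]       = 1 + $byId[$_.Id]
        }

    $rate = [math]::Round($total / $WindowMinutes, 1)
    '{0,-12} {1,8} events in last {2} min  (avg {3}/min)' -f $log, $total, $WindowMinutes, $rate

    # Busiest minutes show whether the load is steady or comes in bursts.
    $byMinute.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 3 |
        ForEach-Object { '    busiest minute {0}: {1} events' -f $_.Key, $_.Value }

    # Most frequent event IDs show what dominates the log.
    $byId.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 5 |
        ForEach-Object { '    event id {0,-6} {1} events' -f $_.Key, $_.Value }
}
```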