Waiting longer than one polling failure to alert
My apologies if this is covered in the docs or in past discussions, my google-fu hasn't come through for me on this one. We're running 4.1.2p1, and we have several troublesome hosts that, for whatever reason, are constantly experiencing periodic disconnects with the hobbit server. I'm not too concerned about the disconnects (we have some new firewalls that are probably to blame, and by all other indications, the hosts and services are fine), but we're constantly getting alerts. Is there any way to make hobbit alert on a host or service, only after it's failed two or three times in a row?
Thanks in advance,
Mark
I believe you want to look in the man pages for alerting for the DELAY option.
=G=
From: Mark Stoltzfus [mailto:mark.stoltzfus at pmigroup.com]
Sent: Monday, March 10, 2008 3:40 PM
To: hobbit at hswn.dk
Subject: [hobbit] Waiting longer than one polling failure to alert
Hi Mark,
see the man page:
"DURATION
    Rule matching an alert if the event has lasted longer/shorter than the given duration. E.g. DURATION>10m (lasted longer than 10 minutes) or DURATION<2h (only sends alerts the first 2 hours). Unless explicitly stated, this is in minutes - you can use 'm', 'h', 'd' for 'minutes', 'hours' and 'days' respectively."

You can configure your alerts to be triggered only after a period of time...
e.g.:

    HOST=* EXHOST=%(acp.*) EXSERVICE=msgs,cpu
        MAIL $helpdesk DURATION>2 REPEAT=60 UNMATCHED COLOR=red FORMAT=plain
        MAIL $security DURATION>60 REPEAT=600 COLOR=red UNMATCHED FORMAT=plain
        MAIL $manager DURATION>120 REPEAT=600 RECOVERED COLOR=red FORMAT=plain

As you can see in the example, we use this to trigger the escalation process...
Hope this helps!
Best regards,
Oliver Grube EU Security&Controls Manager
Campbell's Germany GmbH, Register court Luebeck • Reg. No. HRB 4082, Managing director: Joseph B. Folds III
Registered office: Geniner Strasse 88 - 100, 23560 Luebeck, Germany
You can also look in the bb-hosts man pages for the badhttp, badconn tags.
Thanks, Larry Barber
On Mon, Mar 10, 2008 at 2:53 PM, Oliver Grube <oliver_grube at campbellsoup.com> wrote:
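An added example, not part of any message in this thread and not Hobbit's own code: a small Python model of the DURATION conditions in the recipient lines from Oliver Grube's reply, showing who is mailed at a given event age and how many consecutive failed polls a DURATION>N threshold tolerates. The 5-minute poll interval and all function names are assumptions; REPEAT, UNMATCHED, RECOVERED, COLOR and FORMAT are ignored.

```python
import re

# Units from the man page text quoted in the thread; a bare number is minutes.
UNIT_MINUTES = {"": 1, "m": 1, "h": 60, "d": 1440}
DURATION_RE = re.compile(r"DURATION([<>])(\d+)([mhd]?)$")

# Recipient lines copied from the example in the thread.
RULES = """\
MAIL $helpdesk DURATION>2 REPEAT=60 UNMATCHED COLOR=red FORMAT=plain
MAIL $security DURATION>60 REPEAT=600 COLOR=red UNMATCHED FORMAT=plain
MAIL $manager DURATION>120 REPEAT=600 RECOVERED COLOR=red FORMAT=plain
"""

def parse_recipients(text):
    """Return [(recipient, op, minutes)] for each MAIL line with a DURATION."""
    out = []
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0] != "MAIL":
            continue
        for word in words[2:]:
            m = DURATION_RE.match(word)
            if m:
                minutes = int(m.group(2)) * UNIT_MINUTES[m.group(3)]
                out.append((words[1], m.group(1), minutes))
    return out

def recipients_due(rules, elapsed_min):
    """Recipients whose DURATION condition holds for an event of this age."""
    return [rcpt for rcpt, op, limit in rules
            if (elapsed_min > limit if op == ">" else elapsed_min < limit)]

def failed_polls_before_alert(limit_min, poll_interval_min=5):
    """Consecutive failed polls seen before DURATION>limit can first match.

    Assumption: the event starts at the first failed poll (age 0) and the
    status only changes at poll times, poll_interval_min minutes apart.
    """
    return limit_min // poll_interval_min + 1

if __name__ == "__main__":
    rules = parse_recipients(RULES)
    for age in (1, 3, 90, 150):
        print(f"{age:>4} min: {recipients_due(rules, age)}")
    for limit in (2, 5, 10):
        print(f"DURATION>{limit}: {failed_polls_before_alert(limit)} failed poll(s)")
```

Under these assumptions, the DURATION>2 line still mails after a single failed poll, while DURATION>5 and DURATION>10 correspond to two and three failed polls in a row.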