"msgs" alerts, sending 10240 bytes and line-buffering
I'm having an issue on my Solaris clients running an older Xymon 4.3.12. (I have a test build of 4.3.21 waiting in the wings.)
We constantly get scanned by our IT Security people, resulting in "/var/adm/messages" entries like
Aug 24 09:23:39 myorgsun6 nrpe[15035]: [ID 808958 daemon.warning] refused
connect from itsecurity-scanner.my.do.main (access denied)
I put an IGNORE entry into "analysis.cfg" to ignore any lines with "itsecurity-scanner.my.do.main" but I keep getting them - they often look like this:
-- red Mon Aug 24 09:55:37 PDT 2015 - Log files NOT ok
&red Critical entries in <a href="/xymon-cgi/svcstatus.sh?CLIENT=myorgsun6&SECTION=msgs:/var/adm/messages">/var/adm/messages</a> &red ess denied)
As you can see the "messages" entry has been clipped off leading to the raw "denied" string which triggered the alert. It's random - sometimes it's clipped down to "do.main access denied", for example.
I'm using a bog-standard
[sunos] log:/var/adm/messages:10240
entry in client-local.cfg.
My theory is that by sending 10240 bytes of the "messages" file across, it leaves things open to the possibility of sending "clipped" lines - leading to partial lines that avoid my IGNORE string as a result.
Am I correct?
Is there anything in the newer releases that addresses this?
- Greg
Greg
You might be right that the message is being clipped. If so, you should see Xymon log messages to that effect.
Perhaps add the IGNORE clause to the client-local.cfg message instead. This will cause the messages to be dropped at the client side. Not only can you forget about these messages on the Xymon server, but also you're less likely to have a clipped message. Like so:
[sunos] log:/var/adm/messages:10240 ignore refused connect from itsecurity-scanner.my.do.main
You could also increase the maximum from 10240.
Cheers Jeremy
On 25 August 2015 at 08:11, Greg Earle <earle at isolar.dyndns.org> wrote:
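The clipping Greg describes and the two mitigations in this thread (skipping a partial first line, and Jeremy's client-side ignore) modelled as an added Python example; this is not Xymon's own code, and the log sample, byte limit and function names are constructed for the illustration:

```python
import re

# Constructed sample of a Solaris /var/adm/messages tail (not real data).
# The nrpe entry is one line in the file; the mail archive merely wrapped it.
SAMPLE_LOG = (
    b"Aug 24 09:23:10 myorgsun6 sshd[15001]: [ID 800047 auth.info] "
    b"Accepted publickey for admin from 10.0.0.5\n"
    b"Aug 24 09:23:39 myorgsun6 nrpe[15035]: [ID 808958 daemon.warning] "
    b"refused connect from itsecurity-scanner.my.do.main (access denied)\n"
    b"Aug 24 09:24:02 myorgsun6 syslogd: [ID 702911 daemon.notice] log rotated\n"
)

# Server-side analysis.cfg equivalents: the IGNORE pattern and the trigger word.
IGNORE = re.compile(r"itsecurity-scanner\.my\.do\.main")
TRIGGER = re.compile(r"denied", re.IGNORECASE)
# Jeremy's client-side ignore, applied before any byte limit is enforced.
CLIENT_IGNORE = re.compile(re.escape(b"refused connect from itsecurity-scanner.my.do.main"))

# Byte limit chosen so the cut lands where Greg's alert showed it ("ess denied)").
MAXBYTES = len(SAMPLE_LOG) - SAMPLE_LOG.index(b"ess denied)")


def tail_bytes(data: bytes, maxbytes: int) -> tuple:
    """Ship only the last maxbytes; also report whether the cut fell inside a line."""
    if len(data) <= maxbytes:
        return data, False
    cut_mid_line = data[len(data) - maxbytes - 1] != ord("\n")
    return data[-maxbytes:], cut_mid_line


def client_side_ignore(data: bytes) -> bytes:
    """Drop ignored lines on the client, before the size limit is applied."""
    kept = [ln for ln in data.split(b"\n") if not CLIENT_IGNORE.search(ln)]
    return b"\n".join(kept)


def critical_entries(chunk: bytes, cut_mid_line: bool, drop_partial: bool) -> list:
    """Server-side check: apply IGNORE first, then look for the trigger word."""
    lines = chunk.decode("utf-8", errors="replace").split("\n")
    if drop_partial and cut_mid_line:
        lines = lines[1:]  # a fragment whose start is unknown cannot be matched safely
    return [ln for ln in lines if ln and not IGNORE.search(ln) and TRIGGER.search(ln)]


def server_alerts(drop_partial: bool, client_ignore: bool = False, maxbytes: int = MAXBYTES) -> list:
    data = client_side_ignore(SAMPLE_LOG) if client_ignore else SAMPLE_LOG
    chunk, cut = tail_bytes(data, maxbytes)
    return critical_entries(chunk, cut, drop_partial)


if __name__ == "__main__":
    print(server_alerts(drop_partial=False))         # ['ess denied)'] - Greg's false alarm
    print(server_alerts(drop_partial=True))          # []
    print(server_alerts(False, client_ignore=True))  # []
```

Raising the limit only moves the cut; the client-side ignore removes the noisy lines before the cut is taken, and discarding a known-partial first line stops fragments from being matched at all.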
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon