[hobbit] log file monitoring issues
Maybe I'm just missing something in the documentation, but I can't seem to get the log file monitoring to work properly. In the example below, I'm trying to look at the "messages" and "maillog" files on Linux.
Particularly, I'm trying to EXCLUDE the following "messages" lines:
    Aug 9 21:19:45 www upsd[7860]: Connection from 127.0.0.1
    Aug 9 21:19:45 www upsd[7860]: Client on 127.0.0.1 logged out
    Aug 9 21:19:45 www upsd[7860]: Connection from 127.0.0.1
    Aug 9 16:44:01 www crond(pam_unix)[5382]: session opened for user root by (uid=0)
    Aug 9 16:44:14 www crond(pam_unix)[5382]: session closed for user root
    Aug 9 16:45:01 www crond(pam_unix)[5484]: session opened for user mailman by (uid=0)
    Aug 9 16:45:01 www crond(pam_unix)[5484]: session closed for user mailman
And EXCLUDE the following "maillog" lines:
    Aug 6 11:55:02 www sendmail[15076]: k76Ft1pU015076: from=<mailman at HOSTNAME>, size=576, class=0, nrcpts=1, msgid=<200608061555.k76Ft1A2015075 at HOSTNAME>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Below are the respective lines from the "client-local.cfg" file:
    log:/var/log/messages:10240
    ignore upsd* Client|Connection 127.0.0.1
    ignore session opened|closed for user mailman|root
    log:/var/log/maillog:10240
    ignore relay=localhost.localdomain
    trigger denied
And below the specific log entries I'm looking for from "hobbit-clients.cfg":
    LOG /var/log/maillog "relaying denied" color="yellow"
Now, the problem I'm having... The "ignore" line for the /var/log/maillog file appears to be working correctly, as it does indeed ignore such entries as shown above. Also working is the "ignore session opened..." line for the /var/log/messages file.
What is NOT working is the "ignore" line for the "upsd*" lines in /var/log/messages. For the life of me, I just can't figure out how to get that to work properly. That is, two of the three "ignore" lines are not working, as those lines still show up in the "full log" output. If anyone has any ideas, let me know.
I'm also having problems with some logs not showing up on the messages page. Do you need both "LOG" entries in the hobbit-clients.cfg AND client-local.cfg, or will an entry in only client-local.cfg be sufficient to have it show up on the messages page?
You need both.
clients-local.cfg is to tell the client to report on these logs.
hobbit-clients.cfg is to tell hobbitd to check/alert against log data reported from clients.
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
...I'm still having issues with "Permission denied" errors from Hobbit in trying to access /var/log/maillog on all my OpenBSD boxes. Apparently, the only way I've been able to get Hobbit to read them is if I set them 644. However, every time OpenBSD rotates the logs, it resets the permissions to 600. Is there any way to get this to work properly without having to run the Hobbit client as root?
This is what we do under:
Linux RH
chgrp <hobbit-group> /var/log/messages*
chmod g+r /var/log/messages*
Debian
addgroup <hobbit-user> adm
The file rotation preserves these settings.
Dominique UNIL - University of Lausanne
Hmm, another issue I'm finding is that even with the permissions set so that the Hobbit client can read the log files, they still aren't reporting back any data. That is, the "Full log <log file>" section of the appropriate messages page has nothing.
On Fri, Aug 11, 2006 at 10:28:40AM -0400, Gary B. wrote:
> Hmm, another issue I'm finding is that even with the permissions set so that the Hobbit client can read the log files, they still aren't reporting back any data. That is, the "Full log <log file>" section of the appropriate messages page has nothing.
Probably because your client has been running for some time, and there haven't been any new entries (the file size hasn't changed).
Regards, Henrik
Oh... Duh... Yep, that's it. Just wrote a test entry via logger and it picked that up.
Now if I can just get my "ignore" lines to work properly, I'll be all set. When using regular expressions on the "ignore" lines, do you need to surround them as %"" like with regexes in hobbit-alerts.cfg and such?
On Fri, Aug 11, 2006 at 11:54:45AM -0400, Gary B. wrote:
> Now if I can just get my "ignore" lines to work properly, I'll be all set. When using regular expressions on the "ignore" lines, do you need to surround them as %"" like with regexes in hobbit-alerts.cfg and such?
No, the strings in client-local.cfg are always treated as regular expressions.
Regards, Henrik
Hmm. Any ideas why the following wouldn't work?
    log:/var/log/messages:10240
    ignore upsd* Client|Connection 127.0.0.1
    ignore session opened|closed for user mailman|root
The "full log" output is still showing those lines. Could it be the same reason I wasn't seeing any data at all on the other servers; that is, the log file just hasn't been updated, and it's still showing those from previous lines? If so, is there a way I could tell Hobbit to clear the existing data?
On Fri, Aug 11, 2006 at 01:37:28PM -0400, Gary B. wrote:
> Hmm. Any ideas why the following wouldn't work?
> log:/var/log/messages:10240
> ignore upsd* Client|Connection 127.0.0.1
> ignore session opened|closed for user mailman|root
Two errors:
The first line has a wrong regex - it's a classic mistake to use "*" by itself to mean "anything", but that's not what it does. Your expression should be
    ignore upsd.* Client|Connection 127.0.0.1
Second, you can only have one "ignore" line. I admit that it would probably be useful to have multiple ignore lines, but that is not possible right now.
> The "full log" output is still showing those lines. Could it be the same reason I wasn't seeing any data at all on the other servers; that is, the log file just hasn't been updated, and it's still showing those from previous lines?
No, Hobbit processes all of the logfile data through the ignore- and trigger patterns each time it sends a message to the server.
> If so, is there a way I could tell Hobbit to clear the existing data?
Yes: Delete the ~hobbit/client/tmp/logfetch.HOSTNAME.status file.
Regards, Henrik
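An added example (not from the thread, and not Hobbit's code): it checks the ignore patterns discussed above against the thread's own log lines plus two constructed lines that should stay visible, showing how "|" splits each pattern into branches. It assumes the ignore strings are extended regular expressions searched anywhere in the line, which Python's `re` reproduces for these patterns; `split_branches`, `audit` and the two grouped patterns are illustrative names and values.

```python
import re

# Lines the poster wanted ignored, copied from the thread.
UPSD_LINES = [
    "Aug 9 21:19:45 www upsd[7860]: Connection from 127.0.0.1",
    "Aug 9 21:19:45 www upsd[7860]: Client on 127.0.0.1 logged out",
]
SESSION_LINES = [
    "Aug 9 16:44:01 www crond(pam_unix)[5382]: session opened for user root by (uid=0)",
    "Aug 9 16:45:01 www crond(pam_unix)[5484]: session closed for user mailman",
]
# Constructed lines (not from the thread) that should stay visible.
MUST_KEEP = [
    "Aug 9 17:02:11 www sshd[6001]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Aug 9 17:03:40 www su[6010]: session opened for user operator by admin(uid=500)",
]


def split_branches(pattern):
    """Split a regex on its top-level '|' to show how alternation groups it.

    Simplified scanner: handles escapes, (...) groups and [...] classes,
    which is enough for the patterns in this thread.
    """
    branches, current, depth, in_class, i = [], [], 0, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            current.append(pattern[i:i + 2])  # keep the escaped character intact
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            branches.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    branches.append("".join(current))
    return branches


def audit(pattern, wanted_hidden, must_keep):
    """Report which wanted lines a pattern misses and which kept lines it hides."""
    rx = re.compile(pattern)
    return {
        "branches": split_branches(pattern),
        "missed": [line for line in wanted_hidden if not rx.search(line)],
        "overreach": [line for line in must_keep if rx.search(line)],
    }


if __name__ == "__main__":
    cases = [
        ("upsd* Client|Connection 127.0.0.1", UPSD_LINES),            # original post
        ("upsd.* Client|Connection 127.0.0.1", UPSD_LINES),           # fix suggested in the thread
        (r"upsd.*(Client|Connection).*127\.0\.0\.1", UPSD_LINES),     # constructed, grouped
        ("session opened|closed for user mailman|root", SESSION_LINES),         # original post
        (r"session (opened|closed) for user (mailman|root)", SESSION_LINES),    # constructed, grouped
    ]
    for pattern, wanted in cases:
        result = audit(pattern, wanted, MUST_KEEP)
        print(pattern)
        print("  branches :", result["branches"])
        print("  missed   :", len(result["missed"]), "of", len(wanted))
        print("  overreach:", len(result["overreach"]), "of", len(MUST_KEEP))
```

The ungrouped "session" pattern has a bare `root` branch, so it also hides the constructed failed-login line; grouping the alternatives confines the match to the lines that were meant to be ignored.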
On 8/11/06, Henrik Stoerner <henrik at hswn.dk> wrote:
> On Fri, Aug 11, 2006 at 01:37:28PM -0400, Gary B. wrote:
>> Hmm. Any ideas why the following wouldn't work?
>> log:/var/log/messages:10240
>> ignore upsd* Client|Connection 127.0.0.1
>> ignore session opened|closed for user mailman|root
> Two errors:
> The first line has a wrong regex - it's a classic mistake to use "*" by itself to mean "anything", but that's not what it does. Your expression should be
>     ignore upsd.* Client|Connection 127.0.0.1
Ah. I actually had that originally, but since it wasn't working, I wasn't sure if it used "real" regexes, or "DOS command-line" regexes.
> Second, you can only have one "ignore" line. I admit that it would probably be useful to have multiple ignore lines, but that is not possible right now.
>> The "full log" output is still showing those lines. Could it be the same reason I wasn't seeing any data at all on the other servers; that is, the log file just hasn't been updated, and it's still showing those from previous lines?
> No, Hobbit processes all of the logfile data through the ignore- and trigger patterns each time it sends a message to the server.
Ah ha! That explains it. I removed the second ignore, and it's working perfectly now.
>> If so, is there a way I could tell Hobbit to clear the existing data?
> Yes: Delete the ~hobbit/client/tmp/logfetch.HOSTNAME.status file.
Ah, that's simple. Note to self: if there's something you want to do with Hobbit, it's probably done fairly simply ;-)
Just ONE remaining issue now. There are still additional log files I want to check for that aren't showing up. I have this specific host's client-local.cfg entry defined as:
    [master.homeoffice.none]
    log:/var/log/samba/client.nmbd.log
    log:/var/log/messages:10240
    log:/var/log/maillog:10240
    ignore relay=localhost\.localdomain
    trigger denied
The "messages" and "maillog" entries are showing up just fine, but the "client.nmbd.log" file is not showing up; not even with an empty "full log" section. Any ideas?
Also, do I need the escape character "\" to ignore the line that says "relay=localhost.localdomain"? I guess since "." means "any character", it will work anyway without the "\"...
On Fri, Aug 11, 2006 at 08:07:34PM -0400, Gary B. wrote:
>> Second, you can only have one "ignore" line. I admit that it would probably be useful to have multiple ignore lines, but that is not possible right now.
I've made an enhancement to the client-side "logfetch" utility so that multiple ignore- and trigger-lines are possible. I just need to do a bit more testing, and then I'll make it available.
> Just ONE remaining issue now. There are still additional log files I want to check for that aren't showing up. I have this specific host's client-local.cfg entry defined as:
> [master.homeoffice.none]
> log:/var/log/samba/client.nmbd.log
> log:/var/log/messages:10240
> log:/var/log/maillog:10240
> ignore relay=localhost\.localdomain
> trigger denied
> The "messages" and "maillog" entries are showing up just fine, but the "client.nmbd.log" file is not showing up; not even with an empty "full log" section. Any ideas?
Check if the configuration data makes it to the client. Does this data show up in the client's ~hobbit/client/tmp/logfetch.HOSTNAME.cfg file?
If it does, then pick any status page from this host and click on the "Client data" link near the bottom of the page. Look for the "[msgs:...]" and "[logfile:...]" sections. Is there one for the client.nmbd.log file?
Regards, Henrik
>>> Second, you can only have one "ignore" line. I admit that it would probably be useful to have multiple ignore lines, but that is not possible right now.
> I've made an enhancement to the client-side "logfetch" utility so that multiple ignore- and trigger-lines are possible. I just need to do a bit more testing, and then I'll make it available.
Awesome!
>> Just ONE remaining issue now. There are still additional log files I want to check for that aren't showing up. I have this specific host's client-local.cfg entry defined as:
>> [master.homeoffice.none]
>> log:/var/log/samba/client.nmbd.log
>> log:/var/log/messages:10240
>> log:/var/log/maillog:10240
>> ignore relay=localhost\.localdomain
>> trigger denied
>> The "messages" and "maillog" entries are showing up just fine, but the "client.nmbd.log" file is not showing up; not even with an empty "full log" section. Any ideas?
> Check if the configuration data makes it to the client. Does this data show up in the client's ~hobbit/client/tmp/logfetch.HOSTNAME.cfg file?
> If it does, then pick any status page from this host and click on the "Client data" link near the bottom of the page. Look for the "[msgs:...]" and "[logfile:...]" sections. Is there one for the client.nmbd.log file?
A thanks to Chris Morris for solving this issue. I can't believe I missed it after staring at that file for quite a while, but I was missing the :SIZE part. Adding that fixed it, and now the additional logs are showing up. I still have an issue with file permissions in OpenBSD, but at least now it's not a Hobbit-related issue.
Okay, the logs are showing up in the "Full log" section correctly now, but my LOG keyword monitoring isn't working.
Ex)
    [<server name>]
    . . .
    LOG /var/log/maillog did not issue MAIL/EXPN/VRFY/ETRN COLOR=yellow
    . . .
    LOG /var/log/httpd/intranet/error_log client denied COLOR=yellow
Does "client denied" and "did not issue MAIL/EXPN/VRFY/ETRN" have to be in quotes?
On Mon, Aug 14, 2006 at 04:12:19PM -0400, Gary B. wrote:
> Okay, the logs are showing up in the "Full log" section correctly now, but my LOG keyword monitoring isn't working.
> Ex)
> [<server name>]
> . . .
> LOG /var/log/maillog did not issue MAIL/EXPN/VRFY/ETRN COLOR=yellow
> . . .
> LOG /var/log/httpd/intranet/error_log client denied COLOR=yellow
> Does "client denied" and "did not issue MAIL/EXPN/VRFY/ETRN" have to be in quotes?
Yes.
Regards, Henrik
Hi folks,
I have a problem with msgs on solaris9 with hobbit 4.2. For all servers I get:
    No entries in /var/adm/messages <http://lbsbb.rz.uni-frankfurt.de/hobbit-cgi/bb-hostsvc.sh?CLIENT=wiesel&SECTION=msgs:/var/adm/messages>
while messages isn't empty:
    cat /var/adm/messages
    ...
    Nov 2 03:30:16 wiesel sshd[27574]: [ID 800047 auth.error] error: select: Falsche Dateinummer
The link bb-hostsvc.sh?CLIENT=wiesel&SECTION=msgs:/var/adm/messages shows:
    [msgs:/var/adm/messages]
My configs:
hobbit-clients.cfg
    LOG /var/adm/messages error COLOR=yellow
client-local.cfg (untouched)
    [sunos]
    log:/var/adm/messages:10240
On the client the tmp-files are:
    wiesel bb> cat logfetch.wiesel.status
    /var/adm/messages:654:654:654:654:654:654:654
    wiesel bb> cat logfetch.wiesel.cfg
    log:/var/adm/messages:10240
"client data" shows:
    [msgs:/var/adm/messages]
    [logfile:/var/adm/messages]
    type:100000 (file)
    mode:644 (-rw-r--r--)
    linkcount:1
    owner:0 (root)
    group:0 (root)
    size:654
    clock:1162464626 (2006/11/02-11:50:26)
    atime:1162464626 (2006/11/02-11:50:26)
    ctime:1162434616 (2006/11/02-03:30:16)
    mtime:1162434616 (2006/11/02-03:30:16)
Any ideas? Thanks! Rolf
-- Kind regards, Rolf Schrittenlocher
HRZ/BDV, Senckenberganlage 31, 60054 Frankfurt Tel: (49) 69 - 798 28908 Fax: (49) 69 - 798 28817 LBS: lbs-f at mlist.uni-frankfurt.de Personal: schritte at rz.uni-frankfurt.de
The logfile monitor only includes the last 30 minutes of data from the logfile. It does this by tracking where it last read from the logfile; you have:
> On the client the tmp-files are:
> wiesel bb> cat logfetch.wiesel.status
> /var/adm/messages:654:654:654:654:654:654:654
meaning that for the past 7 runs of the Hobbit client, the logfile was 654 bytes. If it doesn't grow, no data is sent to Hobbit.
And before you ask: No, there is currently no configuration option which lets you change that interval of 30 minutes.
Regards, Henrik
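An added example (a simplified model, not logfetch's own code) of the position tracking described in this reply and in the earlier "the file size hasn't changed" answer: it replays the status line from the thread against a series of file sizes and returns how many bytes each client run would report. Assumptions: the positions are stored newest first, a file smaller than at the previous run is treated as rotated and read from the start, and the :SIZE field (10240) caps the bytes reported; `parse_status_line`, `run_once` and `simulate` are hypothetical names.

```python
STATUS_LINE = "/var/adm/messages:654:654:654:654:654:654:654"  # from the thread
MAX_BYTES = 10240  # the :SIZE field in log:/var/adm/messages:10240


def parse_status_line(line, slots=7):
    """Split 'path:pos:...:pos' into (path, [pos, ...]) with `slots` positions."""
    fields = line.strip().rsplit(":", slots)
    if len(fields) != slots + 1:
        raise ValueError(f"expected {slots} positions in {line!r}")
    return fields[0], [int(field) for field in fields[1:]]


def run_once(positions, size, max_bytes=MAX_BYTES):
    """Model one client run; return (start, end, new_positions).

    Assumption: positions[0] is the newest remembered size and
    positions[-1] the oldest, so data is reported from the oldest
    remembered position up to the current end of the file.
    """
    if size < positions[0]:
        # File is smaller than at the previous run: assume it was rotated
        # or truncated and start again from the beginning.
        positions = [0] * len(positions)
    start = max(positions[-1], size - max_bytes)  # cap at max_bytes
    return start, size, [size] + positions[:-1]


def simulate(status_line, sizes, max_bytes=MAX_BYTES):
    """Return the number of bytes reported on each run for the given file sizes."""
    _, positions = parse_status_line(status_line)
    reported = []
    for size in sizes:
        start, end, positions = run_once(positions, size, max_bytes)
        reported.append(end - start)
    return reported


if __name__ == "__main__":
    # Constructed scenario: no growth, then one 46-byte entry is appended
    # (for example with logger) and the file stays at 700 bytes afterwards.
    sizes = [654] + [700] * 8
    for run, count in enumerate(simulate(STATUS_LINE, sizes), start=1):
        print(f"run {run}: size={sizes[run - 1]} reported={count} bytes")
```

In this model the appended entry is reported for seven consecutive runs and then drops out of the window, which matches an empty "Full log" section on a quiet file.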
Hi Henrik,
thanks for the help and the fast reply! But one more question: Even though the client doesn't send new data, is it possible that the server displays the old data if you click on the "Full log /var/adm/messages" link (or any other log) on the page "...bb-hostsvc.sh?HOST=lbsdb&SERVICE=msgs"? Is the data still available on the server or is it overwritten each time the client sends something? If so, I'd like to modify hobbit in a way that each time a new log arrives at the server this is stored somewhere else and we would make it available with a link. Could you indicate the files to edit for that purpose? Or perhaps, if there is already a command for cutting the section code out from a clients message we could trigger that each time a client sends something new.
This would be helpful to monitor logs manually. Reason: We often have customers' demands to look for special entries in (application) logs which don't trigger a yellow or red alarm. These logs are spread all over the machines and we hope to get a single point of entry for all logs using hobbit.
kind regards Rolf
participants (5)
- Dominique.Frise@unil.ch
- gmbfly98@gmail.com
- henrik@hswn.dk
- jjj863@gmail.com
- Schrittenlocher@rz.uni-frankfurt.de