[xymon] too much data in powershell client reports
Hi all. Even after setting pretty high values for MAXMSG_CLIENT (2560) and MAXMSG_STATUS (2048), I got purples from our Exchange servers, mainly caused by the port test being truncated after about 37000 lines. I noticed the new slimmode options in the 2.27 version, but it (AFAIK) could only cut the whole port test, preventing any network port count analysis. Since most of the connections are between the (two) Exchange servers, and are reported twice in IPv4 and IPv6 notation, could there be a way to filter the "internal" connections on the client side without sending them to the Xymon server? I attach an example.
Mario
Hi Mario
The ports check is just netstat -an. I would suggest for these servers you use slimmode as you mention and then add an external script to run your own netstat command and exclude the lines for the IPs you are not interested in.
For example, you can pipe the output of netstat to findstr and use an inverse match to exclude the lines matching the expression using /v:
netstat -an | findstr /V "127.0.0.1"
Zak
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Mario De Chenno Sent: 25 January 2018 09:13 To: xymon at xymon.com Subject: [External] [Xymon] [xymon] too much data in powershell client reports
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
www.accenture.com
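The filtering suggested in the reply above, as an added PowerShell example that is not part of the original thread or of the Xymon client: it drops connections whose foreign address is the partner server, in both IPv4 and IPv6 notation, and keeps everything else. The function name, the peer addresses and the sample lines are constructed; how the filtered output is handed to the client as an external script is not shown.

```powershell
# Added example, not code from the thread or from the Xymon PowerShell client.
# Select-NonPeerConnection is a hypothetical helper name.
function Select-NonPeerConnection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $NetstatLine,
        [Parameter(Mandatory)] [string[]] $PeerAddress
    )
    # Normalise the peers so differently written IPv6 forms compare equal.
    $peers = $PeerAddress | ForEach-Object { ([ipaddress]$_).ToString() }
    foreach ($line in $NetstatLine) {
        $field = -split $line      # Proto, Local Address, Foreign Address, [State]
        if ($field.Count -ge 3 -and $field[0] -match '^(TCP|UDP)$') {
            # Drop the trailing ":port", then the brackets netstat puts around IPv6.
            $remote = ($field[2] -replace ':[^:\]]*$', '').Trim('[', ']')
            $ip = $null
            if ([ipaddress]::TryParse($remote, [ref]$ip) -and
                $peers -contains $ip.ToString()) {
                continue           # connection to the partner server: not reported
            }
        }
        $line                      # headers, listeners and all other connections
    }
}

# Constructed sample in "netstat -an" layout (documentation address ranges).
# On a real server use:  $raw = netstat -an
$raw = @(
    '  Proto  Local Address          Foreign Address        State'
    '  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING'
    '  TCP    192.0.2.10:443         192.0.2.11:50112       ESTABLISHED'
    '  TCP    192.0.2.10:443         198.51.100.7:61544     ESTABLISHED'
    '  TCP    [2001:db8::10]:443     [2001:db8::11]:50113   ESTABLISHED'
    '  UDP    0.0.0.0:123            *:*'
)
# Constructed peer addresses: the partner server in both notations.
$kept = Select-NonPeerConnection -NetstatLine $raw -PeerAddress '192.0.2.11', '2001:db8::11'
$kept
"Filtered out $($raw.Count - @($kept).Count) peer connections"
```

Unlike a plain `findstr /V` substring match, this compares only the foreign-address column, so a peer address that appears as the local address or as part of a longer address does not cause a line to be dropped.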
Hello, I started using slimmode with the following directive in client-local.cfg:
[host=mbox.*]
slimmode sections:who,netstat,ipconfig,route,ifstat,users
clientversion:2.27:http://orwell.ceda.unina2.it/xymon/winpsclient/
xymonlogsend
but I got missing (->purple) sections (SVCS and WHO) in the client log sent to xymon, as reported below. BTW, the sections in slimmode syntax seem not to match the xymon columns, what about it?
[collector:] client...
[date] ...
[clock] ...
[clientversion] 2.27
[uname] Microsoft Windows Server 2016 Standard (build 14393)
[cpu] ....
[disk] ....
[memory] ...
[EventlogSummary] ....
[msgs:EventlogSummary] ...
[msgs:eventlog_Application] ...
[procs] ...
[uptime] ...
[iis_sites] ....
[XymonConfig] ...
[XymonPSClientInfo] ...
On Fri, 26/01/2018 at 09.24 +0000, Beck, Zak wrote:
The ports check is just netstat -an. I would suggest for these servers you use slimmode as you mention and then add an external script to run your own netstat command and exclude the lines for the IPs you are not interested in.
For example, you can pipe the output of netstat to findstr and use an inverse match to exclude the lines matching the expression using /v:
netstat -an | findstr /V "127.0.0.1"
Hi Mario
Thank you for pointing this out, it has enabled me to identify a couple of issues with slimmode in v2.27 which I am hoping I have fixed successfully in v2.28.
Services were not working correctly with slimmode - the documentation has my intended behaviour, the code did not! If you use slimmode without also stating services, all services should be returned and this should now work in v2.28.
Also 'sections' was not working as it should, that should also be fixed.
Please try v2.28 (https://svn.code.sf.net/p/xymon/code/sandbox/WinPSClient/xymonclient.ps1).
BTW, the sections in slimmode syntax seem not to match the xymon columns, what about it?
The sections in slimmode syntax match the section names (in [] brackets) in the data sent, which also do not always match the column names. This is just the way it works.
Zak
-----Original Message----- From: Mario De Chenno [mailto:MARIO.DECHENNO at unicampania.it] Sent: 29 January 2018 11:55 To: Beck, Zak <zak.beck at accenture.com>; xymon at xymon.com Subject: [External] Re: [xymon] too much data in powershell client reports
participants (2)
- MARIO.DECHENNO@unicampania.it
- zak.beck@accenture.com