Hello out there,
yesterday I recognized that one of our servers has error messages in /var/log/messages every day.
The entries are:
Aug 8 11:08:26 mrv-online-4 kernel: [3356791.776050] EXT4-fs (dm-8): error count since last fsck: 6
Aug 8 11:08:26 mrv-online-4 kernel: [3356791.776080] EXT4-fs (dm-8): initial error at time 1468716722: ext4_journal_check_start:56
Aug 8 11:08:26 mrv-online-4 kernel: [3356791.776085] EXT4-fs (dm-8): last error at time 1468743842: ext4_put_super:798
In the analysis.cfg of the Xymon server, there is a DEFAULT section with the following content:
DEFAULT
These are the built-in defaults.
UP 3
CLOCK 60
LOAD 5.0 10.0
DISK * 90 95
MEMPHYS 100 101
MEMSWAP 80 90
MEMACT 90 97
FILE /var/log/ntp SIZE>0
FILE %/var/(adm|log)/messages
LOG %/var/(adm|log)/messages WARNING IGNORE=%(smbd|STORVSC:*.WARNING\!|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=yellow
LOG %/var/(adm|log)/messages %(I/O|read).error IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt) COLOR=red
LOG %/var/(adm|log)/messages Remounting.filesystem.read-only COLOR=red
LOG %/var/(adm|log)/messages ERROR IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red
LOG %/var/(adm|log)/messages FAIL IGNORE=%(smbd|Connection.reset.by.peer|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport|NT_STATUS_LOGON_FAILURE|LOGIN|STARTTLS) COLOR=red
LOG %/var/(adm|log)/messages CRITICAL IGNORE=%(smbd|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red
LOG %/var/(adm|log)/messages ALERT COLOR=red
LOG %/var/(adm|log)/messages There.are.errors.in.the.filesystem COLOR=red
PROC "syslog"
I was thinking that this directive
LOG %/var/(adm|log)/messages ERROR IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red
should let msgs go to red, since the message of the affected server contains the keyword "error", even in lowercase. But the history of the msgs test for the affected server doesn't show any red status.
I do not have the statement (?-i) in the analysis.cfg as documented in the Xymon man-pages:
Note that Xymon defaults to case-insensitive pattern matching; if that is not what you want, put "(?-i)" between the "%" and the regular expression to turn this off. E.g. "%(?-i)WARNING" will match the word WARNING only when it is upper-case.
Is my thinking wrong?
Regards Christian
Christian Becker IT-Services
Mittelrhein-Verlag GmbH August-Horch-Straße 28 D-56070 Koblenz Verleger und Geschäftsführer: Walterpeter Twer Reg.-Gericht Koblenz HRB 121 Finanzamt Koblenz Str.Nr. 22 65 10 285 2 www.rhein-zeitung.de
Christian
On Tue, Aug 9, 2016 at 5:53 PM Becker Christian <christian.becker at rhein-zeitung.net> wrote: <snip>
I was thinking, that this directive
LOG %/var/(adm|log)/messages ERROR IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red
should msgs let go to red, since the message of the affected server contains the keyword “error”, even in lowercase. But the history of the msgs test for the affected server doesn’t show any red status.
I do not have the statement (?-i) in the analysis.cfg as documented in the Xymon man-pages:
*Note that Xymon defaults to case-insensitive pattern matching; if that is not what you want, put "(?-i)" between the "%" and the regular expression to turn this off. E.g. "%(?-i)WARNING" will match the word WARNING only when it is upper-case.*
*Is my thinking wrong?*
A little.
The man page mentions using "%(?-i)" in the context of matching regular expressions. For non-regular-expressions, this doesn't apply. The code that performs a non-RE match is:
return (strstr(datatosearch, pattern) != NULL);
"strstr()" is a case-sensitive string match, so "ERROR" will not match "error".
You can either have a second line with the lower-case string, or convert to regular expression, and take advantage of the case-insensitive match:
LOG %/var/(adm|log)/messages %ERROR IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red
Cheers Jeremy
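The two matching modes described in the reply above, as an added example (not Xymon source and not part of the original thread). log_pattern_match() and line_alerts() are hypothetical helpers, POSIX regcomp() with REG_ICASE stands in for Xymon's regular-expression engine (so "(?-i)" is not handled), and the IGNORE list is a shortened copy of the one in the config.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: a leading '%' selects a regular expression, compiled
 * case-insensitive; anything else is the plain strstr() substring test quoted
 * in the reply. Returns 1 on match, 0 on no match, -1 on a bad expression. */
static int log_pattern_match(const char *datatosearch, const char *pattern)
{
    regex_t re;
    int hit;
    if (pattern[0] != '%')
        return (strstr(datatosearch, pattern) != NULL);   /* case-sensitive */
    if (regcomp(&re, pattern + 1, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return -1;
    hit = (regexec(&re, datatosearch, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

/* Modeled LOG rule: a line alerts when it matches the trigger and, if an
 * IGNORE pattern is given, does not match that pattern. */
static int line_alerts(const char *line, const char *trigger, const char *ignore)
{
    if (log_pattern_match(line, trigger) != 1)
        return 0;
    return ignore == NULL || log_pattern_match(line, ignore) != 1;
}

/* First kernel line from the original post. */
static const char *EXT4_LINE =
    "Aug 8 11:08:26 mrv-online-4 kernel: [3356791.776050] "
    "EXT4-fs (dm-8): error count since last fsck: 6";
/* Constructed sample line that the IGNORE list should suppress. */
static const char *SMBD_LINE =
    "Aug 8 11:09:01 mrv-online-4 smbd[1234]: read error on socket";
/* Shortened copy of the IGNORE list from the ERROR rule. */
static const char *IGNORE_PAT =
    "%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\\.txt)";

int main(void)
{
    printf("ERROR  on ext4 line: %d\n", line_alerts(EXT4_LINE, "ERROR", IGNORE_PAT));
    printf("%%ERROR on ext4 line: %d\n", line_alerts(EXT4_LINE, "%ERROR", IGNORE_PAT));
    printf("%%ERROR on smbd line: %d\n", line_alerts(SMBD_LINE, "%ERROR", IGNORE_PAT));
    return 0;
}
```

The plain keyword misses the lowercase kernel message, the "%" form catches it, and the IGNORE list still suppresses the smbd line.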
Hi Jeremy,
Thank you for your help – that was a good explanation to me of what the man pages do not really show ;-)
Regards Christian
Christian Becker IT-Services
From: Jeremy Laidman [mailto:jlaidman at rebel-it.com.au]
Sent: Wednesday, 10 August 2016 05:47
To: Becker Christian <christian.becker at rhein-zeitung.net>; xymon at xymon.com
Subject: Re: [Xymon] analysis.cfg - LOG - keyword matching
Christian
On Tue, Aug 9, 2016 at 5:53 PM Becker Christian <christian.becker at rhein-zeitung.net> wrote: <snip>
I was thinking, that this directive
LOG %/var/(adm|log)/messages ERROR IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red
should msgs let go to red, since the message of the affected server contains the keyword “error”, even in lowercase. But the history of the msgs test for the affected server doesn’t show any red status.
I do not have the statement (?-i) in the analysis.cfg as documented in the Xymon man-pages:
Note that Xymon defaults to case-insensitive pattern matching; if that is not what you want, put "(?-i)" between the "%" and the regular expression to turn this off. E.g. "%(?-i)WARNING" will match the word WARNING only when it is upper-case.
Is my thinking wrong?
A little.
The man page mentions using "%(?-i)" in the context of matching regular expressions. For non-regular-expressions, this doesn't apply. The code that performs a non-RE match is:
return (strstr(datatosearch, pattern) != NULL);
"strstr()" is a case-sensitive string match, so "ERROR" will not match "error".
You can either have a second line with the lower-case string, or convert to regular expression, and take advantage of the case-insensitive match:
LOG %/var/(adm|log)/messages %ERROR IGNORE=%(fd0|smbd|read_fd_with_timeout|Connection.reset.by.peer|error\.txt|gdm-simple-greeter|GdmDisplay|GdmSession|GDM|packagekitd|parport) COLOR=red
Cheers Jeremy