
monitoring for absence of a string


From: Paul Theodoropoulos
Subject: monitoring for absence of a string
Date: Tue, 29 Nov 2016 17:10:36 -0800
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Thunderbird/50.0

I need to monitor an apache log file for the *lack* of connections from two specific private netblocks. The server gets connections from many networks, but if these specific netblocks stop showing up, it means that an upstream VPN isn't passing traffic, so there's a problem that needs to be addressed. I do monitor the VPN itself separately, but sometimes the path to this particular destination can break silently.

If I use a configuration file such as this:

check file vzw-to-update with path /var/log/apache2/updates5080_access.log
if content != "^100\.10[79]" for 1 cycles then alert

The problem is, monit's logfile is filled with reports of content matches, and it goes into alert immediately.

Nov 29 15:18:00 sts-ocs-web-a monit[519]: 'vzw-to-update' content match:
Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.201.27.227 - - [29/Nov/2016:15:17:02 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.213.233.142 - - [29/Nov/2016:15:17:03 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.211.141.193 - - [29/Nov/2016:15:17:05 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"

Which is true, since the log has lots of entries that don't match that string's *absence*.

So I thought I could be clever, and ignore the content that is *not* the string whose absence I'm looking for -

check file vzw-to-update with path /var/log/apache2/updates5080_access.log
ignore content != "^100\.10[79]"
if content != "^100\.10[79]" for 2 cycles then alert

But as I suspected, it basically creates a 'black hole' - it never alerts (confirmed by blocking those networks for several minutes with iptables).

I'm not really sure how to tackle this problem - which may be more of a problem with my (weak) understanding of eregex syntax rather than a monit problem.

--
Paul Theodoropoulos
www.anastrophe.com
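
Added example, not part of the original post and not monit's own code: one way to detect the absence described above is to find the timestamp of the newest log line matching the post's regex and fail when it is older than a chosen window. The function names, the 300-second window used in the usage note and the two 100.x sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Exit 0 if the access log holds a
# request from the watched netblocks newer than MAX_AGE seconds, else exit 1.

# last_seen_epoch LOGFILE: print the epoch time of the newest matching line,
# or 0 if there is none. POSIX awk only (no gawk mktime, no GNU date -d).
last_seen_epoch() {
    awk '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= n; i++) mon[name[i]] = i
        newest = 0
    }
    /^100\.10[79]/ {                       # same regex as in the post
        # $4 is "[29/Nov/2016:15:17:02", $5 is "-0800]"
        split(substr($4, 2), p, "[/:]")
        d = p[1] + 0; m = mon[p[2]]; y = p[3] + 0
        if (m <= 2) { y--; m += 12 }       # count Jan/Feb as months 13/14
        days = 365*y + int(y/4) - int(y/100) + int(y/400)
        days += int((153*(m - 3) + 2) / 5) + d - 719469
        off = substr($5, 2, 2) * 3600 + substr($5, 4, 2) * 60
        if (substr($5, 1, 1) == "-") off = -off
        t = days*86400 + p[4]*3600 + p[5]*60 + p[6] - off
        if (t > newest) newest = t
    }
    END { printf "%.0f\n", newest }
    ' "$1"
}

# netblock_seen LOGFILE MAX_AGE [NOW]: succeed only if the newest match is recent.
netblock_seen() {
    now=${3:-$(date +%s)}
    last=$(last_seen_epoch "$1")
    [ "$last" -gt 0 ] && [ $((now - last)) -le "$2" ]
}

# Constructed sample log: the 75.x lines follow the post, the 100.x lines are made up.
sample_log() {
cat <<'EOF'
100.107.12.34 - - [29/Nov/2016:15:12:40 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
100.109.200.5 - - [29/Nov/2016:15:14:10 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
75.201.27.227 - - [29/Nov/2016:15:17:02 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
75.213.233.142 - - [29/Nov/2016:15:17:03 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
EOF
}

# When run with arguments (for example from a monit program check), act on them.
if [ "$#" -ge 2 ]; then netblock_seen "$@"; exit $?; fi
```

Saved under a path of your choosing, the script can be run by a monit `check program ... with path "<script> /var/log/apache2/updates5080_access.log 300"` entry with `if status != 0 then alert`, so the alert fires on the script's exit status rather than on per-line content matches.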


