monit-general

Re: monitoring for absence of a string


From: Tino Hendricks
Subject: Re: monitoring for absence of a string
Date: Wed, 30 Nov 2016 08:09:57 +0100

Ha! That’s a tricky one!
I’m a big fan of handling these kinds of tasks in an external script and 
letting monit deal with the result of this script.
The difficulty here IMHO is that the pure *absence* of the desired string is 
not the problem but the absence in… what? 60 seconds? last 500 log lines?

This is what you need to define first, I think: After what amount of time or 
log lines do you want to be informed that something is wrong. And then you can 
check for e.g.

tail -500 /var/log/apache2/updates5080_access.log | grep "^100\.10[79]"
        for "in the last 500 log lines"
or
tail -500 /var/log/apache2/updates5080_access.log | grep "`date +%d/%b/%Y:%H:%M`"
        for "within the last 500 log lines, within the last minute"

HTH

Tino


On 30 November 2016 at 02:11:08, Paul Theodoropoulos (address@hidden) wrote:

> I need to monitor an apache log file for the *lack* of connections from
> two specific private netblocks. The server gets connections from many
> networks, but if these specific netblocks stop showing up, it means that
> an upstream VPN isn't passing traffic, so there's a problem that needs
> to be addressed. I do monitor the VPN itself separately, but sometimes
> the path to this particular destination can break silently.
>  
> If I use a configuration file such as this:
>  
> check file vzw-to-update with path /var/log/apache2/updates5080_access.log
> if content != "^100\.10[79]" for 1 cycles then alert
>  
> The problem is, monit's logfile is filled with reports of content
> matches, and it goes into alert immediately.
>  
> Nov 29 15:18:00 sts-ocs-web-a monit[519]: 'vzw-to-update' content match:
> Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.201.27.227 - -
> [29/Nov/2016:15:17:02 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071
> "-" "Wget/1.10.2"
> Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.213.233.142 - -
> [29/Nov/2016:15:17:03 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071
> "-" "Wget/1.10.2"
> Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.211.141.193 - -
> [29/Nov/2016:15:17:05 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071
> "-" "Wget/1.10.2"
>  
> Which is true, since the log has lots of entries that don't match that
> string's *absence*
>  
> So I thought I could be clever, and ignore the content that is *not* the
> string whose absence I'm looking for -
>  
> check file vzw-to-update with path /var/log/apache2/updates5080_access.log
> ignore content != "^100\.10[79]"
> if content != "^100\.10[79]" for 2 cycles then alert
>  
> But as I suspected, it basically creates a 'black hole' - it never
> alerts (confirmed by blocking those networks for several minutes with
> iptables).
>  
> I'm not really sure how to tackle this problem - which may be more of a
> problem with my (weak) understanding of eregex syntax rather than a
> monit problem.
>  
> --
> Paul Theodoropoulos
> www.anastrophe.com
>  
> --
> To unsubscribe:
> https://lists.nongnu.org/mailman/listinfo/monit-general
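
One way to write the external script suggested in the reply above, as an added example that is not part of the original message or of monit. It goes beyond the two one-liners by parsing each matching line's timestamp and comparing its age to a limit; the function names, the sample lines and the Apache common/combined log layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Apache common/combined log
# format: field 4 is "[29/Nov/2016:15:17:02", field 5 is "-0800]".

# last_seen_epoch LOGFILE PATTERN LINES
# Prints the Unix time of the newest line matching PATTERN among the last
# LINES lines of LOGFILE; prints nothing when no line matches.
last_seen_epoch() {
    tail -n "$3" "$1" | grep -E -- "$2" | awk '
    {
        split(substr($4, 2), p, "[/:]")       # 29 Nov 2016 15 17 02
        i = index("JanFebMarAprMayJunJulAugSepOctNovDec", p[2])
        if (!i || (i - 1) % 3) next           # no valid month name, skip line
        m = (i + 2) / 3; y = p[3] + 0; d = p[1] + 0
        if (m <= 2) { y--; m += 12 }          # count Jan and Feb with prior year
        days = 365*y + int(y/4) - int(y/100) + int(y/400) \
             + int((153*(m-3) + 2) / 5) + d - 719469
        sign = (substr($5, 1, 1) == "-") ? -1 : 1
        off = sign * (substr($5, 2, 2) * 3600 + substr($5, 4, 2) * 60)
        t = days*86400 + p[4]*3600 + p[5]*60 + p[6] - off   # convert to UTC
        if (t > newest) newest = t
    }
    END { if (newest) printf "%d\n", newest }'
}

# netblock_alive LOGFILE PATTERN LINES MAX_AGE [NOW]
# Succeeds only if a matching line is at most MAX_AGE seconds older than NOW
# (default: current time). A missing file or no match counts as failure.
netblock_alive() {
    now=${5:-$(date +%s)}
    last=$(last_seen_epoch "$1" "$2" "$3")
    [ -n "$last" ] && [ $((now - last)) -le "$4" ]
}

# Constructed sample lines (addresses and times invented for the example).
sample_log() {
    cat <<'EOF'
100.107.4.20 - - [29/Nov/2016:15:02:10 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
75.201.27.227 - - [29/Nov/2016:15:17:02 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
EOF
}

# Run as a script with: LOGFILE PATTERN LINES MAX_AGE
# Exit 0 = netblock seen recently, non-zero = absent. No arguments: define only.
[ "$#" -eq 0 ] || { netblock_alive "$@"; exit $?; }
```

Monit can run such a script from a `check program` entry with `if status != 0 then alert`, so the alert fires on absence within the chosen window rather than on every non-matching line.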



