Re: monitoring for absence of a string

[Paul Theodoropoulos]

Thanks for the reply, Tino. Yes - I should have mentioned, that in fact 
I have been using an external script to perform this task - I was just 
hoping that there might be a more "elegant" way to manage it. My 
existing script does the trick well enough, and I use it to gradually 
escalate the response from just clearing the route cache on the local 
server, all the way up to remotely rebooting the VPN server.


On 11/29/2016 11:09 PM, Tino Hendricks wrote:
> Ha! That’s a tricky one!
> I’m a big fan of handling these kinds of tasks in an external script and 
> letting monit deal with the result of this script.
> The difficulty here IMHO is that the pure *absence* of the desired string is 
> not the problem but the absence in… what? 60 seconds? last 500 log lines?
>
> This is what you need to define first, I think: After what amount of time or 
> log lines do you want to be informed that something is wrong. And then you can 
> check for e.g.
>
> tail -500 /var/log/apache2/updates5080_access.log | grep "^100\.10[79]“
>         for „in the last 500 log lines“
> or
> tail -500 /var/log/apache2/updates5080_access.log | grep "`date 
> +%d/%b/%Y:%H:%M`“
>         for „within the last 500 log lines, within the last minute“
>
> HTH
>
> Tino
>
>
> Am 30. November 2016 um 02:11:08, Paul Theodoropoulos 
> (address@hidden(mailto:address@hidden)) schrieb:
>
> > I need to monitor an apache log file for the *lack* of connections from
> > two specific private netblocks. The server gets connections from many
> > networks, but if these specific netblocks stop showing up, it means that
> > an upstream VPN isn't passing traffic, so there's a problem that needs
> > to be addressed. I do monitor the VPN itself separately, but sometimes
> > the path to this particular destination can break silently.
> >   
> > If I use a configuration file such as this:
> >   
> > check file vzw-to-update with path /var/log/apache2/updates5080_access.log
> > if content != "^100\.10[79]" for 1 cycles then alert
> >   
> > The problem is, monit's logfile is filled with reports of content
> > matches, and it goes into alert immediately.
> >   
> > Nov 29 15:18:00 sts-ocs-web-a monit[519]: 'vzw-to-update' content match:
> > Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.201.27.227 - -
> > [29/Nov/2016:15:17:02 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071
> > "-" "Wget/1.10.2"
> > Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.213.233.142 - -
> > [29/Nov/2016:15:17:03 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071
> > "-" "Wget/1.10.2"
> > Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.211.141.193 - -
> > [29/Nov/2016:15:17:05 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071
> > "-" "Wget/1.10.2"
> >   
> > Which is true, since the log has lots of entries that don't match that
> > string's *absence*
> >   
> > So I thought I could be clever, and ignore the content that is *not* the
> > string whose absence I'm looking for -
> >   
> > check file vzw-to-update with path /var/log/apache2/updates5080_access.log
> > ignore content != "^100\.10[79]"
> > if content != "^100\.10[79]" for 2 cycles then alert
> >   
> > But as I suspected, it basically creates a 'black hole' - it never
> > alerts (confirmed by blocking those networks for several minutes with
> > iptables).
> >   
> > I'm not really sure how to tackle this problem - which may be more of a
> > problem with my (weak) understanding of eregex syntax rather than a
> > monit problem.
> >   
> > --
> > Paul Theodoropoulos
> > www.anastrophe.com
> >   
> > --
> > To unsubscribe:
> > https://lists.nongnu.org/mailman/listinfo/monit-general

--
Paul Theodoropoulos
www.anastrophe.com