I need to monitor an Apache log file for the *lack* of connections from
two specific private netblocks. The server gets connections from many
networks, but if these specific netblocks stop showing up, it means that
an upstream VPN isn't passing traffic, so there's a problem that needs
to be addressed. I do monitor the VPN itself separately, but sometimes
the path to this particular destination can break silently.
If I use a configuration file such as this:

    check file vzw-to-update with path /var/log/apache2/updates5080_access.log
        if content != "^100\.10[79]" for 1 cycles then alert

The problem is, monit's logfile is filled with reports of content
matches, and it goes into alert immediately.

    Nov 29 15:18:00 sts-ocs-web-a monit[519]: 'vzw-to-update' content match:
    Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.201.27.227 - - [29/Nov/2016:15:17:02 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
    Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.213.233.142 - - [29/Nov/2016:15:17:03 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
    Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.211.141.193 - - [29/Nov/2016:15:17:05 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"

Which is true, since the log has lots of entries that don't match that
string's *absence*.
So I thought I could be clever, and ignore the content that is *not* the
string whose absence I'm looking for -

    check file vzw-to-update with path /var/log/apache2/updates5080_access.log
        ignore content != "^100\.10[79]"
        if content != "^100\.10[79]" for 2 cycles then alert

But as I suspected, it basically creates a 'black hole' - it never
alerts (confirmed by blocking those networks for several minutes with
iptables).
I'm not really sure how to tackle this problem - which may be more of a
problem with my (weak) understanding of eregex syntax rather than a
monit problem.
--
Paul Theodoropoulos
www.anastrophe.com
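
The absence test described in the post can also be framed as "how old is the newest matching line", sketched here as an added example that is not part of the original post and not Monit's own code. The 10-minute threshold, the 1 MiB tail size and the function names are assumptions; the pattern is the post's, closed at the octet boundary.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# The post's prefix pattern, closed at the octet boundary, plus the Apache timestamp.
WATCHED = re.compile(r"^100\.10[79]\.\S+ \S+ \S+ \[([^\]]+)\]")
MAX_AGE = timedelta(minutes=10)  # assumed threshold; tune to the clients' poll interval
TAIL_BYTES = 1 << 20             # only the last 1 MiB of the log is inspected

# Constructed sample lines in the log format shown in the post.
SAMPLE = [
    '75.201.27.227 - - [29/Nov/2016:15:17:02 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071',
    '100.107.4.9 - - [29/Nov/2016:15:10:00 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071',
    '100.109.1.2 - - [29/Nov/2016:15:12:30 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071',
]

def last_seen(lines):
    """Newest timestamp among requests from the watched netblocks, or None."""
    newest = None
    for line in lines:
        m = WATCHED.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable timestamp: ignore the line
        if newest is None or ts > newest:
            newest = ts
    return newest

def is_stale(lines, now, max_age=MAX_AGE):
    """True when the watched netblocks are absent or last seen too long ago."""
    seen = last_seen(lines)
    return seen is None or now - seen > max_age

def tail_lines(path, nbytes=TAIL_BYTES):
    """Read roughly the last nbytes of the file as text lines."""
    with open(path, "rb") as fh:
        size = fh.seek(0, 2)
        fh.seek(max(0, size - nbytes))
        lines = fh.read().decode("utf-8", "replace").splitlines()
    return lines[1:] if size > nbytes else lines  # drop a partial first line

if __name__ == "__main__":
    stale = is_stale(tail_lines(sys.argv[1]), datetime.now(timezone.utc))
    print("no recent requests from 100.107/100.109" if stale else "ok")
    sys.exit(1 if stale else 0)
```

Run with the log path as its only argument, it exits 1 when stale, so Monit can call it from a `check program` test and alert on a non-zero status. Right after log rotation the file may hold no matching line yet, which is reported as stale.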