monit-general
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: File content matching

From: Bryan Harris
Subject: Re: File content matching
Date: Mon, 11 Jun 2018 17:14:24 -0400
> "  ensure that a specific string is regularly showing up in a specific logfile "

I wonder if Monit does not supply a feature like that? You could write a script that performs the check every minute (or every Monit cycle) and the script can tell Monit to alert by return code.

For example, really really bad pseudo-code follows:

_date=`date --correct-options-go-here_:-)`
if ! egrep -q "^$_date.*100\.109\..*"; then exit 1; fi
exit 0

Then set Monit to run once per minute.

If your script egrep command does not find the match, it will exit 1 and Monit will alert.

If your script egrep finds the match every Monit cycle, it will exit 0 and Monit will not alert.

V/r,
Bryan

On Mon, Jun 11, 2018 at 4:51 PM Paul Theodoropoulos <address@hidden> wrote:
I'm suffering a bit of confusion! I'm using a file content match rule to try to ensure that a specific string is regularly showing up in a specific logfile, but the results and output don't make sense to me.

Here's the rule I started out with:

check file servercomm-logs with path /var/log/servercomm.log
if content != .*100\.109\..* then alert

This is an example line from the log that matches that:
2018/06/11 13:34:57 999999 OpenReq 100.109.66.62

The '99' string is an obfuscated device id value I can't post publicly.

In short, I want to be alerted if IP's within that declaration are _not_ showing up in the servercomm.log regularly. In normal circumstances, those IP's show up in the logs intermittently, but on the order of once every several seconds (from subsecond to tens of seconds). There is a lot of other information in the logfile.

With that rule above, the status is always "Content match". If I set the operator to just "=" rather than "!=" - it still says just "Content match", but no alert.

While further testing this just now, I expanded the rule with 'ignore content' lines to match all the other possible lines that do _not_ contain the desired IP strings:

check file servercomm-logs with path /var/log/servercomm.log
ignore content = "Exec"
ignore content = "inserting"
ignore content = "initialize"
ignore content = "Received"
ignore content = "Current"
ignore content = "updated"
ignore content = "Restart"
ignore content = "connection"
ignore content = "Bad"
ignore content = "Invalid"
if content != ".*100\.109\..*" then alert

With that rule, I still get "Content match", and if I swap the operator to "=", it still says content match, and no alert.

I've tried it without the beginning/ending regex declarations -

if content != "100\.109" then alert

Same results. I've tried it with and without quotes around the content match - same results.

*Sometimes*, after a 'monit reload', the status will show "OK" - but if I do a 'monit reload' again - with no intervening changes - It'll switch back to 'Content match'.

At minimum, I would expect when it reports "Content match", I'd be getting an alert, but well beyond that, I cannot figure out what I'm doing wrong with my content declarations.

Any insights will be gratefully received!
-- 
Paul Theodoropoulos
www.anastrophe.com
--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general


--
So the HP guy comes up to me and he says, 'If you say nasty things like that to vendors you're not going to get anything'. I said 'no, in eight years of saying nothing, we've got nothing, and I'm going to start saying nasty things, in the hope that some of these vendors will start giving me money so I'll shut up'.

 -Theo De Raadt
reply via email to
[Prev in Thread] Current Thread [Next in Thread]