File content matching

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

File content matching

Paul Theodoropoulos
I'm suffering a bit of confusion! I'm using a file content match rule to try to ensure that a specific string is regularly showing up in a specific logfile, but the results and output don't make sense to me.

Here's the rule I started out with:

check file servercomm-logs with path /var/log/servercomm.log
if content != .*100\.109\..* then alert

This is an example line from the log that matches that:
2018/06/11 13:34:57 999999 OpenReq 100.109.66.62

The '99' string is an obfuscated device id value I can't post publicly.

In short, I want to be alerted if IP's within that declaration are _not_ showing up in the servercomm.log regularly. In normal circumstances, those IP's show up in the logs intermittently, but on the order of once every several seconds (from subsecond to tens of seconds). There is a lot of other information in the logfile.

With that rule above, the status is always "Content match". If I set the operator to just "=" rather than "!=" - it still says just "Content match", but no alert.

While further testing this just now, I expanded the rule with 'ignore content' lines to match all the other possible lines that do _not_ contain the desired IP strings:

check file servercomm-logs with path /var/log/servercomm.log
ignore content = "Exec"
ignore content = "inserting"
ignore content = "initialize"
ignore content = "Received"
ignore content = "Current"
ignore content = "updated"
ignore content = "Restart"
ignore content = "connection"
ignore content = "Bad"
ignore content = "Invalid"
if content != ".*100\.109\..*" then alert

With that rule, I still get "Content match", and if I swap the operator to "=", it still says content match, and no alert.

I've tried it without the beginning/ending regex declarations -

if content != "100\.109" then alert

Same results. I've tried it with and without quotes around the content match - same results.

*Sometimes*, after a 'monit reload', the status will show "OK" - but if I do a 'monit reload' again - with no intervening changes - It'll switch back to 'Content match'.

At minimum, I would expect when it reports "Content match", I'd be getting an alert, but well beyond that, I cannot figure out what I'm doing wrong with my content declarations.

Any insights will be gratefully received!
-- 
Paul Theodoropoulos
www.anastrophe.com

--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general
Reply | Threaded
Open this post in threaded view
|

Re: File content matching

Paul Theodoropoulos
As a related  followup, in the interim until I figure this out, I can run a program status check on the following script, and it provides the result I'd expect:

#!/bin/sh
tail -100 /var/log/servercomm.log|grep "100\.109" >/dev/null 2>&1


On 6/11/18 13:50, Paul Theodoropoulos wrote:
I'm suffering a bit of confusion! I'm using a file content match rule to try to ensure that a specific string is regularly showing up in a specific logfile, but the results and output don't make sense to me.


-- 
Paul Theodoropoulos
www.anastrophe.com

--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general
Reply | Threaded
Open this post in threaded view
|

Re: File content matching

Bryan Harris
In reply to this post by Paul Theodoropoulos
> "  ensure that a specific string is regularly showing up in a specific logfile "

I wonder if Monit does not supply a feature like that? You could write a script that performs the check every minute (or every Monit cycle) and the script can tell Monit to alert by return code.

For example, really really bad pseudo-code follows:

_date=`date --correct-options-go-here_:-)`
if ! egrep -q "^$_date.*100\.109\..*"; then exit 1; fi
exit 0

Then set Monit to run once per minute.

If your script egrep command does not find the match, it will exit 1 and Monit will alert.

If your script egrep finds the match every Monit cycle, it will exit 0 and Monit will not alert.

V/r,
Bryan

On Mon, Jun 11, 2018 at 4:51 PM Paul Theodoropoulos <[hidden email]> wrote:
I'm suffering a bit of confusion! I'm using a file content match rule to try to ensure that a specific string is regularly showing up in a specific logfile, but the results and output don't make sense to me.

Here's the rule I started out with:

check file servercomm-logs with path /var/log/servercomm.log
if content != .*100\.109\..* then alert

This is an example line from the log that matches that:
2018/06/11 13:34:57 999999 OpenReq 100.109.66.62

The '99' string is an obfuscated device id value I can't post publicly.

In short, I want to be alerted if IP's within that declaration are _not_ showing up in the servercomm.log regularly. In normal circumstances, those IP's show up in the logs intermittently, but on the order of once every several seconds (from subsecond to tens of seconds). There is a lot of other information in the logfile.

With that rule above, the status is always "Content match". If I set the operator to just "=" rather than "!=" - it still says just "Content match", but no alert.

While further testing this just now, I expanded the rule with 'ignore content' lines to match all the other possible lines that do _not_ contain the desired IP strings:

check file servercomm-logs with path /var/log/servercomm.log
ignore content = "Exec"
ignore content = "inserting"
ignore content = "initialize"
ignore content = "Received"
ignore content = "Current"
ignore content = "updated"
ignore content = "Restart"
ignore content = "connection"
ignore content = "Bad"
ignore content = "Invalid"
if content != ".*100\.109\..*" then alert

With that rule, I still get "Content match", and if I swap the operator to "=", it still says content match, and no alert.

I've tried it without the beginning/ending regex declarations -

if content != "100\.109" then alert

Same results. I've tried it with and without quotes around the content match - same results.

*Sometimes*, after a 'monit reload', the status will show "OK" - but if I do a 'monit reload' again - with no intervening changes - It'll switch back to 'Content match'.

At minimum, I would expect when it reports "Content match", I'd be getting an alert, but well beyond that, I cannot figure out what I'm doing wrong with my content declarations.

Any insights will be gratefully received!
-- 
Paul Theodoropoulos
www.anastrophe.com
--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general


--
So the HP guy comes up to me and he says, 'If you say nasty things like that to vendors you're not going to get anything'. I said 'no, in eight years of saying nothing, we've got nothing, and I'm going to start saying nasty things, in the hope that some of these vendors will start giving me money so I'll shut up'.

 -Theo De Raadt

--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general
Reply | Threaded
Open this post in threaded view
|

Re: File content matching

Paul Theodoropoulos
My understanding was that the 'file content match' is specifically for this use case, based on the manual page description - https://mmonit.com/monit/documentation/monit.html#FILE-CONTENT-TEST

But as my followup noted, we had basically the same idea - check a script status similarly to your example, which does work adequately enough!

On 6/11/18 14:14, Bryan Harris wrote:
> "  ensure that a specific string is regularly showing up in a specific logfile "

I wonder if Monit does not supply a feature like that? You could write a script that performs the check every minute (or every Monit cycle) and the script can tell Monit to alert by return code.

For example, really really bad pseudo-code follows:

_date=`date --correct-options-go-here_:-)`
if ! egrep -q "^$_date.*100\.109\..*"; then exit 1; fi
exit 0

Then set Monit to run once per minute.

If your script egrep command does not find the match, it will exit 1 and Monit will alert.

If your script egrep finds the match every Monit cycle, it will exit 0 and Monit will not alert.

V/r,
Bryan

On Mon, Jun 11, 2018 at 4:51 PM Paul Theodoropoulos <[hidden email]> wrote:
I'm suffering a bit of confusion! I'm using a file content match rule to try to ensure that a specific string is regularly showing up in a specific logfile, but the results and output don't make sense to me.

Here's the rule I started out with:

check file servercomm-logs with path /var/log/servercomm.log
if content != .*100\.109\..* then alert

This is an example line from the log that matches that:
2018/06/11 13:34:57 999999 OpenReq 100.109.66.62

The '99' string is an obfuscated device id value I can't post publicly.

In short, I want to be alerted if IP's within that declaration are _not_ showing up in the servercomm.log regularly. In normal circumstances, those IP's show up in the logs intermittently, but on the order of once every several seconds (from subsecond to tens of seconds). There is a lot of other information in the logfile.

With that rule above, the status is always "Content match". If I set the operator to just "=" rather than "!=" - it still says just "Content match", but no alert.

While further testing this just now, I expanded the rule with 'ignore content' lines to match all the other possible lines that do _not_ contain the desired IP strings:

check file servercomm-logs with path /var/log/servercomm.log
ignore content = "Exec"
ignore content = "inserting"
ignore content = "initialize"
ignore content = "Received"
ignore content = "Current"
ignore content = "updated"
ignore content = "Restart"
ignore content = "connection"
ignore content = "Bad"
ignore content = "Invalid"
if content != ".*100\.109\..*" then alert

With that rule, I still get "Content match", and if I swap the operator to "=", it still says content match, and no alert.

I've tried it without the beginning/ending regex declarations -

if content != "100\.109" then alert

Same results. I've tried it with and without quotes around the content match - same results.

*Sometimes*, after a 'monit reload', the status will show "OK" - but if I do a 'monit reload' again - with no intervening changes - It'll switch back to 'Content match'.

At minimum, I would expect when it reports "Content match", I'd be getting an alert, but well beyond that, I cannot figure out what I'm doing wrong with my content declarations.

Any insights will be gratefully received!
-- 
Paul Theodoropoulos
www.anastrophe.com
--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general


--
So the HP guy comes up to me and he says, 'If you say nasty things like that to vendors you're not going to get anything'. I said 'no, in eight years of saying nothing, we've got nothing, and I'm going to start saying nasty things, in the hope that some of these vendors will start giving me money so I'll shut up'.

 -Theo De Raadt

-- 
Paul Theodoropoulos
www.anastrophe.com

--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general