File content matching

From: Paul Theodoropoulos
Subject: File content matching
Date: Mon, 11 Jun 2018 13:50:29 -0700
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.0

I'm suffering a bit of confusion! I'm using a file content match rule to try to ensure that a specific string is regularly showing up in a specific logfile, but the results and output don't make sense to me.

Here's the rule I started out with:

check file servercomm-logs with path /var/log/servercomm.log
if content != .*100\.109\..* then alert

This is an example line from the log that matches that:
2018/06/11 13:34:57 999999 OpenReq

The '99' string is an obfuscated device id value I can't post publicly.

In short, I want to be alerted if IPs within that declaration are _not_ showing up in the servercomm.log regularly. In normal circumstances, those IPs show up in the logs intermittently, but on the order of once every several seconds (from subsecond to tens of seconds). There is a lot of other information in the logfile.

With that rule above, the status is always "Content match". If I set the operator to just "=" rather than "!=" - it still says just "Content match", but no alert.

While further testing this just now, I expanded the rule with 'ignore content' lines to match all the other possible lines that do _not_ contain the desired IP strings:

check file servercomm-logs with path /var/log/servercomm.log
ignore content = "Exec"
ignore content = "inserting"
ignore content = "initialize"
ignore content = "Received"
ignore content = "Current"
ignore content = "updated"
ignore content = "Restart"
ignore content = "connection"
ignore content = "Bad"
ignore content = "Invalid"
if content != ".*100\.109\..*" then alert

With that rule, I still get "Content match", and if I swap the operator to "=", it still says content match, and no alert.

I've tried it without the beginning/ending regex declarations -

if content != "100\.109" then alert

Same results. I've tried it with and without quotes around the content match - same results.

*Sometimes*, after a 'monit reload', the status will show "OK" - but if I do a 'monit reload' again - with no intervening changes - it'll switch back to 'Content match'.

At minimum, I would expect when it reports "Content match", I'd be getting an alert, but well beyond that, I cannot figure out what I'm doing wrong with my content declarations.

Any insights will be gratefully received!
Paul Theodoropoulos
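An added example, not from the post and not monit's own code: a small Python model of the per-line semantics the monit manual describes for the content test (ignore regexes are applied first, then each remaining appended line is tested on its own), run over constructed sample lines with the post's ignore list and pattern. The function names and the sample lines are my own; the 999999 device id is a placeholder as in the post. It also includes the check the post is actually after, time since the pattern last appeared, which a per-line content test cannot express.

```python
import re
from datetime import datetime

TS_FORMAT = "%Y/%m/%d %H:%M:%S"

# Constructed sample lines standing in for /var/log/servercomm.log
# (the 999999 device id is a placeholder, as in the post).
SAMPLE_LINES = [
    "2018/06/11 13:34:57 999999 OpenReq 100.109.4.21",
    "2018/06/11 13:34:58 Exec child process started",
    "2018/06/11 13:34:59 Received heartbeat",
    "2018/06/11 13:35:01 999999 OpenReq 100.109.7.3",
    "2018/06/11 13:35:02 Status poll completed",
]

# Ignore list and pattern exactly as in the post.
IGNORE = ["Exec", "inserting", "initialize", "Received", "Current",
          "updated", "Restart", "connection", "Bad", "Invalid"]
PATTERN = r".*100\.109\..*"


def not_ignored(lines, ignore):
    """Drop every line matching one of the ignore regexes. The search is
    unanchored (like POSIX regexec), which is why the leading/trailing .*
    in the post's pattern makes no difference."""
    ignore_re = [re.compile(p) for p in ignore]
    return [ln for ln in lines if not any(r.search(ln) for r in ignore_re)]


def content_test(lines, pattern, ignore, operator):
    """Model (hypothetical helper) of `if content <operator> pattern`.
    Returns the lines that would raise the event: with '=' every surviving
    line that contains the pattern, with '!=' every surviving line that
    does not. Note that '!=' fires on *any* non-ignored line without the
    IP, not on the IP's absence over time."""
    if operator not in ("=", "!="):
        raise ValueError("operator must be '=' or '!='")
    regex = re.compile(pattern)
    hits = []
    for line in not_ignored(lines, ignore):
        matched = regex.search(line) is not None
        if (operator == "=") == matched:
            hits.append(line)
    return hits


def seconds_since_last_match(lines, pattern, now):
    """The freshness check the post is after: seconds between `now` (a
    timestamp string in the log's own format) and the last line that
    contains the pattern. Returns None if the pattern never appeared."""
    regex = re.compile(pattern)
    last = None
    for line in lines:
        if regex.search(line):
            last = datetime.strptime(line[:19], TS_FORMAT)
    if last is None:
        return None
    return (datetime.strptime(now, TS_FORMAT) - last).total_seconds()


if __name__ == "__main__":
    for op in ("=", "!="):
        print(f"content {op} fires on:",
              content_test(SAMPLE_LINES, PATTERN, IGNORE, op))
    print("seconds since last 100.109.* line:",
          seconds_since_last_match(SAMPLE_LINES, PATTERN,
                                   "2018/06/11 13:35:31"))
```

Run against the sample lines, `=` fires on the two OpenReq lines and `!=` fires on the "Status poll" line that the ignore list does not cover, which is the behaviour the post describes: as long as one un-ignored line without the IP is appended between checks, `!=` reports a content match. The freshness function is what a "not seen for N seconds" alert needs; monit's content test has no timer, so such a check has to live in a script or in a separate check on the log's own timestamps.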
