lausser / check_logfiles

A plugin (monitoring-plugin, not nagios-plugin, see also http://is.gd/PP1330) which scans logfiles for patterns.
https://omd.consol.de/docs/plugins/check_logfiles/
GNU General Public License v2.0

for some reason it is not working on network device logs #49

Open majed17 opened 4 years ago

majed17 commented 4 years ago

Peace,

sudo ./check_logfiles --logfile=/var/log/messages --criticalpattern "sshd"
CRITICAL - (1 errors in check_logfiles.protocol-2020-02-28-10-33-45) - Feb 28 10:33:45 src@nagios.bmg.de sudo[19162]:   nagios : TTY=pts/0 ; PWD=/usr/lib64/nagios/plugins ; USER=root ; COMMAND=./check_logfiles --logfile=/var/log/messages --criticalpattern sshd |'default_lines'=17 'default_warnings'=0 'default_criticals'=1 'default_unknowns'=0

but on a cisco router log:

sudo ./check_logfiles --logfile=/var/log/cisco/ciscoRouter/2020/02/28/local7.log  --criticalpattern="User=ali" 
OK - no errors or warnings|'default_lines'=308 'default_warnings'=0 'default_criticals'=0 'default_unknowns'=

Am I doing something wrong, or is there some bug?

nicnictout commented 3 years ago

Hello,

I have a similar issue with network devices that send tabulations in their messages, which are coded as ^I in the final log. Did you check with cat -A whether such special characters are present in the file from your Cisco?

lausser commented 3 years ago

I have no idea of Cisco logs. How does the line in the logfile look?

nicnictout commented 3 years ago

Here is a line displayed with cat -A: Nov 18 10:55:02 host1 host1[21071]: device Down^ISystem^IDevice^IID: 1326^Ixxx.xxx.xxx.xxx^ITop > France > TLS > host1 > APPLICATION^IBornes AP$

If I do a simple cat, I see tabulations instead of ^I (not displayed properly here): Nov 18 10:55:02 host1 host1[21071]: device Down System Device ID: 1326 xxx.xxx.xxx.xxx Top > France > TLS > host1 > APPLICATION Bornes AP

If I echo the line directly into the logfile, the plugin matches the line and raises an alarm. The issue seems to come from syslog-ng's interpretation and encoding of the tabulation.

I tried to make a prescript that runs a sed substitute to replace tabs by spaces in the whole logfile, but in this case the plugin reads the whole file again, even with the noallyoucaneat option activated.

I'm studying the option of reworking the incoming message directly with syslog, making the substitution when a new message comes in. Of course, if there is a way for the plugin to deal with this by itself, I'm 101% in favour :)

lausser commented 3 years ago

And something like

Top.France.TLS.*….

does not match?


nicnictout commented 3 years ago

Unfortunately not; even .* as regex does not match the line as soon as this tabulation appears.

majed17 commented 3 years ago

Although I moved to check_log3.pl, I am glad to help solve problems.

./check_logfiles --logfile=/var/log/cisco/ciscoRotar12/2021/11/19/ciscoRotar12.log  --criticalpattern="User=Ali" 
OK - no errors or warnings|'default_lines'=5 'default_warnings'=0 'default_criticals'=0 'default_unknowns'=0

cat -A /var/log/cisco/ciscoRotar12/2021/11/19/ciscoRotar12.log

Nov 19 10:23:57 ciscoRotar12/ciscoRotar12 005261: Nov 19 10:23:57.372: %CRYPTO-6-VPN_TUNNEL_STATUS: (Server) Authentication PASSED User=Ali Group=ALI Client_public_addr=184.127.29.10 Server_public_addr=186.157.17.44 $

Anything more needed?

nicnictout commented 3 years ago

For my part, I set up a rule in syslog to substitute tabulations by spaces, and the plugin works perfectly again.

Majed, when you post your cat -A output, all tabulations are removed and replaced by spaces. Did you see anything in your terminal? Make a screenshot, maybe ;)
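A small diagnostic in the spirit of the cat -A check and the tab-to-space rewrite discussed above: it renders a line the way cat -A would, flags lines that hide control characters, and normalizes them before pattern matching. This is an added example, not code from check_logfiles or from anyone in the thread; the sample log lines are constructed.

```python
import re

# Constructed sample lines (not from the issue): TABs as network devices emit them,
# a plain line, and one with a DEL and a non-ASCII byte to exercise the renderer.
SAMPLE_LINES = [
    "Nov 18 10:55:02 host1 host1[21071]: device Down\tSystem\tDevice\tID: 1326",
    "Nov 19 10:23:57 router1 005261: Authentication PASSED User=alice Group=VPN",
    "Nov 19 10:24:01 router1 005262: odd\x7fbyte and \xe9 in message",
]

# Any C0 control character (TAB included) or DEL: invisible in plain `cat` output.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def cat_a(line: str) -> str:
    """Render one line the way `cat -A` (cat -vET) does: TAB -> ^I, other control
    characters -> ^X, DEL -> ^?, bytes >= 0x80 -> M- notation, trailing '$'."""
    out = []
    for byte in line.encode("latin-1", errors="replace"):
        prefix = ""
        if byte >= 0x80:  # high bit set: cat -v prints "M-" then the low 7 bits
            prefix, byte = "M-", byte - 0x80
        if byte == 0x7F:
            out.append(prefix + "^?")
        elif byte < 0x20:
            out.append(prefix + "^" + chr(byte + 0x40))  # 0x09 (TAB) becomes ^I
        else:
            out.append(prefix + chr(byte))
    return "".join(out) + "$"


def normalize(line: str) -> str:
    """Replace TABs and other control characters with single spaces, mirroring
    the syslog rewrite rule from the thread, so space-based patterns match."""
    return CONTROL_RE.sub(" ", line)


def scan(lines, critical_pattern: str):
    """Minimal check_logfiles-style pass: count lines whose normalized text matches
    the critical pattern, and return the cat -A rendering of every line that hides
    control characters, so the operator can see why a raw match might fail."""
    pattern = re.compile(critical_pattern)
    criticals, suspects = 0, []
    for line in lines:
        if CONTROL_RE.search(line):
            suspects.append(cat_a(line))
        if pattern.search(normalize(line)):
            criticals += 1
    return criticals, suspects
```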

majed17 commented 3 years ago

Well, the only difference between cat and cat -A is the "44 $", i.e. a space and a $ sign are added at the end, but I think your solution is like buying a cane instead of fixing the disease by adding sulfur powder.

nicnictout commented 3 years ago

OK, nothing strange in your string, so... I found it easier and quicker to add a rewrite rule in syslog than to try to debug the plugin script with its thousands of lines of code :)

majed17 commented 3 years ago

As wise people say, laziness is half the way to hell, and that is why Microsoft is buggy, buggy, buggy!