search

lausser / check_logfiles

A plugin (monitoring-plugin, not nagios-plugin, see also http://is.gd/PP1330) which scans logfiles for patterns.
https://omd.consol.de/docs/plugins/check_logfiles/
GNU General Public License v2.0
46 stars 27 forks source link

seekfiles ignored after server reboot #65

Open nicutor opened 2 years ago

nicutor commented 2 years ago

Hi,

I gave a reboot to the server and even if the seekfile was there, the logfile was fully processed again.

$protocolsdir = '/usr/local/test/tmp/logfiles';
$seekfilesdir = '/usr/local/test/tmp/logfiles';
$protocolretention = '30';
$scriptpath = '/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/local/test/bin';
$options = 'preview=1';

@searches = (
  {
    tag => 'test',
    logfile => '/usr/local/test/logs/test_log',
    criticalpatterns => [
      '\{test\}'
    ],
    options => 'nologfilenocry,nosavethresholdcount,maxlength=1024,allyoucaneat,criticalthreshold=1,script',
    script => 'logfiles_test.sh'
  }
);

Because of this, the script was run again even if was not supposed to do so.

Is this the normal behaviour? I am missing something? Shouldn't the seekfile be used all the time if exists?

Thank you.

lausser commented 2 years ago

You should run it with "-v", then you see some internals, especially how the plugin sees a changed logfile.

Von: Nicu B @. Gesendet: Donnerstag, 20. Januar 2022 10:01 An: lausser/check_logfiles @.> Cc: Subscribed @.***> Betreff: [lausser/check_logfiles] seekfilesdir ignored after server reboot (Issue #65)

Hi,

I gave a reboot to the server and even if the seekfile was there, the logfile was fully processed again.

$protocolsdir = '/usr/local/test/tmp/logfiles'; $seekfilesdir = '/usr/local/test/tmp/logfiles'; $protocolretention = '30'; $scriptpath = '/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/local/test/bin'; $options = 'preview=1';

@searches = ( { tag => 'test', logfile => '/usr/local/test/logs/test_log', criticalpatterns => [ '{test}' ], options => 'nologfilenocry,nosavethresholdcount,maxlength=1024,allyoucaneat,criticalthreshold=1,script', script => 'logfiles_test.sh' } );

Because of this, the script was run again even if was not supposed to do so.

Is this the normal behaviour? I am missing something? Shouldn't the seekfile be used all the time if exists?

Thank you.

— Reply to this email directly, view it on GitHub https://github.com/lausser/check_logfiles/issues/65 , or unsubscribe https://github.com/notifications/unsubscribe-auth/AABQSOG4Q7UQHRY4XGEWZL3UW7FL5ANCNFSM5MMETUXA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub . You are receiving this because you are subscribed to this thread. https://github.com/notifications/beacon/AABQSOCEYSQXVIYCVEYGQWTUW7FL5A5CNFSM5MMETUXKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4QQ2QSKQ.gif Message ID: @. @.> >

hpreusse commented 2 years ago

Same issue here, the "check_logfiles -v" is attached. Striking is the message

Fri Jan 28 15:47:23 2022: this is not the same logfile /appl/laugh/test.log 64774:4163772 != 64770:4163772

check_logfiles thinks that this is a new file due to the changing device id. Informations about the system: this is a KVM VM, file system is xfs and we're using LVM. The changing device id's are visible in the seek file (parameter "devino"). How can we avoid that then device id's are read and used to recognize the log file? Thanks!

changing_device_id.log

hpreusse commented 2 years ago

Another remark: the elastic people have similar issues, here the file identity strategy can be configured.

lausser commented 2 years ago

I just made check_logfiles-4.0.1.3.tar.gz

It adds an option ramdomdevno, which ignores the device number and only looks at the inode.

Von: hpreusse @. Gesendet: Freitag, 28. Januar 2022 16:53 An: lausser/check_logfiles @.> Cc: Gerhard Lausser @.>; Comment @.> Betreff: Re: [lausser/check_logfiles] seekfiles ignored after server reboot (Issue #65)

Same issue here, the "check_logfiles -v" is attached. Striking is the message

Fri Jan 28 15:47:23 2022: this is not the same logfile /appl/laugh/test.log 64774:4163772 != 64770:4163772

check_logfiles thinks that this is a new file due to the changing device id. Informations about the system: this is a KVM VM, file system is xfs and we're using LVM. The changing device id's are visible in the seek file (parameter devino). How can we avoid that then device id's are read and used to recognize the log file? Thanks!

changing_device_id.log https://github.com/lausser/check_logfiles/files/7959928/changing_device_id.log

— Reply to this email directly, view it on GitHub https://github.com/lausser/check_logfiles/issues/65#issuecomment-1024350320 , or unsubscribe https://github.com/notifications/unsubscribe-auth/AABQSOEM4IRWJFAFAWAJ53LUYK3VZANCNFSM5MMETUXA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub . You are receiving this because you commented.Message ID: @.***>

hpreusse commented 2 years ago

Sorry, I'm to stupid to use that option. What am I doing wrong? ramdomdevno does not work either although the commit c29c3d4 gives the idea that correct option name is randomdevno. Thanks!

[icinga@hostname ~]$ /opt/laugh/icinga/scripts/check_logfiles_v4.0.1.3 -v '--criticalpattern' 'error|fehler' '--logfile' '/appl/laugh/test.log' '--warningpattern' 'warning|warnung'                                                          Mon Jan 31 21:16:53 2022: ==================== /appl/laugh/test.log ==================
Mon Jan 31 21:16:53 2022: try pre2seekfile /var/tmp/check_logfiles/check_logfiles.test.log.seek instead
Mon Jan 31 21:16:53 2022: try pre3seekfile /tmp/check_logfiles._appl_laugh_test.log.seek instead
Mon Jan 31 21:16:53 2022: no seekfile /var/tmp/check_logfiles/check_logfiles._appl_laugh_test.log.seek found
Mon Jan 31 21:16:53 2022: but logfile /appl/laugh/test.log found
Mon Jan 31 21:16:53 2022: ILS lastlogfile = /appl/laugh/test.log
Mon Jan 31 21:16:53 2022: ILS lastoffset = 119 / lasttime = 0 (Thu Jan  1 01:00:00 1970) / inode = 64770:4163772
Mon Jan 31 21:16:53 2022: the logfile did not change
Mon Jan 31 21:16:53 2022: keeping position 119 and time 0 (Thu Jan  1 01:00:00 1970) for inode 64770:4163772 in mind
OK - no errors or warnings|'default_lines'=0 'default_warnings'=0 'default_criticals'=0 'default_unknowns'=0
[icinga@hostname ~]$ /opt/laugh/icinga/scripts/check_logfiles_v4.0.1.3 -v '--criticalpattern' 'error|fehler' '--logfile' '/appl/laugh/test.log' '--warningpattern' 'warning|warnung' --randomdevno
Unknown option: randomdevno
<snip>
[icinga@hostname ~]$ /opt/laugh/icinga/scripts/check_logfiles_v4.0.1.3 -version
check_logfiles_v4.0.1.3 v4.0.1.3
hpreusse commented 2 years ago

I can confirm that version 4.1 (when using the option --randomdevno) solves the issue for me. Many thanks!