Thanks for the reply, Tino. Yes - I should have mentioned that in fact
I have been using an external script to perform this task - I was just
hoping that there might be a more "elegant" way to manage it. My
existing script does the trick well enough, and I use it to gradually
escalate the response from just clearing the route cache on the local
server, all the way up to remotely rebooting the VPN server.
On 11/29/2016 11:09 PM, Tino Hendricks wrote:
Ha! That’s a tricky one!
I’m a big fan of handling these kinds of tasks in an external script and
letting monit deal with the result of this script.
The difficulty here IMHO is that the pure *absence* of the desired string is
not the problem but the absence in… what? 60 seconds? last 500 log lines?
This is what you need to define first, I think: After what amount of time or
log lines do you want to be informed that something is wrong. And then you can
check for e.g.
tail -500 /var/log/apache2/updates5080_access.log | grep "^100\.10[79]"
for "in the last 500 log lines"
or
tail -500 /var/log/apache2/updates5080_access.log | grep "`date +%d/%b/%Y:%H:%M`"
for "within the last 500 log lines, within the last minute"
HTH
Tino
On 30 November 2016 at 02:11:08, Paul Theodoropoulos wrote:
I need to monitor an apache log file for the *lack* of connections from
two specific private netblocks. The server gets connections from many
networks, but if these specific netblocks stop showing up, it means that
an upstream VPN isn't passing traffic, so there's a problem that needs
to be addressed. I do monitor the VPN itself separately, but sometimes
the path to this particular destination can break silently.
If I use a configuration file such as this:
check file vzw-to-update with path /var/log/apache2/updates5080_access.log
if content != "^100\.10[79]" for 1 cycles then alert
The problem is, monit's logfile is filled with reports of content
matches, and it goes into alert immediately.
Nov 29 15:18:00 sts-ocs-web-a monit[519]: 'vzw-to-update' content match:
Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.201.27.227 - -
[29/Nov/2016:15:17:02 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071
"-" "Wget/1.10.2"
Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.213.233.142 - -
[29/Nov/2016:15:17:03 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071
"-" "Wget/1.10.2"
Nov 29 15:18:00 sts-ocs-web-a monit[519]: 75.211.141.193 - -
[29/Nov/2016:15:17:05 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071
"-" "Wget/1.10.2"
Which is true, since the log has lots of entries that don't match that
string's *absence*.
So I thought I could be clever, and ignore the content that is *not* the
string whose absence I'm looking for -
check file vzw-to-update with path /var/log/apache2/updates5080_access.log
ignore content != "^100\.10[79]"
if content != "^100\.10[79]" for 2 cycles then alert
But as I suspected, it basically creates a 'black hole' - it never
alerts (confirmed by blocking those networks for several minutes with
iptables).
I'm not really sure how to tackle this problem - which may be more of a
problem with my (weak) understanding of eregex syntax rather than a
monit problem.
--
Paul Theodoropoulos
www.anastrophe.com
--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general
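An added example, not part of the original thread and not Paul's own script: one way to write the external check Tino describes, where the netblocks count as present only if a line matching ^100\.10[79] within the last 500 log lines has a timestamp inside a chosen window. The function names, the sample log lines (constructed), the 900-second default and the script path in the monit stanza are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Exit 0 if a client matching
# ^100\.10[79] appears in the last 500 log lines with a timestamp inside
# the window, exit 1 otherwise, so monit only has to test the exit status.
# Assumed monit stanza (script path is hypothetical):
#   check program vzw-to-update with path "/usr/local/bin/vzw_seen.sh /var/log/apache2/updates5080_access.log"
#     if status != 0 for 2 cycles then alert

netblock_seen() {
    # $1 = access log, $2 = window in seconds, $3 = "now" as epoch seconds
    # (defaults to the current time; a fixed value makes the check testable)
    tail -n 500 "$1" | awk -v win="$2" -v now="${3:-$(date +%s)}" '
    function epoch(stamp, zone,    p, y, m, d, mp, era, yoe, doe, off) {
        # stamp: 29/Nov/2016:15:17:02   zone: -0800   (Apache access log format)
        split(stamp, p, "[/:]")
        d = p[1] + 0; y = p[3] + 0
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", p[2]) + 2) / 3
        if (m <= 2) y--
        mp  = (m > 2) ? m - 3 : m + 9            # months counted from March
        era = int(y / 400); yoe = y - era * 400
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + int((153 * mp + 2) / 5) + d - 1
        off = substr(zone, 2, 2) * 3600 + substr(zone, 4, 2) * 60
        if (substr(zone, 1, 1) == "-") off = -off
        return (era * 146097 + doe - 719468) * 86400 + p[4] * 3600 + p[5] * 60 + p[6] - off
    }
    $1 ~ /^100\.10[79]/ {
        age = now - epoch(substr($4, 2), substr($5, 1, 5))
        if (age >= 0 && age <= win) found = 1
    }
    END { exit(found ? 0 : 1) }'
}

sample_log() {
    # Constructed sample lines: one watched-netblock hit, then unrelated clients.
    cat <<'EOF'
100.107.4.20 - - [29/Nov/2016:15:02:10 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
75.201.27.227 - - [29/Nov/2016:15:17:02 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
75.213.233.142 - - [29/Nov/2016:15:17:03 -0800] "GET /updates/filetimes HTTP/1.0" 200 50071 "-" "Wget/1.10.2"
EOF
}

# When run as a script with a log path, check a 900-second window by default.
if [ $# -ge 1 ]; then netblock_seen "$1" "${2:-900}"; fi
```

In the sample, the matching line is still within the last 500 lines but 950 seconds old at 15:18:00, so a 900-second window reports the netblocks as missing while a plain tail-and-grep would not.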