[checkmk-commits] Check_MK Git: check_mk: logwatch: allow to classify messages based on their count

Module: check_mk Branch: master Commit: 19587113966e62c2669648fc5a01d9831e0651ad URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=19587113966e62… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Mon Nov 14 15:26:50 2011 +0100 logwatch: allow to classify messages based on their count --- ChangeLog | 2 ++ checkman/logwatch | 17 ++++++++++++++++- checks/logwatch | 46 ++++++++++++++++++++++++++++++++++++++++------ 3 files changed, 58 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index f0304ab..b6f11e7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,8 @@ to process and which levels of messages to send. * Windows agent: new config variable "host" in all sections that restricts the folling entries to certain hosts. + * logwatch: allow to classify messages based on their count (see + man page of logwatch for details) Multisite: * New nifty sidebar snapin "Speed-O-Meter" diff --git a/checkman/logwatch b/checkman/logwatch index fe9f1a8..c769e62 100644 --- a/checkman/logwatch +++ b/checkman/logwatch @@ -33,6 +33,7 @@ examples: logwatch_patterns = { "System": [ ('W', "crash"), ('I', "svchost") ], + ((10,30), "login.*failed") ], "/var/log/messages": [ ( ['test'], ALL_HOSTS, 'I', "sshd") ] } @@ -41,7 +42,14 @@ patterns (list): The parameter can be used to reclassify log messages sent by the agent. You can assign one of the three levels {'I'} (ignore), {'W'} (warning) or {'C'} (critical) to each message. It is only possible - to reclassify messages with an original level of {W} or {C}. + to reclassify messages that have already been classified + by the agent with an original level of {I}, {W} or {C}. + As of version 1.1.13i1 the Windows agent supports sending + always all messages and classifying non-problems as {I}. + This is done by a configution + via {check_mk.ini} and setting the level for a logfile to {all}. + Those messages can later be reclassified. + Each entry of the list is a pair of the new level and an extended regular expression searched in the log line. Please note, that because logwatch checks are usually @@ -49,6 +57,13 @@ patterns (list): The parameter can be used to reclassify {logwatch_patterns} instead of explicit check parameters. Example: {[ ('I', "sshd"), ('C', "foo.*bar") ]} + In the current version of this check a level can be substituted + by a pair of numbers, e.g. instead of {'W'} you can write {(10, 20)}. + In that case the message will be considered as {'I'} for the first + 9 appearances, further appearances will be classified as {'W'} and + from the 20th message on it will be {'C'}. The counts are reset each + time the host is being checked. + [configuration] logwatch_patterns (dict): A dictionary for reclassifying the level of certain messages. This is especially useful diff --git a/checks/logwatch b/checks/logwatch index 16a91e3..4e118cf 100644 --- a/checks/logwatch +++ b/checks/logwatch @@ -44,9 +44,9 @@ def inventory_logwatch(info): #logwatch_patterns = { # 'System': [ # ( 'W', 'sshd' ), -# ( ['host1', 'host2'], 'C', 'ssh' ), # only applies to certain hosts +# ( ['host1', 'host2'], 'C', 'ssh' ), # only applies to certain hosts # ( ['lnx', 'dmz'], ALL_HOSTS, 'C', 'ssh' ), # only applies to host having certain tags - +# ( ALL_HOSTS, (10, 20), 'x' ), # at 10 messages per interval warn, at 20 crit # ( 'I', '0' ) # ], # 'Application': [ @@ -55,7 +55,25 @@ def inventory_logwatch(info): # ] # } -# Extracts only pattern relevant for current host and item. +# New rule-stule logwatch_rules in WATO friendly consistent rule notation: +# +# logwatch_rules = [ +# ( [ PATTERNS ], ALL_HOSTS, [ "Application", "System" ] ), +# ] +# All [ PATTERNS ] of matching rules will be concatenated in order of +# appearance. +# +# PATTERN is a list like: +# [ ( 'I', ".*ssh.*" ), # Ignore these messages +# ( (10, 20), "login" ), # Warning at 10 messages, Critical at 20 +# ( 'C', "bad" ), # Always critical +# ( 'W', "not entirely bad" ), # Always warning +# ] +# + + + +# Extracts patterns that are relevant for the current host and item. # Constructs simple list of pairs: [ ('W', 'crash.exe'), ('C', 'sshd.*test') ] def logwatch_precompile(hostname, item, params): patterns = logwatch_patterns.get(item) @@ -82,16 +100,31 @@ def logwatch_precompile(hostname, item, params): return params -def logwatch_reclassify(patterns, text): +def logwatch_reclassify(counts, patterns, text): for level, pattern in patterns: reg = compiled_regexes.get(pattern) if not reg: reg = re.compile(pattern) compiled_regexes[pattern] = reg if reg.search(text): - return level + # If the level is not fixed like 'C' or 'W' but a pair like (10, 20), + # then we count how many times this pattern has already matched and + # assign the levels according to the number of matches of this pattern. + if type(level) == tuple: + warn, crit = level + newcount = counts.setdefault(id(pattern), 0) + 1 + counts[id(pattern)] = newcount + if newcount >= crit: + return 'C' + elif newcount >= warn: + return 'W' + else: + return 'I' + else: + return level return None + # In case of a precompiled check, params contains the precompiled # logwatch_patterns for the logfile we deal with. If using check_mk # without precompiled checks, the params must be None an will be @@ -183,6 +216,7 @@ def check_logwatch(item, params, info): else: patterns = logwatch_precompile(g_hostname, item, None) + counts = {} # for counting number of matches of a certain pattern if len(loglines) > 0: worst = 0 newloglines = [] @@ -194,7 +228,7 @@ def check_logwatch(item, params, info): else: text = "" if patterns and level != '.': # do never reclassify informational context messages - newlevel = logwatch_reclassify(patterns, text) + newlevel = logwatch_reclassify(counts, patterns, text) if newlevel != None: level = newlevel