Module: check_mk
Branch: master
Commit: 19587113966e62c2669648fc5a01d9831e0651ad
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=19587113966e62…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Mon Nov 14 15:26:50 2011 +0100
logwatch: allow to classify messages based on their count
---
ChangeLog | 2 ++
checkman/logwatch | 17 ++++++++++++++++-
checks/logwatch | 46 ++++++++++++++++++++++++++++++++++++++++------
3 files changed, 58 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f0304ab..b6f11e7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,8 @@
to process and which levels of messages to send.
* Windows agent: new config variable "host" in all sections that
restricts the folling entries to certain hosts.
+ * logwatch: allow to classify messages based on their count (see
+ man page of logwatch for details)
Multisite:
* New nifty sidebar snapin "Speed-O-Meter"
diff --git a/checkman/logwatch b/checkman/logwatch
index fe9f1a8..c769e62 100644
--- a/checkman/logwatch
+++ b/checkman/logwatch
@@ -33,6 +33,7 @@ examples:
logwatch_patterns = {
"System": [ ('W', "crash"),
('I', "svchost") ],
+ ((10,30), "login.*failed") ],
"/var/log/messages": [ ( ['test'], ALL_HOSTS, 'I',
"sshd") ]
}
@@ -41,7 +42,14 @@ patterns (list): The parameter can be used to reclassify
log messages sent by the agent. You can assign one of
the three levels {'I'} (ignore), {'W'} (warning) or
{'C'} (critical) to each message. It is only possible
- to reclassify messages with an original level of {W} or {C}.
+ to reclassify messages that have already been classified
+ by the agent with an original level of {I}, {W} or {C}.
+ As of version 1.1.13i1 the Windows agent supports sending
+ always all messages and classifying non-problems as {I}.
+ This is done by a configution
+ via {check_mk.ini} and setting the level for a logfile to {all}.
+ Those messages can later be reclassified.
+
Each entry of the list is a pair of the new level and an
extended regular expression searched in the log line.
Please note, that because logwatch checks are usually
@@ -49,6 +57,13 @@ patterns (list): The parameter can be used to reclassify
{logwatch_patterns} instead of explicit check parameters.
Example: {[ ('I', "sshd"), ('C', "foo.*bar") ]}
+ In the current version of this check a level can be substituted
+ by a pair of numbers, e.g. instead of {'W'} you can write {(10, 20)}.
+ In that case the message will be considered as {'I'} for the first
+ 9 appearances, further appearances will be classified as {'W'} and
+ from the 20th message on it will be {'C'}. The counts are reset each
+ time the host is being checked.
+
[configuration]
logwatch_patterns (dict): A dictionary for reclassifying
the level of certain messages. This is especially useful
diff --git a/checks/logwatch b/checks/logwatch
index 16a91e3..4e118cf 100644
--- a/checks/logwatch
+++ b/checks/logwatch
@@ -44,9 +44,9 @@ def inventory_logwatch(info):
#logwatch_patterns = {
# 'System': [
# ( 'W', 'sshd' ),
-# ( ['host1', 'host2'], 'C', 'ssh' ), # only applies
to certain hosts
+# ( ['host1', 'host2'], 'C', 'ssh' ), # only
applies to certain hosts
# ( ['lnx', 'dmz'], ALL_HOSTS, 'C', 'ssh' ), # only
applies to host having certain tags
-
+# ( ALL_HOSTS, (10, 20), 'x' ), # at 10 messages per interval warn, at 20
crit
# ( 'I', '0' )
# ],
# 'Application': [
@@ -55,7 +55,25 @@ def inventory_logwatch(info):
# ]
# }
-# Extracts only pattern relevant for current host and item.
+# New rule-stule logwatch_rules in WATO friendly consistent rule notation:
+#
+# logwatch_rules = [
+# ( [ PATTERNS ], ALL_HOSTS, [ "Application", "System" ] ),
+# ]
+# All [ PATTERNS ] of matching rules will be concatenated in order of
+# appearance.
+#
+# PATTERN is a list like:
+# [ ( 'I', ".*ssh.*" ), # Ignore these messages
+# ( (10, 20), "login" ), # Warning at 10 messages, Critical at 20
+# ( 'C', "bad" ), # Always critical
+# ( 'W', "not entirely bad" ), # Always warning
+# ]
+#
+
+
+
+# Extracts patterns that are relevant for the current host and item.
# Constructs simple list of pairs: [ ('W', 'crash.exe'), ('C',
'sshd.*test') ]
def logwatch_precompile(hostname, item, params):
patterns = logwatch_patterns.get(item)
@@ -82,16 +100,31 @@ def logwatch_precompile(hostname, item, params):
return params
-def logwatch_reclassify(patterns, text):
+def logwatch_reclassify(counts, patterns, text):
for level, pattern in patterns:
reg = compiled_regexes.get(pattern)
if not reg:
reg = re.compile(pattern)
compiled_regexes[pattern] = reg
if reg.search(text):
- return level
+ # If the level is not fixed like 'C' or 'W' but a pair like
(10, 20),
+ # then we count how many times this pattern has already matched and
+ # assign the levels according to the number of matches of this pattern.
+ if type(level) == tuple:
+ warn, crit = level
+ newcount = counts.setdefault(id(pattern), 0) + 1
+ counts[id(pattern)] = newcount
+ if newcount >= crit:
+ return 'C'
+ elif newcount >= warn:
+ return 'W'
+ else:
+ return 'I'
+ else:
+ return level
return None
+
# In case of a precompiled check, params contains the precompiled
# logwatch_patterns for the logfile we deal with. If using check_mk
# without precompiled checks, the params must be None an will be
@@ -183,6 +216,7 @@ def check_logwatch(item, params, info):
else:
patterns = logwatch_precompile(g_hostname, item, None)
+ counts = {} # for counting number of matches of a certain pattern
if len(loglines) > 0:
worst = 0
newloglines = []
@@ -194,7 +228,7 @@ def check_logwatch(item, params, info):
else:
text = ""
if patterns and level != '.': # do never reclassify informational
context messages
- newlevel = logwatch_reclassify(patterns, text)
+ newlevel = logwatch_reclassify(counts, patterns, text)
if newlevel != None:
level = newlevel