Module: check_mk
Branch: master
Commit: a9e2e60ed304083416a5b3350c6b5cda903c6622
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a9e2e60ed30408…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Wed Jan 21 12:18:47 2015 +0100
#1672 Now able reclassify logwatch messages before forwarding them to the event console
You are now able to apply already existing logwatch patterns to the messages which
are sent to the event console. Each message can be reclassified to a different alert
level
and even set to IGNORED, which causes a message not to be sent to the event console.
This pre-sorting might reduce the load of the event console.
Keep in mind that the logwatch patterns are configured by host and logfile name.
These restrictions also apply to the messages intended for the event console.
So you can configure a logwatch pattern specifically designed for messages from a certain
logfile.
For example, you can reclassify any messages from a logfile <i>access.log</i>
containing "C Login error" to
"I Login error". Any message of <i>access.log</i> containing the
"Login error" pattern will therefore get ignored and
not sent to the event console.
---
.werks/1672 | 20 +++++++++++++
ChangeLog | 1 +
checks/logwatch | 51 ++++++++++++++++++++++++++++++++++
web/plugins/wato/check_parameters.py | 15 +++++++++-
4 files changed, 86 insertions(+), 1 deletion(-)
diff --git a/.werks/1672 b/.werks/1672
new file mode 100644
index 0000000..8459260
--- /dev/null
+++ b/.werks/1672
@@ -0,0 +1,20 @@
+Title: Now able reclassify logwatch messages before forwarding them to the event console
+Level: 2
+Component: ec
+Compatible: compat
+Version: 1.2.7i1
+Date: 1421838593
+Class: feature
+
+You are now able to apply already existing logwatch patterns to the messages which
+are sent to the event console. Each message can be reclassified to a different alert
level
+and even set to IGNORED, which causes a message not to be sent to the event console.
+This pre-sorting might reduce the load of the event console.
+
+Keep in mind that the logwatch pattern are configured by host and the logfile name.
+These restrictions do also apply to the messages intented for the event console.
+So you can configure a logwatch pattern specifially designed for a message from a certain
logfile.
+
+For example, you can reclassify any messages from a logfile <i>access.log</i>
containing "C Login error" to
+"I Login error". Any message of <i>access.log</i> containing the
"Login error" pattern will therefore get ignored and
+not sent to the event console.
diff --git a/ChangeLog b/ChangeLog
index f6f89bc..84f5647 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -152,6 +152,7 @@
Event Console:
* 1845 Keep record of original source IP address of a syslog message or SNMP trap...
* 1873 SEC: Escaping event text of event console messages correctly in views...
+ * 1672 Now able reclassify logwatch messages before forwarding them to the event
console...
* 1839 FIX: Fix exception when notifying EC alert into monitoring for traps (because
PID is missing)
* 1813 FIX: Fixed bug in event console rule editor when no contact groups configured
diff --git a/checks/logwatch b/checks/logwatch
index d4554f9..d24596d 100644
--- a/checks/logwatch
+++ b/checks/logwatch
@@ -584,8 +584,30 @@ def check_logwatch_ec(item, params, info):
messages = []
cur_time = syslog_time()
forwarded_logfiles = set([])
+
+ # Get the logwatch patterns if they are not already precompiled
+ if "logwatch_patterns" not in params:
+ logwatch_ec_precompile(g_hostname, None, params)
+
for logfile, lines in logs.items():
+ # Determine logwatch patterns specifically for this logfile
+ log_reclassify_patterns = []
+ for entry in params["logwatch_patterns"]:
+ patterns, log_items = entry
+ for log_item in log_items:
+ reg = regex(log_item)
+ if reg.search(logfile):
+ log_reclassify_patterns.extend(patterns)
+
for line in lines:
+ if log_reclassify_patterns:
+ counts = {} # unused...
+ level, text = line.split(" ", 1)
+ level = logwatch_reclassify(counts, log_reclassify_patterns, line[2:]) or
level
+ if level == "I": # Ignored lines are not forwarded
+ continue
+
+
msg = '<%d>' % (facility + logwatch_to_prio(line[0]),)
msg += '%s %s %s: %s' % (cur_time, g_hostname, logfile, line[2:])
messages.append(msg)
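Review bot: The reclassified `level` is only used for the `"I"` test, while the priority is still built from `logwatch_to_prio(line[0])`. A line reclassified to any level other than IGNORE therefore reaches the event console with its original severity, which does not match the commit description. Set `level = line[0]` before the `if log_reclassify_patterns:` block, keep the `... or level` fallback, and build the message with `logwatch_to_prio(level)`. The `level, text = line.split(" ", 1)` unpacking also raises ValueError on a line with no space after the level character, and `text` is never read afterwards, so the split can be dropped in favour of `line[0]` and `line[2:]`, which the rest of the loop already uses. check_logwatch_ec starts and ends outside this hunk.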
@@ -650,6 +672,35 @@ def check_logwatch_ec(item, params, info):
return (2, 'Unable to forward messages to event console (%s). Lost %d
messages.' %
(e, num_messages))
+def logwatch_ec_precompile(hostname, item, params):
+ if not params.get("logwatch_reclassify"):
+ params.update({"logwatch_patterns": []})
+ return params
+
+ if not serviceruleset_is_converted(logwatch_rules):
+ convert_service_ruleset(logwatch_rules)
+
+ tags = tags_of_host(hostname)
+ logwatch_patterns = []
+ # Filter out any logwatch_rules which do apply to to this host
+ # 1st filter: Do not use rules where the hostname does not match
+ # 2nd filter: Do not use rules with configured items where no item matches the
+ # "restrict_logfiles" condition (if applicable)
+ for rule in logwatch_rules:
+ patterns, hosts, rule_items = rule
+ if hostname in hosts:
+ if params.get("restrict_logfiles"):
+ for rule_item in rule_items:
+ if rule_item == "" or
logwatch_ec_forwarding_enabled(params, rule_item):
+ logwatch_patterns.append( (map(lambda x: x[:2], patterns),
rule_items) )
+ break
+ else:
+ logwatch_patterns.append( (map(lambda x: x[:2], patterns), rule_items) )
+ params.update({"logwatch_patterns": logwatch_patterns})
+ return params
+
+precompile_params['logwatch.ec'] = logwatch_ec_precompile
+
check_info['logwatch.ec'] = {
'check_function': check_logwatch_ec,
'inventory_function': inventory_logwatch_ec,
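Review bot: `tags = tags_of_host(hostname)` is assigned and never read in logwatch_ec_precompile, and rules are selected with a plain `hostname in hosts`, so any host-tag condition on a logwatch rule appears not to be evaluated here (what `convert_service_ruleset` leaves in `hosts` is not visible in this hunk, so this needs confirming). Because a matching pattern can set lines to IGNORE and keep them out of the event console, a rule applied to the wrong set of hosts silently changes what gets forwarded; either reuse the host matching the logwatch check itself applies, or drop the unused assignment and document the limitation. The comment above the loop says the opposite of what the code does and could read `# Keep only the logwatch_rules which apply to this host`. The function also has no docstring; one line stating that it stores a list of `(patterns, rule_items)` tuples under `params["logwatch_patterns"]` and returns the same dict, modified in place, would help.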
diff --git a/web/plugins/wato/check_parameters.py b/web/plugins/wato/check_parameters.py
index d65b304..d06f302 100644
--- a/web/plugins/wato/check_parameters.py
+++ b/web/plugins/wato/check_parameters.py
@@ -6503,8 +6503,21 @@ register_check_parameters(subgroup_applications,
"all of the logfiles listed here are reported
by the monitored system."),
)
),
+ ('logwatch_reclassify',
+ Checkbox(
+ title = _("Reclassify messages before forwarding them
to the EC"),
+ label = _("Apply logwatch patterns"),
+ help = _("If this option is enabled, the logwatch lines
are first reclassified by the logwatch "
+ "patterns before they are sent to the event
console. If you reclassify specific lines to "
+ "IGNORE they are not forwarded to the event
console. This takes the burden from the "
+ "event console to process the message itself
through all of its rulesets. The reclassifcation "
+ "of each line takes into account from which
logfile the message originates. So you can create "
+ "logwatch reclassification rules specifically
designed for a logfile <i>access.log</i>, "
+ "which do not apply to other logfiles."),
+ )
+ )
],
- optional_keys = ['restrict_logfiles',
'expected_logfiles'],
+ optional_keys = ['restrict_logfiles',
'expected_logfiles', 'logwatch_reclassify'],
),
],
default_value = '',
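Review bot: The help string contains the typo `reclassifcation` (should be `reclassification`), which presumably also ends up in the translation catalogue because the text is wrapped in `_()`. Since lines set to IGNORE are discarded before forwarding, the help would benefit from one more sentence saying that such lines leave no record in the event console, so operators keep IGNORE patterns narrow. The enclosing register_check_parameters call starts and ends outside this hunk.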