check_log3 inconsistant results & permission denied

[chknet]

Simple Diagram of Network without backbone structure.

Nagios XI -> cloud/internet -> Remote Linux Server with NRPE configured

We are using this via a NRPE check through a Remote Linux Sever to check its own log files.

On this Remote Linux Server I have placed check_log3.pl file in /usr/local/nagios/libexec

Issue 1:
As root user, I get inconsistent results.
./check_log3 -l /var/log/messages -p 'START'
I get lots back which is expected.
./check_log3 -l /var/log/messages -p 'SELinux'
I get a 0 count. which is not expected as this word is in this log file.

Why doesn't it find the words I am searching for?

Issue 2

I have set this up in Nagios XI, as a NRPE check , I get permission denied on /var/log/messages.

I understand Linux permissions.

I am just wondering what is the recommend to set the permission for the log file reading?

I am guessing you want nagios to be in the group permission on this Remote Server.
I wish to keep my Linux server as secure as possible.

[scottwilkerson]

Could you post a copy of the check_log3 plugin you are using so we have a point of reference...

Thanks.

As for the permissions, you will need to allow the nagios user x access into the directory and r access to the log file

[chknet]

I emailed the developer of this plugin, and I got this response. It all makes sense now.

Somehow, I missed that you always need a seek file.
If you are using more than one check on a log file, make different seek files as noted below.


The plugin should run just fine as root.  What might be happening is that
the plugin is not reading the whole log, as I see you're not specifying a
seek file.  That will make the plugin store its log position in the file
/tmp/messages.seek, so that the next time is run it will start reading at
that position instead of the beginning of the file.

However, if you have more than one service check reading the same log file
this causes problems as the same seek file will be used for all checks.

You can see this happening by running the plugin with the --debug option.

You probably want to specify a seek file explicitly for each check.  E.g.:

check_log3.pl -l /var/log/messages -s /tmp/messages.fail.seek -p failed
check_log3.pl -l /var/log/messages -s /tmp/messages.selinux.seek -p SELinux

This will make the plugin use separate file position counters for each one.

When testing you can do one of these things:

- Run the plugin with the "-s /dev/null" option so it doesn't use a seek file
- "rm /tmp/messages.seek" between runs to reset the counter manually

It that doesn't help then the issue might be character set related but that
is very uncommon on Linux.  (The plugin assumes UTF-8 input, which is the
default on most installations.)
file.

My tests work just fine now. I will go change permission accordingly. I hope this helps someone else out.

[tmcdonald]

Are we all clear to close this up then?