nagiosxi check logfile for unix

[michaelli]

Dear support,

I have a problem about nagios XI use "check_nrpe!check_logfiles" for checking unix's system logging message.

Eg. I have set 3 mins for checking messages periodically. If there are many error find in message file within 3mins. Nagios XI only display the latest error.

Our operation team request to display all error in nagios. Does it possible to do that?

Or I suggest it can display all error/warning within 2 hours.

Thanks.

[abrist]

See: http://labs.consol.de/nagios/check_logfiles/

Our operation team request to display all error in nagios. Does it possible to do that?

You can set the plugin to generate multiline output:

–report=[short|long|html]This option turns on multiline output (Default: off). The setting html generates a table which display the last hits in the service details view.

Or I suggest it can display all error/warning within 2 hours.

You will most likely have to write, and then subsequently call, a custom script from check_logfiles. Take a look at the link above (a few pages down), there is an example of calling an external script from check_logfiles. Just a warning, this can get complex quickly.

[michaelli]

Hi abrist,

Thanks. It is work for add $options = 'report=long, maxlength=1024'; in cfg file.

But how to configure all errors are display in State History?

[abrist]

I do not believe you can do so. First, state history is limited to non-multiline output, also, the plugin will only output the max you have configured.

[michaelli]

Hi abrist,

I hope this feature can be added to future version because system support do no need to login hosts to review the error messages.

Moreover, Does it possible to show all error entry in "Operations Center" and "Operations Screen"?

[tmcdonald]

I don't think a feature request of this sort will make it in, because we have another product specifically for log analysis: Nagios Log Server

It's painless to set up, and does an incredible job of taking in logs, storing them, and allowing for later retrieval. It's a much better solution than trying to force a scheduled active check to look back over a period of time.

[eloyd]

Maybe I'll take all the custom programming I've done and turn them into plugins on the nagios exchange, but here's what I do (in English, not in code):

Fire off a check that does:

Code: Select all

comm -13 <old file in temp dir> <new file> | grep -c <thing we are looking for>; cp <new log file> <old file in temp dir>

This is a quick and dirty way to see what's in the new file that wasn't in the old file, grep for the error condition I'm trying to find, and then count the numbers. Process the exit status for OK WARNING CRITICAL and you have yourself a plugin.

[michaelli]

Hi eloyd,

Thanks for your reply. Do you mean we can use your method to allow nagios display all error in same state?

Could you describe more detail which file used for compare and update which file for nagios read.

[eloyd]

I will use /var/log/maillog as an example, and pretend that you are looking for "Aborted" logins. You first have to copy /var/log/maillog to a temporary file, and then you can run this:

Code: Select all

[ ! -r "/tmp/mailog" ] && cp /var/log/maillog /tmp/maillog && exit
comm -13 /tmp/maillog /var/log/maillog | grep -c "Aborted"
cp /var/log/maillog /tmp/maillog

That will tell you how many times the word "Aborted" appeared since the last time the check was run. This is very basic, but I think it is what you are trying to do. Wrap this into a more robust script that checks error codes and warning/critical values and you have yourself a Naigos plugin.

[tmcdonald]

eloyd's post will work for showing a total count, but if you need a comprehensive historical log of the results then you either need to check very frequently and hope your interval catches them all, or implement rsyslog and send to Logserver. Not trying to push a product on you, but that's one of the many reasons we launched Logserver in the first place.