Using Wildcards for monitoring logs.

jonathan.pugh
Posts: 2
Joined: Tue Sep 06, 2016 8:12 am

Using Wildcards for monitoring logs.

Post by jonathan.pugh »

Hi guys,

On my setup I have a Nagios alert looking for CRITICAL and ERROR in log files in a certain folder.

My current nagios check:

# log checks
seek_dir = /etc/nagios/logchecks
check_path = /usr/lib/nagios/plugins/check_log2.pl
/var/log/messages:
NOTICE
/var/log/example
CRITICAL
ERROR


My question: is there a way to wildcard this in Nagios? I have tried

/var/log/*

However, Nagios doesn't understand this.
Added question: if there is a way to wildcard the logs, is there a way to exclude zipped/rotated log files?

Thanks for reading :)
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Using Wildcards for monitoring logs.

Post by rkennedy »

For our reference, which plugin are you attempting to use, and can you post it for us to look at?
Former Nagios Employee
jonathan.pugh
Posts: 2
Joined: Tue Sep 06, 2016 8:12 am

Re: Using Wildcards for monitoring logs.

Post by jonathan.pugh »

# $Id: check_log2.pl,v 1.2 2005/12/16 18:41:45 harpermann Exp $
#
# Log file regular expression detector for Nagios.
# Written by Aaron Bostick ([email protected])
# Last modified: 05-02-2002
#
# Thanks and acknowledgements to Ethan Galstad for Nagios and the check_log
# plugin this is modeled after.
#
# Usage: check_log2 -F <log_file> -O <seek_file> -q <pattern> [-e <negpattern>]

This what you're looking for?

Examples:
#
# Check for login failures in the syslog...
#
# check_log -F /var/log/messages -O /usr/local/nagios/var/check_log.badlogins.old -Q "LOGIN FAILURE"
#
# Check for port scan alerts generated by Psionic's PortSentry software...
#
# check_log -F /var/log/messages -O /usr/local/nagios/var/check_log.portscan.old -Q "attackalert"
#

# Paths to commands used in this script. These
# may have to be modified to match your system setup.

PATH="/usr/bin:/usr/sbin:/bin:/sbin"

PROGNAME=`basename $0`
PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`

#. $PROGPATH/utils.sh
. /usr/local/nagios/libexec/utils.sh

print_usage() {
    echo "Usage: $PROGNAME -F logfile -O oldlog -Q query"
    echo "Usage: $PROGNAME --help"
}

print_help() {
    echo ""
    print_usage
    echo ""
    echo "Log file pattern detector plugin for Nagios"
    echo ""
    support
}

# Make sure the correct number of command line
# arguments have been supplied

if [ $# -lt 6 ]; then
    print_usage
    exit $STATE_UNKNOWN
fi

# Grab the command line arguments

exitstatus=$STATE_WARNING #default
while test -n "$1"; do
    case "$1" in
        --help)
            print_help
            exit $STATE_OK
            ;;
        -h)
            print_help
            exit $STATE_OK
            ;;
        -F)
            logfile=$2
            shift
            ;;
        -O)
            oldlog=$2
            shift
            ;;
        -Q)
            query=$2
            shift
            ;;
        *)
            echo "Unknown argument: $1"
            print_usage
            exit $STATE_UNKNOWN
            ;;
    esac
    shift
done

# If the source log file doesn't exist, exit

if [ ! -e "$logfile" ]; then
    echo "Log check error: Log file $logfile does not exist!"
    # Record the state before exiting; a command placed after "exit" never runs
    echo $STATE_UNKNOWN > "$oldlog.STATE"
    exit $STATE_UNKNOWN
fi

# If the oldlog file doesn't exist, this must be the first time
# we're running this test, so copy the original log file over to
# the old diff file and exit

if [ ! -e "$oldlog" ]; then
    cat "$logfile" > "$oldlog"
    # Quote the query so a multi-word pattern such as "LOGIN FAILURE" stays one argument
    if [ `tail -1 "$logfile" | grep -i "$query" | wc -l` -gt 0 ]
    then
        echo "Log check data initialized... Last line contained error message."
        echo $STATE_CRITICAL > "$oldlog.STATE"
        exit $STATE_CRITICAL
    else
        echo "Log check data initialized..."
        echo $STATE_OK > "$oldlog.STATE"
        exit $STATE_OK
    fi
fi

# A bug which was caught very late:
# If newlog is shorter than oldlog, the diff used below will return
# false positives for the query because they will be in $oldlog. Why?
# Because $oldlog is not rolled over / rotated, like $newlog. I need
# to fix this in a kludgy way.

if [ `wc -l "$logfile"|awk '{print $1}'` -lt `wc -l "$oldlog"|awk '{print $1}'` ]
then
    rm "$oldlog"
    cat "$logfile" > "$oldlog"
    # Quote the query so a multi-word pattern stays one argument
    if [ `tail -1 "$logfile" | grep -i "$query" | wc -l` -gt 0 ]
    then
        echo "Log check data re-initialized... Last line contained error message."
        echo $STATE_CRITICAL > "$oldlog.STATE"
        exit $STATE_CRITICAL
    else
        echo "Log check data re-initialized..."
        echo $STATE_OK > "$oldlog.STATE"
        exit $STATE_OK
    fi
fi

# Everything seems fine, so compare it to the original log now

# The temporary file that the script should use while
# processing the log file.
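# "[ -x mktemp ]" only tested for a file named mktemp in the current
# directory; look the command up on PATH instead.
if command -v mktemp >/dev/null 2>&1; then
    tempdiff=`mktemp /tmp/check_log.XXXXXXXXXX`
else
    # Fallback when mktemp is missing: the file name is predictable and
    # lives in a world-writable directory.
    tempdate=`/bin/date '+%H%M%S'`
    tempdiff="/tmp/check_log.${tempdate}"
    touch "$tempdiff"
fi

diff "$logfile" "$oldlog" > "$tempdiff"

if [ `wc -l "$tempdiff"|awk '{print $1}'` -eq 0 ]
then
    rm "$tempdiff"
    touch "$oldlog.STATE"
    exitstatus=`cat "$oldlog.STATE"`
    echo "LOG FILE - No status change detected. Status = $exitstatus"
    exit $exitstatus
fi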

# Count the number of matching log entries we have
count=`grep -c "$query" "$tempdiff"`

# Get the last matching entry in the diff file
lastentry=`grep "$query" "$tempdiff" | tail -1`

rm -f "$tempdiff"
cat "$logfile" > "$oldlog"

if [ "$count" = "0" ]
then
    echo "Log check ok - 0 pattern matches found"
    exitstatus=$STATE_OK
    echo $STATE_OK > "$oldlog.STATE"
else
    echo "Log check NOK - $lastentry"
    exitstatus=$STATE_CRITICAL
    echo $STATE_CRITICAL > "$oldlog.STATE"
fi

exit $exitstatus
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Using Wildcards for monitoring logs.

Post by rkennedy »

Code: Select all

# This plugin will scan a log file (specified by the <log_file> option)
# for a specific pattern (specified by the <pattern> option).  Successive
# calls to the plugin script will only report *new* pattern matches in the
# log file, since a copy of the log file from the previous run is saved
# to <old_log_file>.
#    3.  You *must* supply a different <old_file_log> for each service that
#        you define to use this plugin script - even if the different services
#        check the same <log_file> for pattern matches.  This is necessary
#        because of the way the script operates.
Because of how the plugin stores states, and they are unique to each log file, I don't think it's going to be possible. You might want to look at our Nagios Log Server solution if that's something you're interested in, as it's built more for the logging situations like this.
Former Nagios Employee
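
The per-log state requirement quoted above is the constraint any wildcard has to respect: each matched file needs its own saved position. The following is an added example, not part of the thread and not code from check_log2.pl, of a wrapper that takes a shell-expanded glob, skips rotated or compressed files by name, and keeps one offset file per log. The function names, the state directory layout and the list of rotation suffixes are assumptions.

```shell
#!/bin/sh
# Added example, not from check_log2.pl. All names here are hypothetical.

# True for names that look rotated or compressed (messages.1, app.log.gz, app.log-20160906).
is_rotated() {
    case "$1" in
        *.gz|*.bz2|*.xz|*.zip|*.old|*.[0-9]|*.[0-9][0-9]) return 0 ;;
        *-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    esac
    return 1
}

# One state file per log path, with "/" flattened to "_".
state_key() { printf '%s' "$1" | tr '/' '_'; }

# check_logs_glob STATE_DIR PATTERN FILE...   (the caller's shell expands the glob)
# Prints one summary line; returns 0 (OK) or 2 (CRITICAL) as Nagios plugins do.
check_logs_glob() {
    state_dir=$1; pattern=$2; shift 2
    hits=0; files=0
    for log in "$@"; do
        [ -f "$log" ] || continue                 # unmatched glob, directory, socket
        is_rotated "$log" && continue
        files=$((files + 1))
        state="$state_dir/$(state_key "$log").offset"
        old=0
        [ -f "$state" ] && old=$(cat "$state")
        case "$old" in ''|*[!0-9]*) old=0 ;; esac # ignore a corrupt state file
        size=$(( $(wc -c < "$log") ))
        [ "$size" -lt "$old" ] && old=0           # file shrank: rotated or truncated
        # Scan only the bytes appended since the previous run.
        n=$(tail -c "+$((old + 1))" "$log" | grep -E -c -e "$pattern" || true)
        hits=$((hits + n))
        echo "$size" > "$state"
    done
    if [ "$hits" -gt 0 ]; then
        echo "LOG CRITICAL - $hits new match(es) in $files file(s)"
        return 2
    fi
    echo "LOG OK - 0 new matches in $files file(s)"
    return 0
}
```

The first run scans each file from the beginning, and the state directory should be writable only by the account the check runs as.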