Nagios check to check increment between 2 files

[Shwele]

Hello fellas,

Is there some check that can compare filesize between 2 recent created files. That folder is going to have generated reports that are at start going to have 2MB and due time it will increment. Idea is, to have 2 checks:

1. file has to be bigger than one created before him, if its smaller even by one 1byte, show critical on nagios.
2. if new file is indeed bigger, check if its bigger by +1MB of file before him, if it is, show critical

Check has to be done over SNMP or SSH, or any other way other than NRPE, due that sever is already in use and cant use NRPE on it.

Thanks in advance!

[mcapra]

I'm making some assumptions here; Correct me if any are wrong. This could maybe be done more easily in Python, PHP, C, Ruby, etc, but I'm not going to assume things about the host's environment other than it probably has Bash/Dash and some basic Linux commands.

Assumption: You have a path with some files in it. Those files have various sizes and "last modified" times:

Code: Select all

[root@capra_nag files]# stat /tmp/files/*
  File: ‘/tmp/files/file_0’
  Size: 73              Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 590938      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-11-17 08:26:01.435848347 -0600
Modify: 2017-11-17 08:26:01.435848347 -0600
Change: 2017-11-17 08:26:01.435848347 -0600
 Birth: -
  File: ‘/tmp/files/file_1’
  Size: 4               Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 368929      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-11-17 08:20:25.333549120 -0600
Modify: 2017-11-17 08:20:25.333549120 -0600
Change: 2017-11-17 08:20:25.333549120 -0600
 Birth: -
  File: ‘/tmp/files/file_2’
  Size: 739             Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 590926      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-11-17 08:20:31.918398250 -0600
Modify: 2017-11-17 08:20:31.918398250 -0600
Change: 2017-11-17 08:20:31.918398250 -0600
 Birth: -
  File: ‘/tmp/files/file_3’
  Size: 45004           Blocks: 88         IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 590930      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-11-17 08:20:50.513972188 -0600
Modify: 2017-11-17 08:20:50.513972188 -0600
Change: 2017-11-17 08:20:50.513972188 -0600
 Birth: -
  File: ‘/tmp/files/file_4’
  Size: 32              Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 34339831    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-11-17 08:22:48.200275760 -0600
Modify: 2017-11-17 08:22:48.200275760 -0600
Change: 2017-11-17 08:22:59.443018167 -0600
 Birth: -

In the above case, ordered by age: file_1 > file_2 > file_3 > file_4 > file_0

So file_0 is the newest file, and file_4 is the file that is second newest. Based on your described use case, these are the 2 files we should be comparing.

stat has some very handy flags we can set to isolate specific information. Based on your described use case, we need at a minimum the name, size, and last-modified time of each file in the path. This gets us that in a semi-colon delimited form per-item in the path:

Code: Select all

[root@capra_nag files]# stat -c '%y;%n;%s' /tmp/files/*
2017-11-17 08:26:01.435848347 -0600;/tmp/files/file_0;73
2017-11-17 08:20:25.333549120 -0600;/tmp/files/file_1;4
2017-11-17 08:20:31.918398250 -0600;/tmp/files/file_2;739
2017-11-17 08:20:50.513972188 -0600;/tmp/files/file_3;45004
2017-11-17 08:22:48.200275760 -0600;/tmp/files/file_4;32

Who's output we can pipe into a clever sort command to order them by the last-modified time:

Code: Select all

[root@capra_nag files]# stat -c '%y;%n;%s' /tmp/files/* | sort -k 2 -r
2017-11-17 08:26:01.435848347 -0600;/tmp/files/file_0;73
2017-11-17 08:22:48.200275760 -0600;/tmp/files/file_4;32
2017-11-17 08:20:50.513972188 -0600;/tmp/files/file_3;45004
2017-11-17 08:20:31.918398250 -0600;/tmp/files/file_2;739
2017-11-17 08:20:25.333549120 -0600;/tmp/files/file_1;4

And really, since we only want the 2 "newest" files, we can pipe that output through a less clever head command to get the top 2 lines of this output (our 2 "newest" files):

Code: Select all

[root@capra_nag files]# stat -c '%y;%n;%s' /tmp/files/* | sort -k 2 -r | head -n 2
2017-11-17 08:26:01.435848347 -0600;/tmp/files/file_0;73
2017-11-17 08:22:48.200275760 -0600;/tmp/files/file_4;32

Then we can apply cut to strip this down even further to just the name and size of the 2 "newest" files in the path using a cut command (sed and awk also work here):

Code: Select all

[root@capra_nag files]# stat -c '%y;%n;%s' /tmp/files/* | sort -k 2 -r | head -n 2 | cut -d ';' -f 2,3
/tmp/files/file_0;73
/tmp/files/file_4;32

So neat; Now we have all the information we need for the described use case (and then some!). So how do we take this information and manipulate it through the power of Bash to compare the sizes of our 2 "newest" files? We write a script using all the neat tools we just learned:

Code: Select all

RAW=`stat -c '%y;%n;%s' /tmp/files/* | sort -k 2 -r | head -n 2 | cut -d ';' -f 2,3`
FILE_0=`echo $RAW | cut -d ' ' -f 1`
FILE_0_NAME=`echo $FILE_0 | cut -d ';' -f 1`
FILE_0_SIZE=`echo $FILE_0 | cut -d ';' -f 2`

FILE_1=`echo $RAW | cut -d ' ' -f 2`
FILE_1_NAME=`echo $FILE_1 | cut -d ';' -f 1`
FILE_1_SIZE=`echo $FILE_1 | cut -d ';' -f 2`

if [ $FILE_1_SIZE -gt $FILE_0_SIZE ]
then
        echo CRITICAL -- ${FILE_0_NAME} is $[$FILE_1_SIZE - $FILE_0_SIZE] bytes smaller than ${FILE_1_NAME}
        exit 2
fi
echo OK -- ${FILE_0_NAME} is larger than ${FILE_1_NAME}
exit 0

Which performs like so:

Code: Select all

[root@capra_nag tmp]# ./check_files_schwele.sh
OK -- /tmp/files/file_0 is larger than /tmp/files/file_4
[root@capra_nag tmp]# echo $?
0

And if I go and empty the contents of the "newest" file, file_0, it should be smaller than file_4. This is reflected in the script's output:

Code: Select all

[root@capra_nag tmp]# ./check_files_schwele.sh
CRITICAL -- /tmp/files/file_0 is 32 bytes smaller than /tmp/files/file_4
[root@capra_nag tmp]# echo $?
2

Assumptions aside, these are the basic building blocks for the solution in Bash. They can be tweaked depending on your specific criteria.

[bolson]

Thank you mcapra, I would take a similar approach but I would build out the script around awk statements something like this:

Code: Select all

ls -l
-rw-r--r-- 1 root root    4096 Nov 17 09:56 file1
-rw-r--r-- 1 root root 2097152 Nov 17 09:58 file2

ls -l --time-style="+%s" | tail -n +2 | awk '{print $6,$5,$7}' | sort | head -1
1510934177 4096 file1

ls -l --time-style="+%s" | tail -n +2 | awk '{print $6,$5,$7}' | sort -r | head -1
1510934313 2097152 file2

In the second command, ls fetches timestamp(epoch format for accuracy and to facilitate integer comparison), tail strips out the header, awk grabs the necessary data, sort sorts by time, and head prints the data for the oldest file. The third command does the same thing but sort -r and head gives you the newest file.

Plug these values into variables, do your comparisons, and you're good to go.

[Shwele]

Thanks guys

Sorry for not replying sooner, was really busy with workload this week.

Will test some of your solutions, it is what I guessed as well, to do with script and get response on mail of that report.

Have a great weekend!

[tmcdonald]

We'll keep this thread open for you