
Getting issue with check_logfile plugin

Posted: Wed Feb 07, 2018 1:28 am
by ericssonvietnam
I am using the below configuration file in order to generate the alert for the mentioned pattern, but it is not giving the alert as per the mentioned threshold count.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++===

[ericsson@euc-3-3-uc-00-0 conf]$ cat Error_code_404.conf
$seekfilesdir = '/home/ericsson/logfile_basedir/tmp';
$protocolsdir = '/home/ericsson/logfile_basedir/tmp';
$scriptpath = '/home/ericsson/bin';
#$MACROS = { CL_DISK01 => "/dev/dsk/c0d1", CL_DISK02 => "/dev/dsk/c0d2" };
@searches = (
        {
                tag => 'Error_code_404',
                criticalpatterns => ['HTTP/1.1" 404'] ,
                logfile =>'/opt/universalcache/logs/access.log',
                #options => 'sticky=1800,noprotocol,report=long,allyoucaneat',
                rotation => 'REDHAT',
                #warningthreshold => 100,
                criticalthreshold => 3500
        }
);
++++++++++
check interval 3 minutes

-C "sudo /home/ericsson/bin/check_logfiles -f /home/ericsson/logfile_basedir/conf/Error_code_404.conf"
-t 60 -o StrictHostKeyChecking=no -l ericsson -E
++++++++++++++++++++++++++++++++++++++++++++
Let me know if I am missing anything in the configuration file. Let me know if you require the logfile to verify the same.

Re: Getting issue with check_logfile plugin

Posted: Wed Feb 07, 2018 11:59 am
by cdienger
It looks like you just need to escape the quotes in the pattern. Try:

criticalpatterns => ['HTTP/1.1\" 404'] ,

Re: Getting issue with check_logfile plugin

Posted: Fri Feb 09, 2018 2:54 am
by ericssonvietnam
cdienger wrote: It looks like you just need to escape the quotes in the pattern. Try:

criticalpatterns => ['HTTP/1.1\" 404'] ,
Even after changing the pattern, I am getting the alert at a very low count. Can you suggest how I can fix this, as it has been pending for a long time?

Below is how I have done the analysis for the check.
In the alerts listed in the state history, I have observed that the check interval is 3 min, but there is a large time difference between the OK pattern and the alert generated. If I calculate the count between the OK pattern and the alert, only then is it crossing the defined threshold.
2/9/2018 4:24 EUC-3-3-UC00-0 Error_code_403 1 CRITICAL HARD 1 1 OK OK CRITICAL - (1 errors in Error_code_403.protocol-2018-02-09-04-24-51) - - CDN 1.152.111.190 203.36.130.179 racingviconlinehlslive3968.ngcdn.telstra.com - - - [08/Feb/2018:17:24:43.826 +0000] GET /out/u/protected/rcnsyn-mo-000-c3063-delpkg1-delogg1-abr1/63"
2/9/2018 3:25 EUC-3-3-UC00-0 Error_code_403 1 OK HARD 1 1 CRITICAL CRITICAL OK - no errors or warnings
2/9/2018 3:22 EUC-3-3-UC00-0 Error_code_403 1 CRITICAL HARD 1 1 OK OK CRITICAL - (1 errors in Error_code_403.protocol-2018-02-09-03-22-23) - - CDN 110.140.95.84 203.36.130.179 racingviconlinehlslive3968.ngcdn.telstra.com - - - [08/Feb/2018:16:19:48.717 +0000] GET /out/u/protected/rcnsyn-mo-000-c3063-delpkg1-delogg1-abr1/63"
2/9/2018 2:25 EUC-3-3-UC00-0 Error_code_403 1 OK HARD 1 1 CRITICAL CRITICAL OK - no errors or warnings
2/9/2018 2:22 EUC-3-3-UC00-0 Error_code_403 1 CRITICAL HARD 1 1 OK OK CRITICAL - (1 errors in Error_code_403.protocol-2018-02-09-02-22-56) - - CDN 110.140.95.84 203.36.130.179 racingviconlinehlslive3968.ngcdn.telstra.com - - - [08/Feb/2018:15:22:19.827 +0000] GET /out/u/protected/rcnsyn-mo-000-c3063-delpkg1-delogg1-abr1/63"
2/9/2018 1:35 EUC-3-3-UC00-0 Error_code_403 1 OK HARD 1 1 CRITICAL CRITICAL OK - no errors or warnings

Let me know if you require something else.
Analysis done is as shown below.
########################################
Alert
2/9/2018 3:22 EUC-3-3-UC00-0 Error_code_403 1 CRITICAL HARD 1 1 OK OK CRITICAL - (1 errors in Error_code_403.protocol-2018-02-09-03-22-23) - - CDN 110.140.95.84 203.36.130.179 racingviconlinehlslive3968.ngcdn.telstra.com - - - [08/Feb/2018:16:19:48.717 +0000] GET /out/u/protected/rcnsyn-mo-000-c3063-delpkg1-delogg1-abr1/63"
2/9/2018 2:25 EUC-3-3-UC00-0 Error_code_403 1 OK HARD 1 1 CRITICAL CRITICAL OK - no errors or warnings
###########################################
Logfile count in 3 min before alert generation
[evigaur@chw-com0-nagfm-00 ~]$ sed -n '/2018:16:15/,/2018:16:20/p' /home/evigaur/access.1518102601.11723.log > /home/evigaur/logtime2.txt
[evigaur@chw-com0-nagfm-00 ~]$ grep -i "403" logtime2.txt |wc -l
412
#############################################################
If I take the logs for a time window of one hour, it is giving me the alert above the threshold value. I am suspecting that the check is not taking the data for the 3 min time interval.
[evigaur@chw-com0-nagfm-00 ~]$ sed -n '/2018:15:20/,/2018:16:20/p' /home/evigaur/access.1518102601.11723.log > /home/evigaur/logtime2-new.txt
[evigaur@chw-com0-nagfm-00 ~]$ grep -i "403" logtime2-new.txt |wc -l
4077
++++++++++++++++++++++++++++++++++++++++++++++++++
Can you suggest how I can fix this ASAP, as it has been pending for a long time?
I hope to get the fix ASAP. Let me know if you require anything else from my side.
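
Added example, not part of the original post or of the plugin's code: the sed/grep count typed above matches the digits 403 anywhere in a line, and the sed range runs through the first line that matches the end minute, so this sketch contrasts it with a count limited to the time window and to the text `HTTP/1.1" 403`. The sample lines, the quoted-request layout after the timestamp and the function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample lines (documentation addresses). The quoted request and
# the status/bytes fields after it are an assumed layout.
make_sample_log() {
    cat > "$1" <<'EOF'
- - CDN 192.0.2.10 198.51.100.7 cdn.example.test - - - [08/Feb/2018:16:14:59.100 +0000] "GET /a/1.ts HTTP/1.1" 403 512
- - CDN 192.0.2.10 198.51.100.7 cdn.example.test - - - [08/Feb/2018:16:15:03.403 +0000] "GET /a/2.ts HTTP/1.1" 200 1403
- - CDN 192.0.2.11 198.51.100.7 cdn.example.test - - - [08/Feb/2018:16:16:10.000 +0000] "GET /a/3.ts HTTP/1.1" 403 512
- - CDN 192.0.2.12 198.51.100.7 cdn.example.test - - - [08/Feb/2018:16:17:45.250 +0000] "GET /a/403.ts HTTP/1.1" 200 900
- - CDN 192.0.2.13 198.51.100.7 cdn.example.test - - - [08/Feb/2018:16:19:48.717 +0000] "GET /a/4.ts HTTP/1.1" 403 512
- - CDN 192.0.2.13 198.51.100.7 cdn.example.test - - - [08/Feb/2018:16:20:01.000 +0000] "GET /a/5.ts HTTP/1.1" 403 512
EOF
}

# Count as typed in the thread: sed line range, then any line containing 403.
count_naive() {   # $1=file $2=start HH:MM $3=end HH:MM
    sed -n "/2018:$2/,/2018:$3/p" "$1" | grep -ic "403"
}

# Count lines with a timestamp in [start, end) whose request is followed by
# the given status, i.e. the literal text HTTP/1.1" <status>.
count_status_in_window() {   # $1=file $2=status $3,$4=HH:MM:SS bounds
    awk -v status="$2" -v start="$3" -v end="$4" '
        # Timestamp field looks like [08/Feb/2018:16:19:48.717 +0000]
        match($0, /\[[0-9]+\/[A-Za-z]+\/[0-9]+:[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/) {
            ts = substr($0, RSTART + RLENGTH - 8, 8)   # HH:MM:SS
            if (ts >= start && ts < end && index($0, "HTTP/1.1\" " status " ")) n++
        }
        END { print n + 0 }
    ' "$1"
}

# Stand-alone run on the constructed sample.
log=$(mktemp) && make_sample_log "$log"
echo "substring count: $(count_naive "$log" 16:15 16:20)"
echo "status 403 in window: $(count_status_in_window "$log" 403 16:15:00 16:20:00)"
rm -f "$log"
```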

Re: Getting issue with check_logfile plugin

Posted: Fri Feb 09, 2018 4:15 pm
by kyang
Can you suggest how I can fix this ASAP, as it has been pending for a long time?
Is this service pending from this plugin, correct? Was it like this before, or did it happen after you changed the pattern?

Could you give us a screenshot just to be sure?