Check_log3 pattern exclusion help
I have used check_log3 to find per-line patterns to throw alerts, but the issue I'm having is to evaluate a pattern to exclude that has the same type of exception, but the key is an IP address that is known to throw an exception but we don't want to be alerted about it. We have tried using the --and operator to include multiple lines for the condition but it doesn't seem to work properly. Will get 0 results if using the neg pattern condition. The seek file was deleted every time the attempt was made. Is there a way to add additional conditions to a log evaluation when the log is read line by line typically? See SS attached.
Re: Check_log3 pattern exclusion help
Looking at the plugin options, the -and option sounds like it only works on a single line; I don't see any multi-line options at all.
Are they all on the same line or is it actually multi-line?
Can you post some log examples so we can see what we're working with?
Re: Check_log3 pattern exclusion help
Exception
************ Exception Name ************
System.Net.Sockets.SocketException
**************** Source ****************
System
*************** Message ****************
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 0.0.0.0
The 0.0.0.0 is the actual IP address.
We have an exception that is the same format but the IP address is the correct IP address when the service goes down. We get another error within the logs that try to connect to a service that is non working. We would need to exclude the Exception with the wrong IP address so it doesn't throw the alert. The error above is in the same space/carriage return format as it appears in the logs.
Re: Check_log3 pattern exclusion help
I'm going to lab this up and see what I can find. I'm really not sure if check_log3 supports multi-line; technically a regex should, but it might be hard to construct.
Re: Check_log3 pattern exclusion help
Hey Sean,
Any update on the attempt to construct a regex to work with this? I saw that in XI logserver there was a way to add multi-line support. Would this work in XI also and if so, are there system files that need to be modified to allow multiple line interpretation?
Re: Check_log3 pattern exclusion help
Nagios Log Server is an entirely different product that's meant to ingest/parse logs; there is no equivalent in XI.
I was unable to find a logfile monitoring plugin that supports multi-line logs. All of the ones I tested would only read a single line and compare that single line against the regex, it would not show anything for a multi-line regex.
The only thing I could recommend is that you search for this:
Code:
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
then use the -n or --negpattern to skip the line if it contains that specific IP address.
Code:
-n 'X.X.X.X'
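The per-line behaviour discussed in this thread, as an added example that is not part of the original posts and is not check_log3's own code: a small Python emulation of a line-by-line pattern / negative-pattern check over a constructed log. The addresses 192.0.2.10 and 192.0.2.100 and the helpers `scan` and `ip_negpattern` are assumptions for illustration; the example also shows that, if the negative pattern is treated as a regular expression, a bare IP would suppress a longer address that contains it.

```python
import re

# Search text suggested in the thread (the Message line, without the IP).
MESSAGE = ("A connection attempt failed because the connected party did not "
           "properly respond after a period of time, or established connection "
           "failed because connected host has failed to respond")

# Constructed sample log: two exception records in the layout posted above.
# 192.0.2.10 stands in for the known-noisy address, 192.0.2.100 for a real outage.
SAMPLE_LOG = "\n".join(
    "\n".join([
        "************ Exception Name ************",
        "System.Net.Sockets.SocketException",
        "**************** Source ****************",
        "System",
        "*************** Message ****************",
        f"{MESSAGE} {ip}",
    ])
    for ip in ("192.0.2.10", "192.0.2.100")
)

def scan(log_text, pattern, negpattern=None):
    """Emulate a per-line check: keep lines matching pattern but not negpattern."""
    pat = re.compile(pattern)
    neg = re.compile(negpattern) if negpattern else None
    return [line for line in log_text.splitlines()
            if pat.search(line) and not (neg and neg.search(line))]

def ip_negpattern(ip):
    """Regex matching exactly this IPv4 address, not a longer one containing it."""
    return r"(?<!\d)" + re.escape(ip) + r"(?!\d)"

if __name__ == "__main__":
    # A regex spanning several lines never matches when each line is tested alone.
    print(len(scan(SAMPLE_LOG, r"SocketException[\s\S]*failed to respond")))
    # Bare IP as negative pattern: also hides 192.0.2.100 (substring match).
    print(len(scan(SAMPLE_LOG, MESSAGE, "192.0.2.10")))
    # Escaped and digit-bounded: only the noisy address is skipped.
    print(scan(SAMPLE_LOG, MESSAGE, ip_negpattern("192.0.2.10")))
```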
Re: Check_log3 pattern exclusion help
Excellent, I'll give that a shot and you can close this thread. Thanks for all the help.
Re: Check_log3 pattern exclusion help
Greatmrjsokol wrote: excellent, I'll give that a shot and you can close this thread. Thanks for all the help.
Locking thread