I'm suffering a bit of confusion! I'm using a file content match
rule to try to ensure that a specific string is regularly showing up
in a specific logfile, but the results and output don't make sense
to me.

Here's the rule I started out with:

    check file servercomm-logs with path /var/log/servercomm.log
        if content != .*100\.109\..* then alert

This is an example line from the log that matches that:

    2018/06/11 13:34:57 999999 OpenReq 100.109.66.62

The '99' string is an obfuscated device id value I can't post
publicly.

In short, I want to be alerted if IPs within that declaration are
_not_ showing up in the servercomm.log regularly. In normal
circumstances, those IPs show up in the logs intermittently, but on
the order of once every several seconds (from subsecond to tens of
seconds). There is a lot of other information in the logfile.

With that rule above, the status is always "Content match". If I set
the operator to just "=" rather than "!=" - it still says just
"Content match", but no alert.

While further testing this just now, I expanded the rule with
'ignore content' lines to match all the other possible lines that do
_not_ contain the desired IP strings:

    check file servercomm-logs with path /var/log/servercomm.log
        ignore content = "Exec"
        ignore content = "inserting"
        ignore content = "initialize"
        ignore content = "Received"
        ignore content = "Current"
        ignore content = "updated"
        ignore content = "Restart"
        ignore content = "connection"
        ignore content = "Bad"
        ignore content = "Invalid"
        if content != ".*100\.109\..*" then alert

With that rule, I still get "Content match", and if I swap the
operator to "=", it still says content match, and no alert.

I've tried it without the beginning/ending regex declarations -

    if content != "100\.109" then alert

Same results. I've tried it with and without quotes around the
content match - same results.

*Sometimes*, after a 'monit reload', the status will show "OK" - but
if I do a 'monit reload' again - with no intervening changes - it'll
switch back to 'Content match'.

At minimum, I would expect when it reports "Content match", I'd be
getting an alert, but well beyond that, I cannot figure out what I'm
doing wrong with my content declarations.
Any insights will be gratefully received!
--
Paul Theodoropoulos
www.anastrophe.com
--
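
The goal stated in the message (alert when no 100.109.x.x address has appeared in the log recently) can also be expressed as a freshness check on the newest matching line. The following is an added example, not part of the original post and not Monit code; the 120-second threshold, the 64 KiB tail size, the local-time assumption and every sample line except the first are assumptions.

```python
import re
from datetime import datetime, timedelta

LOG_PATH = "/var/log/servercomm.log"   # path from the post
MAX_AGE = timedelta(seconds=120)       # assumed threshold; the post gives none
# Timestamp layout taken from the sample line in the post.
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")
# Whole-address match, so 10.100.109.5 or 1100.109.1.1 do not count.
IP_RE = re.compile(r"(?<![\d.])100\.109\.\d{1,3}\.\d{1,3}(?![\d.])")
# Constructed sample lines (only the first one's layout comes from the post).
SAMPLE = [
    "2018/06/11 13:34:57 999999 OpenReq 100.109.66.62",
    "2018/06/11 13:35:02 Received 10.100.109.5",
    "2018/06/11 13:35:40 connection reset",
]

def last_seen(lines):
    """Timestamp of the newest line carrying a 100.109.x.x address, or None."""
    newest = None
    for line in lines:
        ts_match = TS_RE.match(line)
        if not ts_match or not IP_RE.search(line):
            continue
        try:
            ts = datetime.strptime(ts_match.group(1), "%Y/%m/%d %H:%M:%S")
        except ValueError:  # right shape, but not a real date
            continue
        if newest is None or ts > newest:
            newest = ts
    return newest

def is_stale(lines, now, max_age=MAX_AGE):
    """True when no matching line exists or the newest one is older than max_age."""
    seen = last_seen(lines)
    return seen is None or now - seen > max_age

def tail_lines(path, nbytes=64 * 1024):
    """Read roughly the last nbytes of the file; drop a leading partial line."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        start = max(0, fh.tell() - nbytes)
        fh.seek(start)
        lines = fh.read().decode("utf-8", "replace").splitlines()
    return lines[1:] if start > 0 else lines

if __name__ == "__main__":
    # Exit status 1 means "stale"; log timestamps are assumed to be local time.
    raise SystemExit(1 if is_stale(tail_lines(LOG_PATH), datetime.now()) else 0)
```

Run from a scheduler, the exit status can drive the alert; Monit's `check program` test with `if status != 0 then alert` is one way to consume it.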