Parse a Unix log file for Errors

Matt Chamberlain

We're currently moving away from Nimsoft to Opsview and so far very happy.

One thing that Nimsoft has been doing that I can't figure out how to do on Opsview is to parse a log file for several string matches and report back based on the results.

Is there a built-in service check I can use for this, or can anyone advise a best approach?

Duncan Ferguson

The plugin 'check_log' is included in Opsview Monitor.

From the plugin itself:

# Usage: ./check_log <log_file> <old_log_file> <pattern>
#
# Description:
#
# This plugin will scan a log file (specified by the <log_file> option)
# for a specific pattern (specified by the <pattern> option).  Successive
# calls to the plugin script will only report *new* pattern matches in the
# log file, since an copy of the log file from the previous run is saved
# to <old_log_file>.
#
# Output:
#
# On the first run of the plugin, it will return an OK state with a message
# of "Log check data initialized".  On successive runs, it will return an OK
# state if *no* pattern matches have been found in the *difference* between the
# log file and the older copy of the log file.  If the plugin detects any
# pattern matches in the log diff, it will return a CRITICAL state and print
# out a message is the following format: "(x) last_match", where "x" is the
# total number of pattern matches found in the file and "last_match" is the
# last entry in the log file which matches the pattern.
#
# Notes:
#
# If you use this plugin make sure to keep the following in mind:
#
#    1.  The "max_attempts" value for the service should be 1, as this will
#        prevent the monitoring system from retrying the service check (the
#        next time the check is run it will not produce the same results).
#
#    2.  The "notify_recovery" value for the service should be 0, so that the
#        monitoring system does not notify you of "recoveries" for the check.
#        Since pattern matches in the log file will only be reported once and
#        not the next time, there will always be "recoveries" for the service,
#        even though recoveries really don't apply to this type of check.
#
#    3.  You *must* supply a different <old_file_log> for each service that
#        you define to use this plugin script - even if the different services
#        check the same <log_file> for pattern matches.  This is necessary
#        because of the way the script operates.
#
# Examples:
#
# Check for login failures in the syslog...
#
#   check_log /var/log/messages ./check_log.badlogins.old "LOGIN FAILURE"
#
# Check for port scan alerts generated by Psionic's PortSentry software...
#
#   check_log /var/log/message ./check_log.portscan.old "attackalert"
#

At this time we do not ship any Service Checks that use this plugin, but you should be able to create your own without issue.

  Duncs
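
The mechanism described in the plugin header above, extended to several fixed strings in one check, as an added sketch (not the check_log source and not code from either poster). The helper name `scan_new_matches`, the `OK:`/`CRITICAL:`/`UNKNOWN:` message prefixes and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not the check_log source. scan_new_matches is a
# hypothetical helper: it reports only log lines added since the last run
# that contain any of the given fixed strings.
# Exit codes follow the Nagios plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.
scan_new_matches() (
    [ "$#" -ge 3 ] || { echo "UNKNOWN: usage: log old_log pattern..."; exit 3; }
    log=$1; old=$2; shift 2
    [ -r "$log" ] || { echo "UNKNOWN: cannot read $log"; exit 3; }

    # grep -F accepts several fixed strings as one newline-separated list.
    patterns=$(printf '%s\n' "$@")

    # First run: nothing to compare against, so only save a copy.
    if [ ! -e "$old" ]; then
        cp -- "$log" "$old"
        echo "OK: Log check data initialized"
        exit 0
    fi

    # Lines present in the current log but absent from the saved copy.
    new_lines=$(diff -- "$old" "$log" | sed -n 's/^> //p')
    cp -- "$log" "$old"    # matches are reported once, then become "old"

    count=$(printf '%s\n' "$new_lines" | grep -c -F -e "$patterns" || true)
    if [ "$count" -gt 0 ]; then
        last=$(printf '%s\n' "$new_lines" | grep -F -e "$patterns" | tail -n 1)
        echo "CRITICAL: ($count) $last"    # count covers new lines only
        exit 2
    fi
    echo "OK: no new matches"
    exit 0
)

# Constructed sample data: one state file per service, as note 3 requires.
demo=$(mktemp -d)
printf 'Jan  1 00:00:01 host-a boot ok\n' > "$demo/messages"
scan_new_matches "$demo/messages" "$demo/errors.old" "LOGIN FAILURE" "attackalert"
printf 'Jan  1 00:05:00 host-a LOGIN FAILURE on tty1\n' >> "$demo/messages"
scan_new_matches "$demo/messages" "$demo/errors.old" "LOGIN FAILURE" "attackalert" ||
    echo "exit status $?"
rm -rf "$demo"
```

Because each run overwrites the saved copy, a retried check sees no new lines, which is why the header's notes on "max_attempts" and "notify_recovery" apply to this sketch as well.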