[Check_mk (english)] Linux Logwatch

Hi All,

I want to check one log file and be notified when one specified entry appears in this log ten or more times a day. If there are fewer than ten such entries, check_mk should show status OK, but ten or more should be status WARNING, and then after crossing 20 the status should be CRITICAL. Is it possible to do this with check_mk? Right now I have to check the log file manually many times a day with a command like the following:

# cat service.log | grep 'specified_entry' | wc -l

Regards,

Radosław Bąk

Hi Ken,

PERFECT - it's working like I wanted :wink:
Thanks a lot.

Maybe Check_MK TEAM :wink: can add this to official version of OMD/Check_MK? :wink:

Regards,
Radosław Bąk

----- Original message -----
From: "Ken Smith" <smithk190@macewan.ca>
To: "Radosław Bąk" <radoslaw.bak@ipopema.pl>, checkmk-en@lists.mathias-kettner.de
Sent: Tuesday, 2 April 2013 16:30:50
Subject: Re: [Check_mk (english)] Linux Logwatch

Radoslaw,

I had a similar requirement so I constructed a test to run in the plugins directory on the server and a check to catch the returned results.

First, run "cmk --paths" and look for the "Locally installed checks" directory. Put the following check script into that directory and save it as "log_file_err"

######log_file_err_script###################
# Normal inventory results
# [['0']]

# default levels are based on number of errors found in a two min interval.
log_file_err_default_levels = (2, 5)

def inventory_log_file_err(checkname, info):
    # exactly one line of agent output means the plugin is installed on the host
    if len(info) == 1:
        return [(None, "log_file_err_default_levels")]
    return []

# the check function (log_file_err)
def check_log_file_err(item, params, info):
    warn, crit = params
    count = int(info[0][0])
    perfdata = []
    perf = ["ERR", info[0][0]]
    perfdata.append(perf)
    message = "count = %s (warning at %s, critical at %s) " % (count, warn, crit)
    if warn == 0 or count < warn:
        return (0, "OK - %s" % message, perfdata)
    elif count >= crit:
        return (2, "CRIT - %s" % message, perfdata)
    else:
        return (1, "WARN - %s" % message, perfdata)

# declare the check to Check_MK
check_info['log_file_err'] = \
    (check_log_file_err, "Log File Errs", 1, inventory_log_file_err)
#######end_of_script######################

Now you need a script to run on the remote server which will return a value to this script.

If you run the "check_mk_agent" on the remote server and then scroll back to the top of the data returned, it will tell you where the "plugins" directory is found.

In the plugins directory save the following script as "log_file_err" and make it executable. (obviously you will need to query your specific log for your specific entry).

Here is the script:

######log_file_err_plugin###################
#!/bin/bash

TIME=`date -u +"%Y-%m-%d %R"`
TIME1=`date -u -d "-1 mins" +"%Y-%m-%d %R"`
TIME2=`date -u -d "-2 mins" +"%Y-%m-%d %R"`

echo '<<<log_file_err>>>'
grep -e "$TIME" -e "$TIME1" -e "$TIME2" /path/to/logs/service.log | grep -i " specific error " | wc -l
#######end_of_plugin######################

--- How does it work -----

Basically the plugin will run each time that the check_mk_agent is run and it will determine three time strings (now, now-1 min, and now-2 mins). Then it searches the log file for lines containing those time strings (looks like 2013-04-02 14:07) and then looks for your "specific error" on any lines returned and counts the number of times. It then returns:

<<<log_file_err>>>
0

Simple, eh!

--- the check part ---

Well, the check part is like every other check_mk check. It has an "inventory" part and a "check" part. Once you have the plugin script working on the remote server you will need to run "cmk -I remoteserver" for it to find the new "log_file_err" check. After you have done the inventory then you can run "cmk -vp remoteserver" to see what the check_mk program will see.

Normally, check_mk will poll the server every minute and the plugin will return the number of "specific errors" it has seen in the last 3 minutes. The check will keep track of this count and if it exceeds either the warn level (2) or the critical level (5) then it will send the appropriate notification.

I hope this helps you achieve your test goals.

Regards,

Ken Smith

Radosław Bąk<radoslaw.bak@ipopema.pl> 3/26/2013 09:09 AM >>>

Hi All,

I want to check one log file and be notified when one specified entry appears in this log ten or more times a day. If there are fewer than ten such entries, check_mk should show status OK, but ten or more should be status WARNING, and then after crossing 20 the status should be CRITICAL. Is it possible to do this with check_mk? Right now I have to check the log file manually many times a day with a command like the following:

# cat service.log | grep 'specified_entry' | wc -l

Regards,

Radosław Bąk
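
Added example (not part of the thread and not Check_MK's own code): a variant of the agent plugin above that counts entries for one whole day, as the original question asked, instead of the last three minutes. It assumes every log line begins with a UTC timestamp of the form 2013-04-02 14:07; count_entries and emit_section are hypothetical names and the sample log is constructed.

```bash
#!/bin/bash
# Added example, not from the thread. Assumes each log line starts with a
# UTC timestamp such as "2013-04-02 14:07" (the format the plugin greps for).

# count_entries FILE DAY PATTERN
# Prints the number of lines in FILE that start with DAY (YYYY-MM-DD) and
# contain PATTERN as a case-insensitive fixed string, so a date quoted in
# the message body or a regex metacharacter in PATTERN cannot inflate it.
# Prints nothing and returns 2 if FILE is unreadable, so a missing log is
# not reported as "0 errors".
count_entries() {
    [ -r "$1" ] || return 2
    awk -v day="$2" -v pat="$3" '
        BEGIN { pat = tolower(pat) }
        index($0, day " ") == 1 && index(tolower($0), pat) > 0 { n++ }
        END { print n + 0 }
    ' "$1"
}

# emit_section FILE DAY PATTERN: agent section in the format used above.
emit_section() {
    echo '<<<log_file_err>>>'
    count_entries "$1" "$2" "$3" || true
}

# Constructed sample log for a stand-alone run (not real data).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
2013-04-02 00:01 service started
2013-04-02 09:15 request failed: Specific Error in worker 3
2013-04-02 14:07 request failed: specific error in worker 1
2013-04-01 23:59 request failed: specific error in worker 2
2013-04-02 14:08 note: ticket mentions 2013-04-01 specific error
EOF

emit_section "$sample" "2013-04-02" "specific error"
# In the real plugin the call would be:
# emit_section /path/to/logs/service.log "$(date -u +%Y-%m-%d)" "specific error"
```

Paired with the check script above, levels of (10, 20) give WARN from ten entries and CRIT from twenty. The count restarts at 00:00 UTC and only covers the current file, so a log rotated during the day starts again from zero.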

Another approach would be to use the event console. Using this you can count, expect and rewrite messages. Have a look at the docs for details.

Regards
Lars

On 04/03/2013 09:34 AM, Radosław Bąk wrote:

Hi Ken,

PERFECT - it's working like I wanted :wink:
Thanks a lot.

Maybe Check_MK TEAM :wink: can add this to official version of OMD/Check_MK? :wink:

Regards,
Radosław Bąk

--
Lars Michelsen

---
Mathias Kettner GmbH
Kellerstraße 29, 81667 München, Germany
Commercial register: Amtsgericht München, HRB 165902
Managing director: Mathias Kettner
http://mathias-kettner.de
Tel. +49 89 1890 435-12
Fax. +49 89 1890 43529