Logwatch is missing lines

i42mapur · September 6, 2023, 10:30am

CMK version: 2.0.0p29 (CEE)
OS version: Oracle Linux Server release 7.9

This is my logwatch.cfg file:

"/u01/app/odaorabase/oracle/diag/rdbms/*/*/trace/alert_*.log" overflow=C maxcontextlines=2,3
 W ^ORA-

So, I need to monitor several alert_*.log files, considering a warning every line that starts with “ORA-”, having 2 previous contextlines and 3 after contextlines.

I’m doing a test using this script:

I=1
while [ true ]
do
  echo "PrevContextline 3: $I" >> /u01/app/odaorabase0/oracle/diag/rdbms/bt99_sbghodat1/BT99_1/trace/alert_BT99_1.log
  echo "PrevContextline 2: $I" >> /u01/app/odaorabase0/oracle/diag/rdbms/bt99_sbghodat1/BT99_1/trace/alert_BT99_1.log
  echo "PrevContextline 1: $I" >> /u01/app/odaorabase0/oracle/diag/rdbms/bt99_sbghodat1/BT99_1/trace/alert_BT99_1.log
  echo "ORA-$I" >> /u01/app/odaorabase0/oracle/diag/rdbms/bt99_sbghodat1/BT99_1/trace/alert_BT99_1.log
  echo "ORA-17627: test $I" >> /u01/app/odaorabase0/oracle/diag/rdbms/bt99_sbghodat1/BT99_1/trace/alert_BT99_1.log
  echo "ORA-99999: test $I" >> /u01/app/odaorabase0/oracle/diag/rdbms/bt99_sbghodat1/BT99_1/trace/alert_BT99_1.log
  echo "PostContextline 1: $I" >> /u01/app/odaorabase0/oracle/diag/rdbms/bt99_sbghodat1/BT99_1/trace/alert_BT99_1.log
  echo "PostContextline 2: $I" >> /u01/app/odaorabase0/oracle/diag/rdbms/bt99_sbghodat1/BT99_1/trace/alert_BT99_1.log
  echo "PostContextline 3: $I" >> /u01/app/odaorabase0/oracle/diag/rdbms/bt99_sbghodat1/BT99_1/trace/alert_BT99_1.log
  I=$(($I+1))
sleep 30
done

So, it’s adding some lines to one of the monitored files. Some of them starting with “ORA-” and some pre and post context lines.

When I go to the GUI to see the contents of the logfile, most of the times the capture is fine and it’s showing the lines with the ORA- and the corresponding context lines, but sometimes, it’s missing lines, for example, test 97 was not detected here:

WARN	2023-09-06 10:04:00
ORA-95
ORA-17627: test 95
ORA-99999: test 95
ORA-96
ORA-17627: test 96
ORA-99999: test 96
WARN	2023-09-06 10:05:00
ORA-98
ORA-17627: test 98
ORA-99999: test 98

And a few minutes later, several test lines (from 105 to 114) were missed as well:

WARN	2023-09-06 10:08:00
ORA-103
ORA-17627: test 103
ORA-99999: test 103
ORA-104
ORA-17627: test 104
ORA-99999: test 104
WARN	2023-09-06 10:13:00
ORA-115
ORA-17627: test 115
ORA-99999: test 115

Of course, I checked and the lines are present in the logfile…

What could be the root cause of this?

Thanks and best regards,
Rafael

robin.gierse · September 7, 2023, 8:05am

Without reading past the version information: We improved a lot of things in current Checkmk releases. You might want to push for an upgrade to the latest version, before debugging something that might already be fixed.

i42mapur · September 7, 2023, 3:45pm

thanks for the advice. I’ll get the latest logwatch plugin and try with it.

robin.gierse · September 8, 2023, 5:40am

The server needs to up-to-date as well, just to be clear.

i42mapur · September 8, 2023, 6:50am

Hello Robin,

sure, I understand, but in our case it’s not so easy. I’m working with a proxy instance. So, if I update it to the latest version, I’ll need to update all the other proxy instances and the global one. That’s not possible due to some dependencies from the other teams.

Anyway, I tried yesterday the 2.1 logwatch plugin and it’s capturing all the lines.

Thanks!