TextLog - Look for expression

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Servie, RCC).
Post Reply
JuergenF
Posts: 331
Joined: Sun Jan 26, 2003 6:00 pm
Location: Germany, North Rhine-Westphalia

TextLog - Look for expression

Post by JuergenF »

Dear all,

is there a problem ? Or maybe I'm to blind to see ?
I use the following expression for checking a syslog file on a linux system (with rma Agent on that system)
(HM V7.10, passive RMA Platform: Linux (Red Hat, Mandrake, SuSE), V1.25)

Look for expression:
("-1-" or "-2-" or "-3-" or "-4-" or "-5-") and ("dcdw000" or "dcdw001") and not ("dcdw0015" and "FastEthernet4/3") and not ("dcdw0004" and "FastEthernet1/22")

And I get an alarm for this kind of message
*******************************************
Message from HostMonitor (host changed status)

Test : TextLog: wersv090:/var/log/warn - Core
Method: Text Log test
Status : Warning
Date : 2008-03-22 04:36:24
Reply : Mar 22 04:34:48 dcdw0004.wetter.dematic.de 252: Mar 22 04:34:37.208: %LINK-3-UPDOWN: Interface FastEthernet1/22, changed state to up

Recurrences : 1
Last status: Ok
Total tests: 7764
Alive ratio : 96.19 %
Dead ratio: 3.81 %

Folder: Wetter Switches
**********************************************
From my point of view the
and not ("dcdw0004" and "FastEthernet1/22")
should avoid raising an alarm.

By the way:
and not ("dcdw0015" and "FastEthernet4/3")
is working fine - means no alarm

Thanks

Juergen

PS: from :/var/log/warn
Mar 21 03:27:25 dcdw0015.wetter.dematic.de 9288: Mar 21 03:27:19.898: %LINK-3-UPDOWN: Interface FastEthernet4/3, changed state to down
Mar 21 03:27:26 dcdw0015.wetter.dematic.de 9289: Mar 21 03:27:19.898: %LINK-SP-3-UPDOWN: Interface FastEthernet4/3, changed state to down
Mar 21 03:27:26 dcdw0015.wetter.dematic.de 9290: Mar 21 03:27:20.690: %LINK-3-UPDOWN: Interface FastEthernet4/3, changed state to up
Mar 21 03:27:27 dcdw0015.wetter.dematic.de 9291: Mar 21 03:27:20.694: %LINK-SP-3-UPDOWN: Interface FastEthernet4/3, changed state to up
Mar 20 16:19:26 dcdw0004.wetter.dematic.de 239: Mar 20 16:19:17.425: %LINK-3-UPDOWN: Interface FastEthernet1/22, changed state to down
Mar 20 16:19:26 dcdw0004.wetter.dematic.de 240: Mar 20 16:19:17.793: %LINK-3-UPDOWN: Interface FastEthernet1/22, changed state to up

The test: (HM V7.10, passive RMA Platform: Linux (Red Hat, Mandrake, SuSE), V1.25)
;-----------------------------------------------------------------------------
;- HostMonitor`s export/import file -
;- Generated by HostMonitor at 2008-03-22 05:04:52 -
;- Source file: E:\Program Files\HostMonitor\DCC-Network.hml -
;- Generation mode: Selected_Tests -
;-----------------------------------------------------------------------------


; ------- Test #01 -------


Method = TextLog
;--- Common properties ---
;DestFolder = DCC\Wetter Switches\
RMAgent = FTP.90 - wersv090
Title = TextLog: wersv090:/var/log/warn - Core
Comment = TextLog: wersv090:/var/log/warn - Core
RelatedURL =
ScheduleMode= Regular
Schedule = 7 Days, 24 Hours
Interval = 300
Alerts = Mail to DCC-Network-Team
ReverseAlert= No
UnknownIsBad= Yes
WarningIsBad= Yes
UseWarning = Yes
WarningExpr = %udv_status_bad%
UseCommonLog= Yes
PrivLogMode = Default
CommLogMode = Default
SyncCounters= Yes
SyncAlerts = No
DependsOn = list
MasterTest-Alive = WERSV090 - FTP .90
;--- Test specific properties ---
File = /var/log/warn
FileMacros = No
LookFor = ("-1-" or "-2-" or "-3-" or "-4-" or "-5-") and ("dcdw000" or "dcdw001") and not ("dcdw0015" and "FastEthernet4/3") and not ("dcdw0004" and "FastEthernet1/22")
LookMode = Expression
MatchCase = No
WholeWord = No
UseMacros = No
AlertMode = AllEvents
ReplyMode = Line
ReplyFilter = WholeLine
ReplyRange1 = 0
ReplyRange2 = 0

;-----------------------------------------------------------------------------
; Exported 1 items
Top
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:
Contact KS-Soft

Post by KS-Soft »

I would recommend to put additional brackets
("-1-" or "-2-" or "-3-" or "-4-" or "-5-") and ("dcdw000" or "dcdw001") and (not ("dcdw0015" and "FastEthernet4/3")) and (not ("dcdw0004" and "FastEthernet1/22"))
otherwise 1st not can be applied to ("dcdw0015" and "FastEthernet4/3") and not ("dcdw0004" and "FastEthernet1/22") expression

Regards
Alex
Top
JuergenF
Posts: 331
Joined: Sun Jan 26, 2003 6:00 pm
Location: Germany, North Rhine-Westphalia

Post by JuergenF »

KS-Soft wrote:I would recommend to put additional brackets
("-1-" or "-2-" or "-3-" or "-4-" or "-5-") and ("dcdw000" or "dcdw001") and (not ("dcdw0015" and "FastEthernet4/3")) and (not ("dcdw0004" and "FastEthernet1/22"))
otherwise 1st not can be applied to ("dcdw0015" and "FastEthernet4/3") and not ("dcdw0004" and "FastEthernet1/22") expression

Regards
Alex
Hi Alex,

that works. As
... and not (("dcdw0015" and "FastEthernet4/3") or ("dcdw0004" and "FastEthernet1/22"))
does.

But is that correct behavior from mathematical / logical point of view ?

Whatever, I have a solution.

Many thanks

Juergen
Top
Post Reply

Return to “Configuration, Maintenance, Troubleshooting”