Real-time logfile monitoring

[willemdh]

Hello,
Is there a way to not use a separator or split in a real-time logfile check

[/settings/logfile/real-time/checks/LOG_DrosoService]
file = M:\ApplicationLogs\DrosoService\log.txt
destination = NSCA,FILE
filter = column4 like 'INFO'
critical = column4 like 'INFO'
column separator=;

I have some logfiles with variable structured data and would like to just

• check if the last log line contains string x
• if so send to NSCA

Tried omitting column separator but that doesn't work. Also notices that a space as separtor also doesn't work.

Any tips to achive the above?

[mickem]

It is called column split=; I just noticed my blog is wrong (though separator sounds better I think)...
As for space that is a known issue, which I should have fixed ages ago really...
I have fixed it for realtime filters in the "Next build" so will be fixed soon... (hopefully)

[willemdh]

Thanks Michael, Looking forward to the fix. Is there a way to not use a separator and just consider each line as one column? I'm just trying to alert if a new logline contains 'ERROR'. It would theoretically not be necessary to split the log into multiple columns for this particular case.

[mickem]

there is a line you can use as well and substring match that (or regexp)

[mickem]

BTW cant upload from #osmc (netowkr issues) so wont be a fix till i get hiome...

[willemdh]

No problem Michael. i'm not really sure what you mean with

there is a line you can use as well and substring match that (or regexp)

Do you mean this:

[/settings/logfile/real-time/checks/LOG_DrosoService]
file = M:\ApplicationLogs\DrosoService\log.txt
destination = NSCA,FILE
critical = line like 'ERROR'

[mickem]

yes thats what I mean... not 100% sure it is called line but that should be in the docs...

[willemdh]

Michael,

I have tried to get this working on the latest stable release 0.4.4.12 as wel as 0.4.1.105, but have not been able to get it working. It doesn't even seem to notice any changes on 0.4.4.12..

My C:\Logtest.txt looks like this:

INFO;text 
INFO;text 
WARNING;text 
INFO;text 
INFO;text 

And i'm populating it with

echo INFO;text >> C:\Logtest.txt
echo WARNING;text >> C:\Logtest.txt

These are the relevant parts of the nsclient.ini on 0.4.4.12:

[/modules]
CheckDisk = 1
CheckEventLog = 1
CheckExternalScripts = 1
CheckHelpers = 1
CheckLogFile = 1
CheckNSCP = 1
CheckSystem = 1
CheckTaskSched = 0
CheckWMI = 1
CommandClient = 0
DotnetPlugins = 0
GraphiteClient = 0
NRDPClient = 0
NRPEClient = 0
NRPEServer = 1
NSCAClient = 1
NSCAServer = 0
NSClientServer = 1
PythonScript = 0
Scheduler = 0
SimpleCache = 0
SimpleFileWriter = 0
SMTPClient = 0
SyslogClient = 0
WEBServer = 0

[/settings/logfile]

[/settings/logfile/real-time]
enabled = 1

[/settings/logfile/real-time/checks]

[/settings/logfile/real-time/checks/LOG_Test1]
file = C:\Logtest.txt
destination = NSCA,FILE
filter = line like 'WARNING'
critical = line like 'WARNING'

[/settings/logfile/real-time/checks/LOG_Test2]
file = C:\Logtest.txt
destination = NSCA,FILE
filter = column1 like 'WARNING'
critical = column1 like 'WARNING'
column split=;

As you can see I tested with line and column but neither seem to be working on 0.4.4.12.
On 0.4.1.105 I do get it working, but only when I'm using the 'column separator=;' not with line.

Let me know if you notice anything missing in my config. I have been searching through your documentation at examples but couldn't find any.

[mickem]

Two things.

1, using c:\ is not a good idea.
The way this works (in windows) is that you subscribe to a folder (recursively) for changes.
o using c:\test.txt will mean nsclient++ will get change notifications pretty much all the time.
(And thus end up using a lot of CPU).

2, there was an issue when the file did not exist on startup which will be fixed in the next build.
Apart from that this works handsomely (for me).

My slightly modified (working) config:

[/modules]
CheckLogFile = 1
SimpleFileWriter = 1

[/settings/logfile/real-time]
enabled = 1

[/settings/logfile/real-time/checks/LOG_Test1]
file = C:\source\test\test.txt
destination = FILE
filter = line like 'WARNING'
critical = line like 'WARNING'

[/settings/logfile/real-time/checks/LOG_Test2]
file = C:\source\test\test.txt
destination = FILE
filter = column1 like 'WARNING'
critical = column1 like 'WARNING'
column split=;

[/settings/writers/file]
file = C:\source\test\out.txt

What I get in out.txt is the following:

LOG_Test2 CRITICAL C:\source\test\test.txt: 1 (WARNING, text , )
LOG_Test1 CRITICAL C:\source\test\test.txt: 1 (WARNING;text , , )

When I get back from OSMC (sunday) I will push a build which fixes the file is missing on start.

[willemdh]

Hmm at home atm where I can't get this to work on 0.5.0.9..

[/modules]
CheckLogFile = 1
SimpleFileWriter = 1

[/settings/logfile/real-time]
enabled = 1

[/settings/logfile/real-time/checks]

[/settings/logfile/real-time/checks/LOG_Test1]
file = C:\Nagios\NAF\Logtest.log
destination = FILE
filter = line like 'WARNING'
critical = line like 'WARNING'

[/settings/logfile/real-time/checks/LOG_Test2]
file = C:\Nagios\NAF\Logtest.log
destination = FILE
severity = CRITICAL
filter = column1 like 'hello'
critical = column2 like 'world'
column split =;

[/settings/writers/file]
syntax = ${alias-or-command} ${result} ${message}
file = C:\Nagios\NAF\output.txt
channel = FILE

nscp test does't even seem to notice file changes. I'll test again next release. It's like checklogfile is't even started.
Just also tested on 0.4.4 and I'm also not getting it to work there.. :(

Could you please specify the version you used to test this and your complete nsclient.ini? There must be something different if it works for you....

[mickem]

I am using an unreleased build based of master so there could be changes (did numerous fixes for the workshop at OSMC). This build will be out as soon as I get back home.

The config I posted above is the full one I used...