|
NAMEanalysis.cfg - Configuration file for the xymond_client moduleSYNOPSIS~Xymon/server/etc/analysis.cfgDESCRIPTIONThe analysis.cfg file controls what color is assigned to the status-messages that are generated from the Xymon client data - typically the cpu, disk, memory, procs- and msgs-columns. Color is decided on the basis of some settings defined in this file; settings apply to specific hosts through a set of rules.Note: This file is only used on the Xymon server - it is not used by the Xymon client, so there is no need to distribute it to your client systems. FILE FORMATBlank lines and lines starting with a hash mark (#) are treated as comments and ignored.CPU STATUS COLUMN SETTINGSLOAD warnlevel paniclevelIf the system load exceeds "warnlevel" or "paniclevel", the "cpu" status will go yellow or red, respectively. These are decimal numbers. Defaults: warnlevel=5.0, paniclevel=10.0 UP bootlimit toolonglimit [color] The cpu status goes yellow/red if the system has been up for less than "bootlimit" time, or longer than "toolonglimit". The time is in minutes, or you can add h/d/w for hours/days/weeks - eg. "2h" for two hours, or "4w" for 4 weeks. Defaults: bootlimit=1h, toolonglimit=-1 (infinite), color=yellow. CLOCK max.offset [color] The cpu status goes yellow/red if the system clock on the client
differs more than "max.offset" seconds from that of the Xymon
server. Note that this is not a particularly accurate test, since it is
affected by network delays between the client and the server, and the load
on both systems. You should therefore not rely on this being accurate to
more than +/- 5 seconds, but it will let you catch a client clock that goes
completely wrong. The default is NOT to check the system clock.
Example: Go yellow if the load average exceeds 5, and red if it exceeds 10. Also, go yellow for 10 minutes after a reboot, and after 4 weeks uptime. Finally, check that the system clock is at most 15 seconds offset from the clock of the Xymon system and go red if that is exceeded.
DISK STATUS COLUMN SETTINGSDISK filesystem warnlevel paniclevelDISK filesystem IGNORE INODE filesystem warnlevel paniclevel INODE filesystem IGNORE If the utilization of "filesystem" is reported to exceed "warnlevel" or "paniclevel", the "disk" status will go yellow or red, respectively. "warnlevel" and "paniclevel" are either the percentage used, or the space available as reported by the local "df" command on the host. For the latter type of check, the "warnlevel" must be followed by the letter "U", e.g. "1024U". The special keyword "IGNORE" causes this filesystem to be ignored completely, i.e. it will not appear in the "disk" status column and it will not be tracked in a graph. This is useful for e.g. removable devices, backup-disks and similar hardware. "filesystem" is the mount-point where the filesystem is mounted, e.g. "/usr" or "/home". A filesystem-name that begins with "%" is interpreted as a Perl-compatible regular expression; e.g. "%^/oracle.*/" will match any filesystem whose mountpoint begins with "/oracle". "INODE" works identical to "DISK", but uses the count of i-nodes in the filesystem instead of the amount of disk space. Defaults DISK: warnlevel=90%, paniclevel=95% Defaults INODE: warnlevel=70%, paniclevel=90% MEMORY STATUS COLUMN SETTINGSMEMPHYS warnlevel paniclevelMEMACT warnlevel paniclevel MEMSWAP warnlevel paniclevel If the memory utilization exceeds the "warnlevel" or "paniclevel", the "memory" status will change to yellow or red, respectively. Note: The words "PHYS", "ACT" and "SWAP" are also recognized. Example: Go yellow if more than 20% swap is used, and red if more than 40% swap is used or the actual memory utilisation exceeds 90%. Don't alert on physical memory usage.
Defaults:
PROCS STATUS COLUMN SETTINGSPROC processname minimumcount maximumcount color [TRACK=id] [TEXT=text]The "ps" listing sent by the client will be scanned for how many processes containing "processname" are running, and this is then matched against the min/max settings defined here. If the running count is outside the thresholds, the color of the "procs" status changes to "color". To check for a process that must NOT be running: Set minimum and maximum to 0. "processname" can be a simple string, in which case this
string must show up in the "ps" listing as a command. The scanner
will find a ps-listing of e.g. "/usr/sbin/cron" if you only
specify "processname" as "cron". "processname"
can also be a Perl-compatiable regular expression, e.g.
"%java.*inst[0123]" can be used to find entries in the ps-listing
for "java -Xmx512m inst2" and "java -Xmx256 inst3". In
that case, "processname" must begin with "%" followed by
the regular expression. Note that Xymon defaults to case-insensitive pattern
matching; if that is not what you want, put "(?-i)" between the
"%" and the regular expression to turn this off. E.g.
"%(?-i)HTTPD" will match the word HTTPD only when it is
upper-case.
PROC "%xymond_channel --channel=data.*xymond_rrd" 1 1 yellow or PROC "java -DCLASSPATH=/opt/java/lib" 2 5 You can have multiple "PROC" entries for the same host, all of the checks are merged into the "procs" status and the most severe check defines the color of the status. The optional TRACK=id setting causes Xymon to track the
number of processes found in an RRD file, and put this into a graph which is
shown on the "procs" status display. The id setting is a
simple text string which will be used as the legend for the graph, and also
as part of the RRD filename. It is recommended that you use only letters and
digits for the ID.
The optional TEXT=text setting is used in the summary of the "procs" status. Normally, the summary will show the "processname" to identify the process and the related count and limits. But this may be a regular expression which is not easily recognizable, so if defined, the text setting string will be used instead. This only affects the "procs" status display - it has no effect on how the rule counts or recognizes processes in the "ps" output. Example: Check that "cron" is running:
Example: Check that at least 5 "httpd" processes are
running, but not more than 20:
Defaults:
MSGS STATUS COLUMN SETTINGSLOG logfilename pattern [COLOR=color] [IGNORE=excludepattern] [OPTIONAL]The Xymon client extracts interesting lines from one or more logfiles - see the client-local.cfg(5) man-page for information about how to configure which logs a client should look at. The LOG setting determine how these extracts of log entries are processed, and what warnings or alerts trigger as a result. "logfilename" is the name of the logfile. Only logentries from this filename will be matched against this rule. Note that "logfilename" can be a regular expression (if prefixed with a '%' character). "pattern" is a string or regular expression. If the logfile data matches "pattern", it will trigger the "msgs" column to change color. If no "color" parameter is present, the default is to go "red" when the pattern is matched. To match against a regular expression, "pattern" must begin with a '%' sign - e.g "%WARNING|NOTICE" will match any lines containing either of these two words. Note that Xymon defaults to case-insensitive pattern matching; if that is not what you want, put "(?-i)" between the "%" and the regular expression to turn this off. E.g. "%(?-i)WARNING" will match the word WARNING only when it is upper-case. "excludepattern" is a string or regular expression that can be used to filter out any unwanted strings that happen to match "pattern". The OPTIONAL keyword causes the check to be skipped if the logfile does not exist. Example: Trigger a red alert when the string "ERROR"
appears in the "/var/adm/syslog" file:
Example: Trigger a yellow warning on all occurrences of the word
"WARNING" or "NOTICE" in the "daemon.log"
file, except those from the "lpr" system:
Defaults:
Note that no logfiles are checked by default. Any log data reported by a client will just show up on the "msgs" column with status OK (green). FILES STATUS COLUMN SETTINGSFILE filename [color] [things to check] [OPTIONAL] [TRACK]DIR directoryname [color] [size<MAXSIZE] [size>MINSIZE] [TRACK] These entries control the status of the "files" column. They allow you to check on various data for files and directories. filename and directoryname are names of files or directories, with a full path. You can use a regular expression to match the names of files and directories reported by the client, if you prefix the expression with a '%' character. color is the color that triggers when one or more of the checks fail. The OPTIONAL keyword causes this check to be skipped if the file does not exist. E.g. you can use this to check if files that should be temporary are not deleted, by checking that they are not older than the max time you would expect them to stick around, and then using OPTIONAL to ignore the state where no files exist. The TRACK keyword causes the size of the file or directory to be tracked in an RRD file, and presented in a graph on the "files" status display. For files, you can check one or more of the following:
For directories, you can check one or more of the following:
Experience shows that it can be difficult to get these rules right. Especially when defining minimum/maximum values for file sizes, when they were last modified etc. The one thing you must remember when setting up these checks is that the rules describe criteria that must be met - only when they are met will the status be green. So "mtime<600" means "the difference between current time and the mtime of the file must be less than 600 seconds - if not, the file status will go red". PORTS STATUS COLUMN SETTINGSPORT criteria [MIN=mincount] [MAX=maxcount] [COLOR=color] [TRACK=id] [TEXT=displaytext]The "netstat" listing sent by the client will be scanned for how many sockets match the criteria listed. The criteria you can use are:
"addr" is typically "10.0.0.1:80" for the IP
10.0.0.1, port 80. Or "*:80" for any local address, port 80. Note
that the Xymon clients normally report only the numeric data for
IP-addresses and port-numbers, so you must specify the port number (e.g.
"80") instead of the service name ("www").
The socket count found is then matched against the min/max settings defined here. If the count is outside the thresholds, the color of the "ports" status changes to "color". To check for a socket that must NOT exist: Set minimum and maximum to 0. The optional TRACK=id setting causes Xymon to track the
number of sockets found in an RRD file, and put this into a graph which is
shown on the "ports" status display. The id setting is a
simple text string which will be used as the legend for the graph, and also
as part of the RRD filename. It is recommended that you use only letters and
digits for the ID.
The TEXT=displaytext option affects how the port appears on the "ports" status page. By default, the port is listed with the local/remote/state rules as identification, but this may be somewhat difficult to understand. You can then use e.g. "TEXT=Secure Shell" to make these ports appear with the name "Secure Shell" instead. Defaults: mincount=1, maxcount=-1 (unlimited), color="red". Note: No ports are checked by default. Example: Check that the SSH daemon is listening on port 22. Track the number of active SSH connections, and warn if there are more than 5. PORT LOCAL=%[.:]22$ STATE=LISTEN "TEXT=SSH listener" PORT LOCAL=%[.:]22$ STATE=ESTABLISHED MAX=5 TRACK=ssh TEXT=SSH SVCS status (Microsoft Windows clients)SVC servicename status=(started|stopped) [startup=automatic|disabled|manual]DS - RRD based status overrideDS column filename:dataset rules COLOR=colorname TEXT=explanation"column" is the statuscolumn that will be modified. "filename" is the name of the RRD file holding the data you use for comparison. "dataset" is the name of the dataset in the RRD file - the "rrdtool info" command is useful when determining these. "rules" determine when to apply the override. You can use ">", ">=", "<" or "<=" to compare the current measurement value against one or more thresholds. "explanation" is a text that will be shown to explain the override - you can use some placeholders in the text: "&N" is replaced with the name of the dataset, "&V" is replaced with the current value, "&L" is replaced by the low threshold, "&U" is replaced with the upper threshold. NOTE: This rule uses the raw data value from a client to examine the rules. So this type of test is only really suitable for datasets that are of the "GAUGE" type. It cannot be used meaningfully for datasets that use "COUNTER" or "DERIVE" - e.g. the datasets that are used to capture network packet traffic - because the data stored in the RRD for COUNTER-based datasets undergo a transformation (calculation) when going into the RRD. Xymon does not have direct access to the calculated data. Example: Flag "conn" status a yellow if responsetime
exceeds 100 msec.
MQ Series SETTINGSMQ_QUEUE queuename [age-warning=N] [age-critical=N] [depth-warning=N] [depth-critical=N]MQ_CHANNEL channelname [warning=PATTERN] [alert=PATTERN] This is a set of checks for checking the health of IBM MQ message-queues. It requires the "mq.sh" or similar collector module to run on a node with access to the MQ "Queue Manager" so it can report the status of queues and channels. The MQ_QUEUE setting checks the health of a single queue: You can warn (yellow) or alert (red) based on the depth of the queue, and/or the age of the oldest entry in the queue. These values are taken directly from the output generated by the "runmqsc" utility. The MQ_CHANNEL setting checks the health of a single MQ channel: You can warn or alert based on the reported status of the channel. The PATTERN is a normal pattern, i.e. either a list of status keywords, or a regular expression pattern. CHANGING THE DEFAULT SETTINGSIf you would like to use different defaults for the settings described above, then you can define the new defaults after a DEFAULT line. E.g. this would explicitly define all of the default settings:
RULES TO SELECT HOSTSAll of the settings can be applied to a group of hosts, by preceding them with rules. A rule defines of one of more filters using these keywords (note that this is identical to the rule definitions used in the alerts.cfg(5) file).PAGE=targetstring Rule matching an alert by the name of the page in Xymon. "targetstring" is the path of the page as defined in the hosts.cfg file. E.g. if you have this setup:
Then the "All servers" page is found with PAGE=servers, the "Webservers" page is PAGE=servers/web and the "Database servers" page is PAGE=servers/db. Note that you can also use regular expressions to specify the page name, e.g. PAGE=%.*/db would find the "Database servers" page regardless of where this page was placed in the hierarchy. The top-level page has a the fixed name /, e.g. PAGE=/ would match all hosts on the Xymon frontpage. If you need it in a regular expression, use PAGE=%^/ to avoid matching the forward-slash present in subpage-names. EXPAGE=targetstring Rule excluding a host if the pagename matches. HOST=targetstring Rule matching a host by the hostname. "targetstring" is either a comma-separated list of hostnames (from the hosts.cfg file), "*" to indicate "all hosts", or a Perl-compatible regular expression. E.g. "HOST=dns.foo.com,www.foo.com" identifies two specific hosts; "HOST=%www.*.foo.com EXHOST=www-test.foo.com" matches all hosts with a name beginning with "www", except the "www-test" host. EXHOST=targetstring Rule excluding a host by matching the hostname. CLASS=classname Rule match by the client class-name. You specify the class-name for a host when starting the client through the "--class=NAME" option to the runclient.sh script. If no class is specified, the host by default goes into a class named by the operating system. EXCLASS=classname Exclude all hosts belonging to "classname" from this rule. DISPLAYGROUP=groupstring Rule matching an alert by the text of the display-group (text following the group, group-only, group-except heading) in the hosts.cfg file. "groupstring" is the text for the group, stripped of any HTML tags. E.g. if you have this setup:
Then the hosts in the Web-group can be matched with DISPLAYGROUP=Web, and the database servers can be matched with DISPLAYGROUP="Production databases". Note that you can also use regular expressions, e.g. DISPLAYGROUP=%database. If there is no group-setting for the host, use "DISPLAYGROUP=NONE". EXDISPLAYGROUP=groupstring Rule excluding a group by matching the display-group string. TIME=timespecification Rule matching by the time-of-day. This is specified as the DOWNTIME time specification in the hosts.cfg file. E.g. "TIME=W:0800:2200" applied to a rule will make this rule active only on week-days between 8AM and 10PM. EXTIME=timespecification Rule excluding by the time-of-day. This is also specified as the DOWNTIME time specification in the hosts.cfg file. E.g. "TIME=W:0400:0600" applied to a rule will make this rule exclude on week-days between 4AM and 6AM. This applies on top of any TIME= specification, so both must match. DIRECTING ALERTS TO GROUPSFor some tests - e.g. "procs" or "msgs" - the right group of people to alert in case of a failure may be different, depending on which of the client rules actually detected a problem. E.g. if you have PROCS rules for a host checking both "httpd" and "sshd" processes, then the Web admins should handle httpd-failures, whereas "sshd" failures are handled by the Unix admins.To handle this, all rules can have a "GROUP=groupname" setting. When a rule with this setting triggers a yellow or red status, the groupname is passed on to the Xymon alerts module, so you can use it in the alert rule definitions in alerts.cfg(5) to direct alerts to the correct group of people. RULES: APPLYING SETTINGS TO SELECTED HOSTSRules must be placed after the settings, e.g.
If you have multiple settings that you want to apply the same rules to, you can write the rules *only* on one line, followed by the settings. E.g.
will apply the three settings to all of the "db" hosts on week-days between 8AM and 4PM. This can be combined with per-settings rule, in which case the per-settings rule overrides the general rule; e.g.
will result in the load-limits being 7.0/12.0 for the "bax.foo.com" host, and 3.0/8.0 for all other foo.com hosts. The entire file is evaluated from the top to bottom, and the first match found is used. So you should put the specific settings first, and the generic ones last. NOTESFor the LOG, FILE and DIR checks, it is necessary also to configure the actual file- and directory-names in the client-local.cfg(5) file. If the filenames are not listed there, the clients will not collect any data about these files/directories, and the settings in the analysis.cfg file will be silently ignored.The ability to compute file checksums with MD5, SHA1 or RMD160 should not be used for general-purpose file integrity checking, since the overhead of calculating these on a large number of files can be significant. If you need this, look at tools designed for this purpose - e.g. Tripwire or AIDE. At the time of writing (april 2006), the SHA-1 and RMD160 algorithms are considered cryptographically safe. The MD5 algorithm has been shown to have some weaknesses, and is not considered strong enough when a high level of security is required. SEE ALSOxymond_client(8), client-local.cfg(5), xymond(8), xymon(7)
Visit the GSP FreeBSD Man Page Interface. |