-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathEVENTS
76 lines (47 loc) · 2.15 KB
/
EVENTS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
Looks for events in the Application, System and Security logs.
Scans from the most recent entries backwards. Has a maximum age
beyond which any entries are ignored.
The maximum age is determined by the msgage directive in mrbig.cfg.
Messages are filtered according to rules in msgs.cfg. Messages can
be filtered by source, type and message text. Each rule follows this
format:
action test value
The action is one of red, yellow, green or ignore.
The test is one of source, type or message.
The value depends on the test. For the source test, value is the
complete name of the message source. For the message test, value
is part of the message text. For the type test, value is one of
success, warning, error, audit_success or audit_failure.
Filtering might look something like:
red type error
red type audit_failure
yellow type warning
This will give the same default behaviour as the current BB client.
Add rules to ignore all messages from Dhcp:
ignore source dhcp
Finally we want everything about the master browser, but no alarm:
green message master browser
The list of rules is scanned from top to bottom. Every message log entry
is matched against the list. The first rule that matches determines
what will happen:
ignore = throw the entry away without looking at the other rules
red = red alarm
yellow = yellow alarm
green = green "alarm"
If an entry falls through without matching any rule, it is discarded.
This also means that an empty or missing msgs.cfg will not generate
any message alarms at all.
Matching is case-sensitive. The source string must match exactly.
The message string only has to match part of the event log entry.
---
Actions for repeated messages!
repeat 10 1800 red message master browser
Now we will get a red status if there are 10 or more messages within the
last 30 minutes with the string "master browser".
repeat 10 1800 red type error
Red status is there are 10 or more messages within the last 30 minutes
with the type error, regardless of contents.
The repeat directive can be mixed with the old filtering directives,
and Mr Big will trigger on the first match. This makes the old rules
equivalent to
repeat 1 100000 action test value