Monit syslog logging over two lines
Looking for an explanation for unexpected behaviour that we are seeing. We have different Monit instances in different sites with different logging behaviour, both running 5.20.0.
When performing a content match, server1 will log the content match on one line and work as expected.
Server2 will log the content match over two lines and will therefore match the line at every interval, as if a new line character has been introduced.
Here's output from server1, where we are monitoring /var/log/messages for the string "daemon at audit_pid":
[user1@server1 ~]$ sudo cat /etc/monitrc | grep "/var/log/messages" -A2
check file messages with path /var/log/messages
ignore content = "monit"
if content = "daemon at audit_pid" then exec "/home/user2/scripts/restart-auditd.sh"
[user1@server1 ~]$ sudo cat /var/log/messages | grep "user1: daemon at audit_pid" -A4
Apr 7 15:51:43 server1 user1: daemon at audit_pid
Apr 7 15:51:44 server1 monit: 'messages' content match:
Apr 7 15:51:44 server1 monit: Apr 7 15:51:43 server1 user1: daemon at audit_pid
Apr 7 15:51:44 server1 monit[1958]: 'messages' content match:#012Apr 7 15:51:43 server1 user1: daemon at audit_pid <<<<<< OUTPUT ON ONE LINE >>>>>>>
Apr 7 15:51:44 server1 monit[1958]: 'messages' exec: '/home/user2/scripts/restart-auditd.sh'
Apr 7 15:51:44 server1 monit: 'messages' exec: '/home/user2/scripts/restart-auditd.sh'
Apr 7 15:51:44 server1 monit: Stopping logging: [ OK ]
Here's the same for server2:
[user2@server2 ~]$ sudo cat /etc/monitrc | grep "/var/log/messages" -A2
check file messages with path /var/log/messages
ignore content = "monit"
if content = "daemon at audit_pid" then exec "/home/user2/scripts/restart-auditd.sh"
[user2@server2 ~]$ sudo cat /var/log/messages | grep "user2: daemon at audit_pid" -A4
Apr 7 15:23:44 server2 monit: Apr 7 15:20:30 server2 openet: daemon at audit_pid
Apr 7 15:23:44 server2 monit[8348]: 'messages' content match:
Apr 7 15:20:30 server2 openet: daemon at audit_pid <<<<<< OUTPUT OVER TWO LINES >>>>>>>
Apr 7 15:23:44 server2 monit[8348]: 'messages' exec: '/home/openet/scripts/restart-auditd.sh'
Apr 7 15:23:44 server2 monit: 'messages' exec: '/home/openet/scripts/restart-auditd.sh'
We worked around the issue by sending log messages to a standalone log file instead, but we're interested to understand the different behaviour.
We've done some tests with the logger command but cannot simulate the same behaviour.
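Added example, not part of the original report or of Monit's code: a shell sketch that models the two rules from the monitrc excerpt as plain substring tests (an assumption) over sample lines constructed from the excerpts above. It shows that the `#012` form (octal 012 is the line feed character) keeps the matched text on the monit line, which `ignore content = "monit"` covers, while a literal line feed leaves a second physical line that the ignore rule no longer covers.

```shell
#!/bin/sh
# Added example (not from the report): model the two monitrc rules as plain
# substring tests and show how a raw line feed changes what gets re-matched.

# Constructed samples modelled on the two /var/log/messages excerpts.
SERVER1_LOG="Apr 7 15:51:43 server1 user1: daemon at audit_pid
Apr 7 15:51:44 server1 monit[1958]: 'messages' content match:#012Apr 7 15:51:43 server1 user1: daemon at audit_pid"

SERVER2_LOG="Apr 7 15:20:30 server2 openet: daemon at audit_pid
Apr 7 15:23:44 server2 monit[8348]: 'messages' content match:
Apr 7 15:20:30 server2 openet: daemon at audit_pid"

# Count physical lines the check would act on: they contain the
# "if content" string and lack the "ignore content" string.
actionable_lines() {
  awk -v pat="daemon at audit_pid" -v ign="monit" \
    'index($0, pat) && !index($0, ign) { n++ } END { print n + 0 }'
}

# Report how the line feed inside the monit message was stored.
lf_form() {
  awk '
    index($0, "content match:#012") { esc++ }  # LF stored as octal escape
    /content match:$/               { raw++ }  # LF stored literally
    END {
      if (esc && raw) print "mixed"
      else if (esc)   print "escaped"
      else if (raw)   print "raw"
      else            print "none"
    }'
}

printf 'server1: lf=%s actionable=%s\n' \
  "$(printf '%s\n' "$SERVER1_LOG" | lf_form)" \
  "$(printf '%s\n' "$SERVER1_LOG" | actionable_lines)"
printf 'server2: lf=%s actionable=%s\n' \
  "$(printf '%s\n' "$SERVER2_LOG" | lf_form)" \
  "$(printf '%s\n' "$SERVER2_LOG" | actionable_lines)"
```

An actionable count above 1 for a single original event means the monit message itself produced a new line that satisfies the check.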
Comments (4)
-
repo owner please can you pass the output to "od" utility and send the result? On both hosts:
sudo cat /var/log/messages | egrep "user[12]: daemon at audit_pid" -A4 | od -xc
-
reporter Thanks for the update, please see the attachment.
The server names are different from the call I raised, but hopefully they will make sense. I also amended the search string slightly to reduce the number of matches (we tested multiple times).
Thanks, Ian
-
repo owner Cannot find the attachments, please can you add them to this issue or send them to support@mmonit.com?
Best regards, The Monit team