Monit syslog logging over two lines

Issue #589 new
Ian Stacey created an issue

Looking for an explanation for unexpected behaviour that we are seeing. We have different Monit instances in different sites with different logging behaviour, both running 5.20.0.

When performing a content match, server1 will log the content match on one line and work as expected.

Server2 will log the content match over two lines and will therefore match the line at every interval, as if a new line character has been introduced.

Here's output from server1, where we are monitoring /var/log/messages for the string "daemon at audit_pid":

[user1@server1 ~]$ sudo cat /etc/monitrc | grep "/var/log/messages"  -A2
check file messages with path /var/log/messages
  ignore content = "monit"
  if content = "daemon at audit_pid" then exec "/home/user2/scripts/restart-auditd.sh"

[user1@server1 ~]$ sudo cat /var/log/messages | grep "user1: daemon at audit_pid" -A4
Apr  7 15:51:43 server1 user1: daemon at audit_pid
Apr  7 15:51:44 server1 monit: 'messages' content match:
Apr  7 15:51:44 server1 monit: Apr  7 15:51:43 server1 user1: daemon at audit_pid
Apr  7 15:51:44 server1 monit[1958]: 'messages' content match:#012Apr  7 15:51:43 server1 user1: daemon at audit_pid <<<<<< OUTPUT ON ONE LINE >>>>>>>
Apr  7 15:51:44 server1 monit[1958]: 'messages' exec: '/home/user2/scripts/restart-auditd.sh'
Apr  7 15:51:44 server1 monit: 'messages' exec: '/home/user2/scripts/restart-auditd.sh'
Apr  7 15:51:44 server1 monit: Stopping logging: [  OK  ]

Here's the same for server2:

[user2@server2 ~]$ sudo cat  /etc/monitrc |  grep "/var/log/messages"  -A2
check file messages with path /var/log/messages
  ignore content = "monit"
  if content = "daemon at audit_pid" then exec "/home/user2/scripts/restart-auditd.sh"

[user2@server2 ~]$ sudo cat  /var/log/messages | grep "user2: daemon at audit_pid" -A4
Apr  7 15:23:44 server2 monit: Apr  7 15:20:30 server2 openet: daemon at audit_pid
Apr  7 15:23:44 server2 monit[8348]: 'messages' content match:
Apr  7 15:20:30 server2 openet: daemon at audit_pid   <<<<<< OUTPUT OVER TWO LINES >>>>>>>
Apr  7 15:23:44 server2 monit[8348]: 'messages' exec: '/home/openet/scripts/restart-auditd.sh'
Apr  7 15:23:44 server2 monit: 'messages' exec: '/home/openet/scripts/restart-auditd.sh'

We worked around the issue by sending log messages to a standalone log file instead, but we're interested to understand the different behaviour.

We've done some tests with the logger command but cannot simulate the same behaviour.
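Added example, not from the reporter or the Monit project: a simplified model of the ignore/match line filter from the monitrc above, run over a constructed log line, showing why the one-line report is skipped while the two-line report matches again at every cycle. The function names, the "read only newly appended lines" loop and the report format are assumptions for illustration, not Monit's own code.

```python
import re

# Patterns taken from the monitrc shown above.
MATCH = re.compile(r"daemon at audit_pid")   # if content = "daemon at audit_pid"
IGNORE = re.compile(r"monit")                # ignore content = "monit"

# Constructed sample line, modelled on the server2 output above.
SAMPLE = "Apr  7 15:20:30 server2 openet: daemon at audit_pid"


def report(matched_line, split):
    """Lines that the match report adds to the watched file (hypothetical model).

    split=False: the line feed is escaped as #012 (octal for LF), so the
                 report is one record that contains the 'monit' tag.
    split=True:  the line feed is written raw, so the matched text lands on
                 its own line without any 'monit' tag.
    """
    head = "Apr  7 15:23:44 server2 monit[8348]: 'messages' content match:"
    if split:
        return [head, matched_line]
    return [head + "#012" + matched_line]


def simulate(first_line, split, cycles=5):
    """Return the number of cycles in which the exec action would fire."""
    log = [first_line]
    pos = 0            # only lines appended since the last cycle are inspected
    triggers = 0
    for _ in range(cycles):
        new, pos = log[pos:], len(log)
        # Ignored lines are dropped first, then the content pattern is tested.
        hits = [l for l in new if not IGNORE.search(l) and MATCH.search(l)]
        if hits:
            triggers += 1
        for hit in hits:
            log.extend(report(hit, split))   # the report feeds back into the file
    return triggers


if __name__ == "__main__":
    print("one-line report :", simulate(SAMPLE, split=False), "trigger(s)")
    print("two-line report :", simulate(SAMPLE, split=True), "trigger(s)")
```

In this model the escaped form fires once, because the report line carries the "monit" tag and is ignored, while the split form fires on every cycle because the continuation line has no tag for the ignore rule to catch.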

Comments (4)

  1. Tildeslash repo owner

    Please can you pass the output to the "od" utility and send the result? On both hosts:

    sudo cat /var/log/messages | egrep "user[12]: daemon at audit_pid" -A4 | od -xc
    
  2. Ian Stacey reporter

    Thanks for the update, please see the attachment.

    The server names are different from the call I raised, but hopefully they will make sense. I also amended the search string slightly to reduce the number of matches (we tested multiple times).

    Thanks, Ian

  3. Tildeslash repo owner

    Cannot find the attachments. Please can you add them to this issue or send them to support@mmonit.com?

    Best regards, The Monit team
