[Nagiosplug-help] Usage of check_log
Ralph.Grothe at itdz-berlin.de
Tue Aug 9 18:11:13 CEST 2005
Hello,
I do have to apologize!
I didn't realize that check_log is a commented mere shell script.
I have to admit that even if it was a binary built from a C source file,
I still could look up the source code from the Plug-ins tarball.
That's the advantage of open source, that you don't have to base guesses on
some reverse engineering.
I think I will figure out myself how it is meant to be employed.
This should give me enough to get started with this particular plug-in
$ file /usr/local/nagios/libexec/check_log
/usr/local/nagios/libexec/check_log: commands text
$ head -56 /usr/local/nagios/libexec/check_log
#! /bin/sh
#
# Log file pattern detector plugin for Nagios
# Written by Ethan Galstad (nagios at nagios.org)
# Last Modified: 07-31-1999
#
# Usage: ./check_log <log_file> <old_log_file> <pattern>
#
# Description:
#
# This plugin will scan a log file (specified by the <log_file> option)
# for a specific pattern (specified by the <pattern> option). Successive
# calls to the plugin script will only report *new* pattern matches in the
# log file, since an copy of the log file from the previous run is saved
# to <old_log_file>.
#
# Output:
#
# On the first run of the plugin, it will return an OK state with a message
# of "Log check data initialized". On successive runs, it will return an OK
# state if *no* pattern matches have been found in the *difference* between the
# log file and the older copy of the log file. If the plugin detects any
# pattern matches in the log diff, it will return a CRITICAL state and print
# out a message is the following format: "(x) last_match", where "x" is the
# total number of pattern matches found in the file and "last_match" is the
# last entry in the log file which matches the pattern.
#
# Notes:
#
# If you use this plugin make sure to keep the following in mind:
#
# 1. The "max_attempts" value for the service should be 1, as this
# will prevent Nagios from retrying the service check (the
# next time the check is run it will not produce the same results).
#
# 2. The "notify_recovery" value for the service should be 0, so that
# Nagios does not notify you of "recoveries" for the check. Since
# pattern matches in the log file will only be reported once and not
# the next time, there will always be "recoveries" for the service, even
# though recoveries really don't apply to this type of check.
#
# 3. You *must* supply a different <old_file_log> for each service that
# you define to use this plugin script - even if the different services
# check the same <log_file> for pattern matches. This is necessary
# because of the way the script operates.
#
# Examples:
#
# Check for login failures in the syslog...
#
# check_log /var/log/messages ./check_log.badlogins.old "LOGIN FAILURE"
#
# Check for port scan alerts generated by Psionic's PortSentry software...
#
# check_log /var/log/message ./check_log.portscan.old "attackalert"
#
> -----Original Message-----
> From: Server Admin [mailto:admin at treenetnz.com]
> Sent: Monday, August 08, 2005 6:16 PM
> To: Ralph.Grothe at itdz-berlin.de
> Cc: nagios-users at lists.sourceforge.net;
> nagiosplug-help at lists.sourceforge.net
> Subject: Re: [Nagiosplug-help] Usage of check_log
>
>
> Ralph.Grothe at itdz-berlin.de wrote:
> > Hello,
> >
> > this may all be pretty obvious and self-explanatory to long time
> > Nagios veterans.
> >
> > But I beg your pardon, this ultra terse help screen doesn't
> > instruct me at all on the correct usage of this particular
> > plug-in.
> > Does it cause the plug-in authors such hardship to spare the
> > extra 80 chars or so for a lucid example line?
> >
> >
> > # libexec/check_log --help
> > check_log (nagios-plugins 1.4) 1.4
> > The nagios plugins come with ABSOLUTELY NO WARRANTY. You may redistribute
> > copies of the plugins under the terms of the GNU General Public License.
> > For more information about these matters, see the file named COPYING.
> >
> > Usage: check_log -F logfile -O oldlog -q query
> > Usage: check_log --help
> > Usage: check_log --version
> >
> > Log file pattern detector plugin for Nagios
> >
> > Send email to nagios-users at lists.sourceforge.net if you have questions
> > regarding use of this software. To submit patches or suggest improvements,
> > send email to nagiosplug-devel at lists.sourceforge.net.
> > Please include version information with all correspondence (when possible,
> > use output from the --version option of the plugin itself).
> >
> >
> >
> > For instance I'm after kernel Oops and similar utters from the
> > kernel that are marked on my host's OS
> > as vmunix in syslogd's main log, and almost always (except during
> > system startup) indicate a critical condition.
> >
> > e.g.
> >
> > # grep vmunix /var/adm/syslog/syslog.log|tail -1
> > Apr 29 09:44:20 terra vmunix: vxfs: mesg 001: vx_nospace - /dev/vg03/lvol1 file system full (1 block extent)
> >
> >
> >
> > Now I would want check_nrpe to run something like
> >
> > $libexec_dir/check_log -F /var/adm/syslog/syslog.log -q /vmunix/
> >
> >
> > But according to the above usage synopsis this was wrong syntax
> > because the -O option was lacking.
> > But then I wouldn't know what -O was good for.
> > Intuitively I would associate it with some intended output file.
> > But the "oldlog" would be a bit of a misnomer.
> > Or does it relate to also parsing some older, probably already
> > rotated logfile.
> >
> > You see, this is all highly speculative and leaves ample space
> > for wild guesses.
> >
>
> RTFM. It is in there somewhere. I found it after the same problem.
>
> check_log is a special case in plugins being a stateful check and -O is
> part of the solution.
> You see in order to check the log for updates it needs to keep a record
> of what the log looked like last time it checked. -O indicates the
> filename each instance of check_log needs to keep this record.
>
> There are two catches here:
> - first, you need a unique -O and thus command for every log being checked.
> - second, two consecutive checks will provide different results.
> ie. the first may find entries for a WARNING/CRITICAL, further checks
> after will find none and report OKAY until a new matching log entry is
> added.
>
>
> AYJ
>
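
The stateful behaviour described in the plugin header and in the quoted reply, as an added shell sketch (not part of the original posts and not the check_log source). The function names stateful_check and demo are hypothetical, the log lines are constructed, and the exit codes assume the usual Nagios convention (0 = OK, 2 = CRITICAL).

```shell
#!/bin/sh
# Added sketch, NOT the check_log source: it reimplements only the behaviour
# described in the plugin's header comments. Function names are hypothetical;
# exit codes follow the Nagios convention (0 = OK, 2 = CRITICAL).

# stateful_check <log_file> <old_log_file> <pattern>
stateful_check() {
    log=$1; old=$2; pattern=$3
    if [ ! -f "$old" ]; then            # first run: record state only
        cp "$log" "$old"
        echo "Log check data initialized"
        return 0
    fi
    # Lines added since the saved copy show up as "> ..." in diff output.
    new=$(diff "$old" "$log" | sed -n 's/^> //p')
    cp "$log" "$old"                    # next run will see none of these lines
    count=$(printf '%s\n' "$new" | grep -c -- "$pattern" || true)
    if [ "$count" -eq 0 ]; then
        echo "Log check ok - 0 pattern matches found"
        return 0
    fi
    echo "($count) $(printf '%s\n' "$new" | grep -- "$pattern" | tail -1)"
    return 2
}

# Run two services against one constructed log; prints their exit codes.
# $1 = "unique" (one state file per service) or "shared" (the mistake).
demo() {
    dir=$(mktemp -d); log=$dir/syslog.log
    a=$dir/badlogins.old; b=$dir/portscan.old
    [ "$1" = shared ] && b=$a
    echo "Aug  9 18:00:01 host sshd: session opened" > "$log"   # constructed
    stateful_check "$log" "$a" "LOGIN FAILURE" >/dev/null
    stateful_check "$log" "$b" "attackalert"   >/dev/null
    echo "Aug  9 18:05:00 host login: LOGIN FAILURE on tty1"    >> "$log"
    echo "Aug  9 18:05:02 host portsentry: attackalert: scan"   >> "$log"
    rc_a=0;  stateful_check "$log" "$a" "LOGIN FAILURE" >/dev/null || rc_a=$?
    rc_b=0;  stateful_check "$log" "$b" "attackalert"   >/dev/null || rc_b=$?
    rc_a2=0; stateful_check "$log" "$a" "LOGIN FAILURE" >/dev/null || rc_a2=$?
    rm -rf "$dir"
    echo "$rc_a $rc_b $rc_a2"
}

demo unique   # both services alert once, then the repeated check is OK
demo shared   # the second service's match is silently lost
```

With a shared state file the first service's run consumes the new lines, so the port scan entry never raises an alert; the repeated check returning OK is why a retry cannot reproduce a CRITICAL.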