DX Unified Infrastructure Management


 Create a regular expression for logmon probe

Miller Echagarreta posted Jun 15, 2021 06:51 PM
Hi dear community.

I need to monitor a line in logs with the logmon probe, but the challenge is to read the line and generate the alarm when this line is not present.

The logs contain this connection state:

Proto  Recv-Q   Send-Q      Local Address               Foreign Address             (state)
-----     ------        ------       ----------------------          ----------------------       -------------
tcp4      0              0             10.29.10.68.32799         172.122.138.55.6503     ESTABLISHED
tcp4      0              0             10.29.10.68.56256         172.122.138.56.6504     ESTABLISHED
tcp4      0              0             10.29.10.68.32810          172.122.138.55.6505     ESTABLISHED

I thought about creating a profile with the command option, but logmon can't be deployed on the device because it is an appliance; it does, however, allow you to export the logs to a server via SFTP.

How do I create an expression that indicates when the connection isn't ESTABLISHED? In the logs the state does not change, the line simply does not appear; for example, if the connection for "10.29.10.68.32799 - 172.122.138.55.6503" is closed, the line does not appear in the logs.

Any idea?
Garin Walsh
It's not exactly clear what your goal is, but to answer part of the question:

To match lines that aren't ESTABLISHED you can use

/^((?!ESTABLISHED).)*$/
Miller Echagarreta
Thanks @Garin Walsh, I tested with this RE /^((?!tcp4\s+0\s+0\s+10\.29\.10\.68\.[0-9]+\s+172\.122\.138\.55\.6503\s+ESTABLISHED).)*$/  but the alarm is generated.

What I need is that when the line (tcp4 0 0 10.29.10.68.32799 172.122.138.55.6503 ESTABLISHED) does not appear in the logs, it generates the alert, because when it does not appear, that indicates the connection is not established.

Normally logmon looks for a pattern that indicates a failure; in this case it is the opposite...
David Michel
When not ESTABLISHED, what's in the log there?
Nothing? Is it possible to reconfigure the host application so it puts something meaningful there that logmon can match on?
Is it just a question of the foreign address being available? If so, perhaps url_response can verify that.
Miller Echagarreta
Hi @David Michel. Because it is a banking core and must comply with regulatory norms, it does not allow any delegated system to reach the ports over the network. In fact, my initial strategy was to use net_connect. For this reason it was exported to a log; now the mission is to monitor it.
Kurt Mairamhof
Hi,
In the IM GUI (not sure about MCS) there is an option under the Watcher rules advanced tab. It is a kind of heartbeat check. It's called 'Match on every run', meaning:
- If the pattern is matched, all is fine
- If not, the alarm in the standard tab definition is raised

When you tick 'Send clear alarm' under the advanced tab, the alarm is cleared on a subsequent run of the profile if the message is seen again.

Guillaume Briere

Hello,

I don't know if the OS is Windows or Linux, but let's say it's Linux.
Could you create a script locally that connects to your remote server and runs: ssh <user>@<server> netstat -ant | grep -i established > /dev/null && echo "yes" || echo "no"

If you can't log in to the server remotely because it's an appliance, just do: grep -i established <remoteserver.log> > /dev/null && echo "yes" || echo "no"

Then, from the watcher tab, you configure a "clear" alarm if you find "yes" and another that generates an alarm if you find "no".

I always find it easier to deal with a "non-existent" string by script than to build the negative regex.
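The script approach suggested above, written out as an added example (this is not code from the thread or from the logmon probe). It checks the exported netstat-style log for the one ESTABLISHED line the original poster cares about and prints "yes" or "no", which a logmon watcher can then match on. Assumptions: the export keeps the BSD-style format shown in the question (tcp4, address and port joined by a dot, ESTABLISHED in the last column), the local port is ephemeral and therefore matched as any number, and the sample log below is constructed from the excerpt in the question.

```shell
#!/bin/sh
# Added example, not from the original thread: report whether the expected
# ESTABLISHED line for one local/foreign pair is present in an exported
# netstat-style log. Prints "yes" when present, "no" when absent, so a
# logmon watcher can alarm on "no" and clear on "yes".

# check_established LOGFILE LOCAL_IP FOREIGN_IP FOREIGN_PORT
# Matches lines of the assumed format, e.g.:
#   tcp4  0  0  10.29.10.68.32799  172.122.138.55.6503  ESTABLISHED
# The local port (32799 here) is ephemeral, so it is matched as [0-9]+.
check_established() {
    logfile=$1; local_ip=$2; foreign_ip=$3; foreign_port=$4
    # Escape the dots in the addresses so they match literally and do not
    # act as regex wildcards.
    l=$(printf '%s' "$local_ip" | sed 's/\./\\./g')
    f=$(printf '%s' "$foreign_ip" | sed 's/\./\\./g')
    pattern="^tcp4[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+${l}\.[0-9]+[[:space:]]+${f}\.${foreign_port}[[:space:]]+ESTABLISHED"
    if grep -Eq "$pattern" "$logfile"; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample export (assumed format, taken from the thread's excerpt).
# Note that the 172.122.138.55.6505 line is deliberately left out.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Proto  Recv-Q   Send-Q      Local Address               Foreign Address             (state)
-----     ------        ------       ----------------------          ----------------------       -------------
tcp4      0              0             10.29.10.68.32799         172.122.138.55.6503     ESTABLISHED
tcp4      0              0             10.29.10.68.56256         172.122.138.56.6504     ESTABLISHED
EOF

check_established "$SAMPLE_LOG" 10.29.10.68 172.122.138.55 6503   # yes
check_established "$SAMPLE_LOG" 10.29.10.68 172.122.138.55 6505   # no: line absent
```

Run the script from a logmon profile that uses the command option against the SFTP-exported file, and configure two watchers: one that raises the alarm on "no" and one that sends the clear on "yes". A negative-lookahead pattern such as the one tried earlier in the thread matches every line that lacks the target, including the header and the other connections, so it fires on every run regardless of whether the wanted line is present; checking for presence and printing a fixed token avoids that.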