for some reason it is not working on network device logs about check_logfiles HOT 10 OPEN

Hello,

i have a similar issue with network devices that sens tabulation in their message and are coded as ^i in final log.
Did you check with cat -A if such special characters are present in the file of your cisco ?

from check_logfiles.

I have no idea of cisco logs. How does the line in the logfile look like?

from check_logfiles.

Here a line displayed with cat -A:
Nov 18 10:55:02 host1 host1[21071]: device Down^ISystem^IDevice^IID: 1326^Ixxx.xxx.xxx.xxx^ITop > France > TLS > host1 > APPLICATION^IBornes AP$

if i made a simple cat i saw tabulations instead of ^i. (not displayed properly here)
Nov 18 10:55:02 host1 host1[21071]: device Down System Device ID: 1326 xxx.xxx.xxx.xxx Top > France > TLS > host1 > APPLICATION Bornes AP

If i echo the line directly in the logfile, the plugins match the line and raised an alarm.
Issue seems coming from syslog-ng interpretation and coding of tabulation

I tried to make a prescript that will make a sed subtitute to replace tab by space on the whole logfile, but plugins in this case read the whole file again, even with noallyoucaneat option activated.

I'm studying option to rework the incoming message directly with syslog to make the substitute when new message is incoming.
Of course if there is a way that plugins deals this by itself, i'm 101% agree :)

from check_logfiles.

from check_logfiles.

unfortunately not, even .* as regex does not match line as soon as this tabulaton appears

from check_logfiles.

Although i moved to check_log3.pl, but i am glad to help solve problems

./check_logfiles --logfile=/var/log/cisco/ciscoRotar12/2021/11/19/ciscoRotar12.log  --criticalpattern="User=Ali" 
OK - no errors or warnings|'default_lines'=5 'default_warnings'=0 'default_criticals'=0 'default_unknowns'=0

cat -A /var/log/cisco/ciscoRotar12/2021/11/19/ciscoRotar12.log

Nov 19 10:23:57 ciscoRotar12/ciscoRotar12 005261: Nov 19 10:23:57.372: %CRYPTO-6-VPN_TUNNEL_STATUS: (Server) Authentication PASSED User=Ali Group=ALI Client_public_addr=184.127.29.10 Server_public_addr=186.157.17.44 $

anything more needed?

from check_logfiles.

For my part, i setup a rule in syslog to substitute tabulations by spaces and plugins works again perfectly.

Majed, when you post your cat -A output, all tabulations are removed and replaced by spaces, did you see anything within your terminal, make a screenshot maybe ;)

from check_logfiles.

well, the only difference between cat and cat -A is the "44 $" i.e a space and $ sign are added in the end
but i think your solution is like buying a kane instead of fixing the disease by adding sulfur powder

from check_logfiles.

Ok nothing strange in your string so...
I found more easy and quicker to add a rewrite rule in syslog than trying to debug the plugins script with its thousand lines of code :)

from check_logfiles.

as wise people say, laziness is half the way to hell, and that is why Microsoft is buggy buggy buggy!

from check_logfiles.