sensu-plugins-logs's Introduction

Sensu Plugins Logs Plugin

Overview

This plugin provides native instrumentation for matching regular expressions in log files or in system logs via journald, and a Sensu handler for logging Sensu events to log files.

Files

  • bin/check-journal.rb
  • bin/check-log.rb
  • bin/handler-logevent.rb
  • bin/handler-show-event-config.rb

check-journal: Checks the systemd journal (journald) for a pattern.

check-log: Checks a log file for a regular expression, skipping lines that have already been read. It stores the number of bytes read and seeks to that position on the next run (instead of making a backup copy of the whole log file).

handler-logevent: Logs the last settings['logevent']['keep'] JSON events in files as settings['logevent']['eventdir']/client/check_name/timestamp.action.

handler-show-event-config: Lists the handler's config and the event it read.

Usage examples

Help

check-journal.rb

Usage: check-journal.rb (options)
    -c, --critical COUNT             Number of matches to consider a critical issue.
    -j "ARGS1 ARGS2 ...",            Pass additional arguments to journalctl, eg: "-u nginx.service"
        --journalctl_args
    -q, --pattern PAT                Pattern to search for
    -s, --since TIMESPEC             Query journal entries on or newer than the specified date/time.
    -v                               Verbose output. Helpful for debugging the plugin.
    -w, --warning COUNT              Number of matches to consider a warning    

handler-logevent.rb

Usage: handler-logevent.rb (options)
        --map-go-event-into-ruby     Enable Sensu Go to Sensu Ruby event mapping. Alternatively set envvar SENSU_MAP_GO_EVENT_INTO_RUBY=1.

Configuration

Sensu Go

Asset registration

Assets are the best way to make use of this plugin. If you're not using an asset, please consider doing so! If you're using sensuctl 5.13 or later, you can use the following command to add the asset:

sensuctl asset add sensu-plugins/sensu-plugins-logs

If you're using an earlier version of sensuctl, you can download the asset definition from this project's Bonsai asset index page.

Asset definition

---
type: Asset
api_version: core/v2
metadata:
  name: sensu-plugins-logs
spec:
  url: https://assets.bonsai.sensu.io/9ba6c6b27b5ca36538de3a13f014718ead3a1215/sensu-plugins-logs_4.0.0_centos_linux_amd64.tar.gz
  sha512: 4e29c549924b5df01c7a8e0ed105659b3e9e81ca5c919548efd03a2ccaaf83d8605130ab80132e93db6f5e25c7acddbd7f6e8c6d185567eb5f73cd420dcc2f06

Check definition

---
type: CheckConfig
spec:
  command: "check-journal.rb"
  handlers: []
  high_flap_threshold: 0
  interval: 10
  low_flap_threshold: 0
  publish: true
  runtime_assets:
  - sensu-plugins/sensu-plugins-logs
  - sensu/sensu-ruby-runtime
  subscriptions:
  - linux

Handler definition

handler-logevent

{
  "logevent": {
    "eventdir": "/var/log/sensu/events",
    "keep": 10
  }
}

Sensu Core

Check definition

{
  "checks": {
    "check-journal": {
      "command": "check-journal.rb",
      "subscribers": ["linux"],
      "interval": 10,
      "refresh": 10,
      "handlers": ["influxdb"]
    }
  }
}

Installation from source

Sensu Go

See the instructions above for asset registration.

Sensu Core

Install and set up plugins on Sensu Core.

Additional notes

Sensu Go Ruby Runtime Assets

The Sensu assets packaged from this repository are built against the Sensu Ruby runtime environment. When using these assets as part of a Sensu Go resource (check, mutator, or handler), make sure to include the corresponding Sensu Ruby Runtime Asset in the list of assets needed by the resource.

Use this plugin with Sensu Go

To use the included handlers with Sensu Go, use the --map-go-event-into-ruby argument or set environment variable SENSU_MAP_GO_EVENT_INTO_RUBY=1.

Make sure the required handler configuration JSON exists under /etc/sensu/conf.d/ or at a path in the colon-separated list of files in the environment variable SENSU_CONFIG_FILES.

Contributing

See CONTRIBUTING.md for information about contributing to this plugin.

sensu-plugins-logs's Issues

Dependabot can't resolve your Ruby dependency files

Dependabot can't resolve your Ruby dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

Bundler::GemNotFound with message: Could not find gem 'kitchen-localhost (~> 0.3)' in any of the gem sources listed in your Gemfile.

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

You can mention @dependabot in the comments below to contact the Dependabot team.

Release 0.0.3

Please release 0.0.3 here on GitHub and on RubyGems...

Documentation lacking

I wonder why all sensu plugins have this common issue in them. Documentation is so lacking. How can a documentation just have 3 lines in it for 4 commands that are provided? How come the options and tricks and tips are just not mentioned? We have to google like crazy to find anything regarding the plugin.

You have 4 files
bin/check-journal.rb
bin/check-log.rb
bin/handler-logevent.rb
bin/handler-show-event-config.rb

And your doc has
{
  "logevent": {
    "eventdir": "/var/log/sensu/events",
    "keep": 10
  }
}

What am I missing, why isn't anyone else complaining? I am sure I am missing something really silly here. I found something useful in an issue, #1

Sorry to sound so frustrated, but all sensu plugins have the EXACT same issue. Each and every one of them. Please correct me if I am wrong here.

check-log.rb clobbers state file

When specifying a directory with -s to store the state file, the check naively assumes that there is only a single check against the given file.

If you are monitoring /var/log/nginx/access.log for instances of http_status=502 and specify -s /tmp, then a state file containing the last scanned line number gets created as /tmp/var/log/nginx/access.log.

The problem comes when you attempt to create a second check, say for instances of http_status=503, and specify the same -s /tmp directory. The two checks will end up clobbering each other's files, and detection of the regex match will be inconsistent and unreliable.

Perhaps the file's contents should contain the check name as well, i.e. /tmp/var/log/nginx/access.log should contain two lines, such as:

check_http_502:80105
check_http_503:79940
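
The per-check state format proposed in this issue, combined with the byte-offset seek the README describes for check-log, as an added Ruby example (not code from check-log.rb or from the issue's author). The names update_offset, scan_new_lines and demo are hypothetical, and the log lines are constructed.

```ruby
require 'fileutils'
require 'tmpdir'

# Hypothetical helper (not check-log.rb's code): the state file holds
# "check_name:byte_offset" lines, the format the issue above proposes.
def update_offset(state_file, check_name)
  FileUtils.mkdir_p(File.dirname(state_file))
  File.open(state_file, File::RDWR | File::CREAT, 0o600) do |f| # owner-only
    f.flock(File::LOCK_EX) # concurrent checks must not drop each other's entry
    offsets = f.each_line.to_h { |l| l.chomp.rpartition(':').values_at(0, 2) }
    offsets[check_name] = yield(offsets.fetch(check_name, '0').to_i)
    f.rewind
    f.truncate(0)
    offsets.each { |name, off| f.puts("#{name}:#{off}") }
  end
end

# Lines matching pattern that were appended since this check's last run.
def scan_new_lines(log_path, pattern, check_name, state_dir)
  matches = []
  state_file = File.join(state_dir, File.expand_path(log_path))
  update_offset(state_file, check_name) do |offset|
    File.open(log_path, 'rb') do |log|
      pos = offset > log.size ? 0 : offset # rotated or truncated: start over
      log.seek(pos)
      log.each_line do |line|
        break unless line.end_with?("\n") # partial line: re-read next run
        matches << line.chomp if line.match?(pattern)
        pos = log.pos
      end
      pos
    end
  end
  matches
end

# Constructed demo: two checks share one log file and one state directory.
def demo
  Dir.mktmpdir do |dir|
    log = File.join(dir, 'access.log')
    state_dir = File.join(dir, 'state')
    File.write(log, "GET / http_status=502\nGET /a http_status=503\n")
    first = scan_new_lines(log, /http_status=502/, 'check_http_502', state_dir)
    File.write(log, "GET /b http_status=502\n", mode: 'a')
    second = scan_new_lines(log, /http_status=503/, 'check_http_503', state_dir)
    [first, second, scan_new_lines(log, /http_status=502/, 'check_http_502', state_dir)]
  end
end
```

With a single shared offset, the third scan in demo would start at the position the 503 check stored and miss the newly appended 502 line.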

Plugin copies the file to /var/cache folder and does its checking

To get this working, I had to add sensu user to the adm group so that I can address /var/log/auth.log. But for some reason I started to get Permission Denied for /var/cache/check-log/.../var/log/auth.log. I had to give chmod 777 access (without -R) to /var/cache/check-log/.../var/log/auth.log to get it to work. Ideally adding sensu user to root group should have done the trick.

Please help me solve this issue without having to do chmod on /var/cache/check-log/.../var/log/auth.log.

Support in log entries with multiple lines

I have a few applications I would like to monitor whose application logs have log entries with multiple lines. I would like for the check-log check to read not only one line but the whole log entry, to match or exclude against the patterns I supplied.

Is this possible?

Dependabot can't resolve your Ruby dependency files

Dependabot can't resolve your Ruby dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

Bundler::GemNotFound with message: Could not find gem 'kitchen-localhost (<= 0.3.0, >= 0.3)' in any of the gem sources listed in your Gemfile.

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

You can mention @dependabot in the comments below to contact the Dependabot team.

A flag to ignore traversing a log file on initial read

First, thank you for the Ruby plugin.

I would like to suggest the capability to ignore the initial search on a log file. This option is important when you are starting to watch an existing log file which in some cases is extremely large in size. The initial read takes a higher than normal amount of CPU and memory to traverse the file. This new option would give check-log.rb the capability to commence monitoring from the last line / end of file position in the file.

I don't understand what the `--crit` and `--warn` flags are supposed to do

I don't know how to interpret "Critical/Warning level if pattern has a group."

It seems like --crit N would only trigger a critical event if the check found N or more matching lines.
It seems like --warn-only --warn N would trigger a warning event if the check found N or more matching lines.

These don't work for me as expected, and don't seem relevant to the code at all. Was there a breaking change in Ruby that's affecting this? I'm using Ruby 2.3.1, and it seems like it's impossible to get into the if m[1] clause at https://github.com/sensu-plugins/sensu-plugins-logs/blob/master/bin/check-log.rb#L192.

If I'm misunderstanding the intended use of --crit and --warn, what are they intended to do?

If my interpretation is correct, I'm happy to submit a PR to update them (it's pretty much ready to go). But I worry that it could be a breaking change for existing implementations.

Update README

Updating the README.md with

  • Basic functionality is documented
  • Examples are documented: At least one per script
  • Has a license
  • Platforms

check_log configuration issues

Hi,

I'm using the check_log to check my logfiles on certain keywords, for example "error". If a new error is written to the log file, sensu gives me an error. After a couple of seconds, the critical error disappears. How should I configure my check in order to check the log file on a word like ERROR and that the error stays as long the error exists in the log file?

My check looks a bit like this:

{
  "checks": {
    "check_log": {
      "command": "/etc/sensu/plugins/check-log.rb -f /opt/test/logs/testDocker.log -q 'ERROR'",
      "interval": 10,
      "subscribers": ["subscriber1"]
    }
  }
}

Thanks in advance

Compatibility with CentOS?

I've installed sensu-plugins-logs as a Sensu Go asset via Bonsai, and I've hit a bit of a snag with running checks on our CentOS systems, namely that they don't pick up the asset.

It looks like this is because the filter expression in the asset definition is checking entity.system.platform for the value 'rhel', but this key contains 'centos' on the systems in question. I've noticed that most of the other plugins we're using are checking entity.system.platform_family, which does contain 'rhel'.

Is this by design because of a compatibility issue, or is this something that could potentially be changed?

Versions of things: CentOS 7.7, Sensu Go 5.18.1, sensu-plugins-logs 4.0.0

Large output returned from the plugin causing sensu server to hang

We encounter an issue when a large number of errors has been written to the log and the --return flag is set: all the matched errors in the log are collected and sent in the response body to the Sensu server. A few times we encountered a very large response that caused the Sensu server to hang.

We might want to implement an option to limit the number of errors in order to avoid large output sent to the sensu server.

New release and new gem

Hi,
When is a new release planned for the plugin? Since the last release on March 12 2016 there have been a couple of fixes made to the plugin.
I install all plugins as gems on my servers, is there some better way to get the latest fixes other than waiting for new gem to be released?

check-journal.rb launches journalctl with embedded library

check-journal.rb launches journalctl with the library path pointing to the embedded library.
So journalctl returns:

journalctl: /var/cache/sensu/sensu-agent/ff3ba13e1a20f89eaac7613fc2c072a8a355918dbaf158b8d1565ebf02d066f3382dde872c1d80002ded762d8a3a860ccce20410b8dedb47b69fd7038e918dde/lib/libcrypt.so.1: version `XCRYPT_2.0' not found (required by /lib/systemd/libsystemd-shared-245.so)
journalctl: /var/cache/sensu/sensu-agent/ff3ba13e1a20f89eaac7613fc2c072a8a355918dbaf158b8d1565ebf02d066f3382dde872c1d80002ded762d8a3a860ccce20410b8dedb47b69fd7038e918dde/lib/libcrypt.so.1: version `XCRYPT_4.4' not found (required by /lib/systemd/libsystemd-shared-245.so)

Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal

A workaround can be to add LD_LIBRARY_PATH= in front of the journalctl cmd
So the command is LD_LIBRARY_PATH= journalctl #{journalctl_args}

Feature Request: Include flag for Context in Check_log.rb

Per user feedback: Having a flag to return number of lines before and/or after from a matching pattern line.

This will give user added context in instances where you have, as an example, a stack trace in the log file and may need the previous 15 lines or so for context.

No File option

I was wondering if we can have a new option for the check-logs.rb plugin, since I'm running into a new issue in my env.
Can we have an option to not alert if the file is not present?

Please let me know
Thank you
Devon
