Skip to main content

Triggering OpenNMS notifications when patterns occur in a log file

A common problem with OpenNMS is how to monitor a log file and trigger alerts when certain conditions are met. Let me clarify with an example: you have this mission critical app that sometimes experiences internal errors. The application keeps running and still responds to requests, but the error will slow down the system and/or delay further processing. Monitoring the process and/or network polling will obviously not be able to detect the issue and the only way is to tail the application log file and look for certain messages.

The problem can usually be solved simply by forwarding the log file to OpenNMS through syslog, but what for logs generated by applications that don't speak syslog or if you don't want to configure syslog forwarding?



Collectd Tail plugin comes to the rescue. Collectd is an interesting monitoring agent which basically can be integrated with anything, even though I think it is primarily used together with Graphite.
Since Collectd does not natively speak any of the protocols supported by OpenNMS integration has to be done some through some sort of scripting.

Solution Overview

I installed Collectd (5.2, custom built rpm, thanks fpm!) on the host running the application and configured collectd to tail the log file and look for lines matching certain patterns. Whenever a line matches, a counter is incremented and if the value exceeds a threshold an external notification script is invoked. In my case I want to be notified of every single occurrence so the threshold condition is: value != 0
The notification script then forks out a call to OpenNMS'own send-event.pl. In OpenNMS I have configured a notification connected to the event UEI which sends out alerts to our support personnel.

Shown below are Collectd configuration file and the notification script. send-event.pl can be simply copied over from the OpenNMS host.


Notes

To accept events from other hosts eventd has to be configured to listen on all ip addresses (by default it binds only to 127.0.0.1). Since this can pose a security risk iptables should be used to restrict access.

The configuration file in the example above instructs Collectd to use standard output for logging and to write values out to a csv file in /tmp: I left them in so that those unfamiliar with Collectd could run collectd in foreground to figure it out, but you should disable both in production.

Comments

Popular posts from this blog

Indexing Apache access logs with ELK (Elasticsearch+Logstash+Kibana)

Who said that grepping Apache logs has to be boring?

The truth is that, as Enteprise applications move to the browser too, Apache access logs are a gold mine, it does not matter what your role is: developer, support or sysadmin. If you are not mining them you are most likely missing out a ton of information and, probably, making the wrong decisions.
ELK (Elasticsearch, Logstash, Kibana) is a terrific, Open Source stack for visually analyzing Apache (or nginx) logs (but also any other timestamped data).

From 0 to ZFS replication in 5m with syncoid

The ZFS filesystem has many features that once you try them you can never go back. One of the lesser known is probably the support for replicating a zfs filesystem by sending the changes over the network with zfs send/receive.
Technically the filesystem changes don't even need to be sent over a network: you could as well dump them on a removable disk, then receive  from the same removable disk.

A not so short guide to ZFS on Linux

Updated Oct 16 2013: shadow copies, memory settings and links for further learning.
Updated Nov 15 2013: shadow copies example, samba tuning.

Unless you've been living under a rock you should have by now heard many stories about how awesome ZFS is and the many ways it can help with saving your bacon.

The downside is that ZFS is not available (natively) for Linux because the CDDL license under which it is released is incompatible with the GPL. Assuming you are not interested in converting to one of the many Illumos distributions or FreeBSD this guide might serve you as a starting point if you are attracted  by ZFS features but are reluctant to try it out on production systems.

Basically in this post I note down both the tought process and the actual commands for implementing a fileserver for a small office. The fileserver will run as a virtual machine in a large ESXi host and use ZFS as the filesystem for shared data.