Unix/Linux LogFile monitoring

  • Question

  • Ok I know this question has been asked before, I've gone all over the place trying to figure this out. I used the information from this link http://technet.microsoft.com/en-us/library/dd789036.aspx

    Now this is just in my test environment,

    I have my server name identified

    I define the log file /var/log/messages

    The filter type is by default “Regular Expression”; I am unable to change this

    The expression I’m testing for is offline

    I run the following command on my linux server to generate a test alert

    echo "Apr 20 17:12:20 drflbead11 nss_wins[3836]: Global parameter windbind offline logon found in service section" >> /var/log/messages

    I look at the messages file on the Linux server using WinSCP, and the file has been updated with the text I provided. But no alarm ever occurs. Not information, warning or critical.

    It so happens that after creating the logfile monitor using the Unix/Linux LogFile Management Pack Template it also generates a rule applied to the server, the alarm condition is critical, so when I put that entry in, it should alert…

    Any help would be greatly appreciated.

     


    Paul Arbogast
    Wednesday, April 20, 2011 8:20 PM

All replies

  • Hi Paul.

    Does your Unix Action Account have read access to the messages log file?


    mats.w | www.opsmode.com
    Thursday, April 21, 2011 8:07 AM
  • Mats, now that you mention it, I logged on as the unix action account and no it does not have the ability to read the file. I'm still learning my way around Linux, what would be the command to do that? And is it possible to give that user the ability to read the whole /var/log folder?

     

    Paul

     


    Paul Arbogast
    Thursday, April 21, 2011 1:24 PM
  • Well I was hoping that was all it was, but still cannot get this thing to generate an alarm.


    Paul Arbogast
    Thursday, April 21, 2011 1:53 PM
  • Well by adding my non-privileged account to the root group, it works fine. I can't say I understand that.


    Paul Arbogast
    Thursday, April 21, 2011 2:42 PM
  • chmod would be the command you need to use, I believe.
    Microsoft Corporation
    • Marked as answer by Nicholas Li Thursday, April 28, 2011 5:42 AM
    Thursday, April 21, 2011 7:00 PM
  • When you did that, you made your account root on that server.  Root can do _anything_ so you elevated the privilege of the non-privileged account, so it is no longer non-privileged.
    Microsoft Corporation
    • Marked as answer by Nicholas Li Thursday, April 28, 2011 5:42 AM
    Thursday, April 21, 2011 7:02 PM
  • Hi,

    Regarding the accounts configurations of monitoring Unix or Linux, please also refer to the following information:

    Monitoring Linux Using SCOM 2007 R2
    http://blogs.technet.com/b/birojitn/archive/2010/01/20/monitoring-linux-using-scom-2007-r2.aspx

    More on Unix Privileged Account vs. Unix Action Account and root-level access context
    http://blogs.msdn.com/b/scxplat/archive/2010/01/12/more-on-unix-privileged-account-vs-unix-action-account-and-root-level-access-context.aspx

    Preparing SCOM for cross platform monitoring
    http://scug.be/blogs/dieter/archive/2011/04/09/preparing-scom-for-cross-platform-monitoring.aspx

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Considering this is related to Cross Platform Solutions for System Center and we have specific forum for this, if you need more information or further investigation about this, it is also recommended that you go to the corresponding forum:

    Cross Platform Solutions for System Center Forum
    http://social.technet.microsoft.com/Forums/en-US/crossplatformgeneral/threads

    Hope this helps.

    Thanks.


    Nicholas Li - MSFT
    • Marked as answer by Nicholas Li Thursday, April 28, 2011 5:42 AM
    Friday, April 22, 2011 6:13 AM
  • Yes, so any monitoring of the /var/messages log should be done using the privileged runas account (which is part of the root group).
    Bob Cornelissen - BICTT (My BICTT Blog)
    Friday, April 22, 2011 7:48 AM
  • That's one way certainly.  The other is to use any run-as account you feel like and do the right "chmod" operations on the resources involved.  Chmod lets you adjust which users can touch what (on unix) - it's different than the DOS command which only changes global read/write.

    Root is the most expedient, but your server admins might not be comfortable with the monitoring system (and thus the monitoring team) having total control in all respects of their computers.


    Microsoft Corporation
    Saturday, April 23, 2011 3:54 PM
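
The chmod route from the last reply, as an added example that is not part of the original thread: it grants group read on the log instead of putting the action account in the root group, then checks readability, root-group membership and the "offline" expression. The group name logread is hypothetical, and the script works on a constructed copy of the log in a temp directory so it runs without root.

```shell
#!/bin/sh
# Added example, not from the thread. Works on a constructed log file in a temp
# directory; on a real host the file would be /var/log/messages and the group a
# dedicated one (hypothetical name: logread) that contains the action account.

# mode_of FILE: octal permission bits (GNU/busybox stat, then BSD stat).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# grant_group_read FILE GROUP: readable by GROUP, no access for others.
grant_group_read() { chgrp "$2" "$1" && chmod 640 "$1"; }

# in_gid GID [USER]: succeeds if USER (default: current user) belongs to GID.
# "in_gid 0 USER" flags an account that was put into the root group.
in_gid() { id -G ${2:+"$2"} | tr ' ' '\n' | grep -qx -- "$1"; }

# can_read FILE: succeeds if the current account can read FILE. Run it as the
# action account to see what the monitoring agent sees.
can_read() { [ -r "$1" ]; }

# count_matches FILE REGEX: lines the monitor's regular expression would hit.
count_matches() { grep -Ec -- "$2" "$1"; }

demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/messages"
    # Constructed sample; the second line is the test entry from the question.
    printf '%s\n' \
        'Apr 20 17:12:01 drflbead11 crond[3101]: (root) CMD (run-parts /etc/cron.hourly)' \
        'Apr 20 17:12:20 drflbead11 nss_wins[3836]: Global parameter windbind offline logon found in service section' \
        > "$log"
    chmod 600 "$log"                      # owner-only: the failing starting point
    before=$(mode_of "$log")
    grant_group_read "$log" "$(id -g)"    # current primary GID stands in for logread
    after=$(mode_of "$log")
    can_read "$log" && readable=yes || readable=no
    in_gid 0 && rootgrp=yes || rootgrp=no
    echo "mode $before -> $after, readable: $readable, in root group: $rootgrp," \
         "matches for 'offline': $(count_matches "$log" 'offline')"
    rm -rf "$dir"
}
demo
```

On a host that rotates the log with logrotate, a `create 0640 root logread` directive (same hypothetical group) keeps the grant in place on the newly created file.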