Monitoring /var/adm/messages

Hello to all,
we are developing a system for monitoring servers through reading the /var/adm/messages file.
Since there are numerous messages in this file, we are wondering what regular expressions to use in order to extract serious/critical alerts from it.
Does anybody have a set of regular expressions to search for in this file for serious/critical events?
Thanks in advance.
Dejan

Hi ,
You can try to play whit /etc/syslog.conf . In this way you can made a filter for emergency and critical problem and redirect it to a specific file .
For example , the following line will redirect all the the emargency and critical message to /var/adm/message.critical
*.emerg;*.crit;* /var/adm/message.critical
I hope this help to develop your tool
xavier

Similar Messages

  • Email notification of warning messages generated in /var/adm/messages

    I'm using 'mdmonitord' to periodically check the status of my disks in RAID 1 (using Solaris Volume Management). If/when a problem occurs the errors/warnings will be logged to the /var/adm/messages file. What do I need to configure/enable to monitor /var/adm/messages for particular WARNING messages and to notify me via email?
    A similar utility on Linux is Logwatch: http://www2.logwatch.org:81/index.html

  • Different msgid shown in /var/adm/message as opposed to command line.

    I've been trying to investigate how the message ID in the /var/adm/messages alarms differs from the msgid output on the command line, but have not been successful.
    The test I have done is as follows:
    logger -p local0.error -t TEST "Test Alarm for message ID"
    The output I get in /var/adm/messages is :
    May 3 14:00:28 hostname TEST: [ID 702911 local0.error] Test Alarm for message ID
    However, when I compare the ID generated with /usr/sbin/msgid, the ID seems to be different.
    bash-3.00# echo "Test Alarm for message ID" | msgid
    231001 Test Alarm for message ID
    As you can see, the ID generated is different. Because of this, it's causing some issues on the alarm monitoring system and everything seems to fall under ID 702911. Does anyone know how I can solve this problem?
    Thanks in advance.

    The source code for logger is available:
    http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/logger/logger.c
    You could try fixing it... Looking at the syslog() calls it clearly has "%s" as one of the options. I guess you could find another piece of source code that makes syslog() calls and figure out what construct "should" be there.

  • Sun logs: /var/adm/messages vs. /var/svc/log/*

    On Solaris 10, is /var/adm/messages still the "gold standard" for startup and shutdown log messages, or have the critical logs moved to /var/svc/log/$service_name?
    It's not like I can't look in one or the other, but I'm trying to gauge the relative importance of the two.
    Is there another location that I'm overlooking?

    aaron.m wrote:
    On Solaris 10, is /var/adm/messages still the "gold standard" for startup and shutdown log messages, or have the critical logs moved to /var/svc/log/$service_name?

    Depends on what you mean by "startup" messages. There are two types I can think of.
    During boot the kernel might generate a few messages about drivers and buffers and stuff. This is stored in a kernel buffer that is visible when you type 'dmesg'. When syslog starts up, it dumps the contents into the messages file so you have a static copy. I don't think this behavior changes between Solaris 9 and Solaris 10.
    For the actual startup "scripts" (SMF, /etc/init.d, /etc/rc?), Solaris 9 and earlier didn't have any sort of capture location. It was common for scripts to print to STDOUT/STDERR, and that would be delivered to the console only. Since many of the scripts are running before filesystems are mounted read/write, it didn't try to save the output.
    Now with SMF, it does more work to capture that output and you can find that in the service log files that you mention.
    So none of the logs have really moved, but you now have more logs than you did before.
    Darren

  • SSH Error in the /var/adm/messages

    Dears
    I have an error that appears many times in the system messages file:
    sshd[5437]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
    I disabled telnet and use SSH to connect to the system. I don't have any problems SSHing into my system, but I always notice this error in /var/adm/messages. Does anyone know what this error is and why it is generated?
    thanks

    Dear All, I am also having the same problems.
    No1: My server T1000 is having this problem.
    The server was installed with jumpstart.
    Connection to 172.16.14.52 closed by foreign host.
    # ssh 172.16.14.52
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    69:15:c9:67:86:a4:43:95:9e:7d:d6:70:78:ea:46:cb.
    Please contact your system administrator.
    Add correct host key in /.ssh/known_hosts to get rid of this message.
    Offending key in /.ssh/known_hosts:3
    RSA host key for 172.16.14.52 has changed and you have requested strict checking.
    Host key verification failed
    No2: sshd[4070]: [ID 800047 auth.crit] fatal: Read from socket failed:Connection reset by peer
    Can anybody help me?

  • /var/adm/messages regopen warning

    Hello,
    I am observing a warning message in the /var/adm/messages
    file of my Solaris 2.8 machine after I have run my application
    for several hours (under a load). The resulting behavior is that
    my application no longer responds to external requests and essentially
    appears to hang.
    The warning is the following:
    Aug 23 16:44:07 eas1nc2 reg: [ID 286125 kern.warning] WARNING: regopen: failed, attempted to open > 1000 streams
    Does anyone have any ideas as to what could be causing this,
    as well as possible resolutions?
    Thanks in advance!!
    Brad

    Hello,
    Take a look at /etc/syslog.conf. I think that by default this file should contain two entries that make the system log into /var/adm/messages. Are these entries there?
    Bye,
    Joseba M. Iturbe

  • Scsi messages in /var/adm/messages file

    Hi,
    After opening /var/adm/messages I see the following SCSI error messages:
    Jul 8 15:45:13 kapttdw2 Corrupt label; wrong magic number
    Jul 8 15:45:13 kapttdw2 scsi: [ID 107833 kern.warning] WARNING: /ssm@0,0/pci@1a,600000/SUNW,qlc@1/fp@0,0/ssd@w5006048452a65588,2 (ssd129):
    Jul 8 15:45:13 kapttdw2 Corrupt label; wrong magic number
    Jul 8 15:45:13 kapttdw2 scsi: [ID 107833 kern.warning] WARNING: /ssm@0,0/pci@1a,600000/SUNW,qlc@1/fp@0,0/ssd@w5006048452a65588,2 (ssd129):
    Jul 8 15:45:13 kapttdw2 Corrupt label; wrong magic number
    Jul 8 15:45:13 kapttdw2 scsi: [ID 107833 kern.warning] WARNING: /ssm@0,0/pci@1a,600000/SUNW,qlc@1/fp@0,0/ssd@w5006048452a65588,2 (ssd129):
    Jul 8 15:45:13 kapttdw2 Corrupt label; wrong magic number
    Jul 8 15:45:13 kapttdw2 scsi: [ID 107833 kern.warning] WARNING: /ssm@0,0/pci@1a,600000/SUNW,qlc@1/fp@0,0/ssd@w5006048452a65588,2 (ssd129):
    Jul 8 15:45:13 kapttdw2 Corrupt label; wrong magic number
    Jul 8 15:45:13 kapttdw2 scsi: [ID 107833 kern.warning] WARNING: /ssm@0,0/pci@1a,600000/SUNW,qlc@1/fp@0,0/ssd@w5006048452a65588,2 (ssd129):
    Jul 8 15:45:13 kapttdw2 Corrupt label; wrong magic number
    Jul 8 15:45:13 kapttdw2 scsi: [ID 107833 kern.warning] WARNING: /ssm@0,0/pci@1a,600000/SUNW,qlc@1/fp@0,0/ssd@w5006048452a65588,2 (ssd129):
    Jul 8 15:45:13 kapttdw2 Corrupt label; wrong magic number
    bash-2.05$
    Please help me to correct this error.
    Thanks

    This issue on hostname `kapttdw2` seems to be the same as you reported in your other thread for hostname `kapttdw1`.
    http://forums.sun.com/thread.jspa?threadID=5391935
    Perhaps you just need to label these disks (as you were advised for those other disks).
    Also, since these drives are in an EMC peripheral, you might consider opening a support case with that storage vendor and get advice from them.

  • /var/adm/messages file not updating

    Hi All!
    Can you please help? I'm new to Solaris, and I've got a problem: ever since I did "> messages" inside the /var/adm/ directory, the messages file does not update anymore.
    I've done ps -ef | grep syslogd, and the daemon is running. So please, can you help?
    regards
    F.R.

    Make sure /var/adm/message is writable by root only (chmod 600) and restart syslogd (svcadm restart system-log)

  • Getting lot of errors like :0x408 in /var/adm/messages file in Solaris 10

    Hi,
    Can anyone help me regarding the following errors being found in the /var/adm/messages file:
    Nov 24 03:36:07 x9ce1 :0x408
    Nov 24 03:36:07 x9ce1 dtcp: [ID 702911 kern.notice] WARNING GW (dtcp_klib.c,198) (53449,33458) (0xac120fd5,0xac126503)
    Nov 24 03:36:07 x9ce1 dtcp: [ID 702911 kern.notice] WARNING PS (ps_udp.c,415) Error ps_do_DB_PS_Udp_Placement
    Nov 24 03:36:07 x9ce1 :0x408
    Nov 24 03:56:06 x9ce1 :0x408
    Nov 24 03:56:06 x9ce1 dtcp: [ID 702911 kern.notice] WARNING GW (dtcp_klib.c,198) (55961,33458) (0xac120fd5,0xac126503)
    Nov 24 03:56:06 x9ce1 dtcp: [ID 702911 kern.notice] WARNING PS (ps_udp.c,415) Error ps_do_DB_PS_Udp_Placement
    Nov 24 03:56:06 x9ce1 :0x408
    The frequency of this error is very high and I wanted to find out what could be the reason behind its occurrence?
    Thanks.
    Any useful comments will be most welcome :)
    Jahan

    Check /etc/init.d/dtcp; I guess it would be copyrighted to Fujitsu-Siemens if it's the Fujitsu dtcp. You can also do a pkginfo -l SMAWdtcp, which seems to be the name of the Fujitsu package. Hmm, odd name for a Fujitsu package.
    Actually I found the following Fujitsu bug:
    A0559315 Fix flood of messages like dml_send DB_PS_Udp_Con_Remove_List failed
    - caused by trying to send the message to a node that is down.
    .. which seems rather familiar.
    It's fixed with Fujitsu patch 901199-08.
    Other Fujitsu DTCP patches are
    901191-08 and 901244-01
    Note that to get Fujitsu patches you need a special account; once you have an account you can download them from http://patches.ts.fujitsu.com/

  • Finding Errors in /var/adm/messages file

    Hi,
    I am new to UNIX admin. I am going to write a script that sends a mail to root if there are any errors in the /var/adm/messages file.
    Can any one please send useful links or sample script file?
    Thanks
    Ramesh

    http://www.sunfreeware.com/indexsparc9.html
    Look for the logsurfer+-1.7-sol9-sparc-local.gz package (there's one for Solaris 8 and Solaris 10, too). Also, you can search on http://www.sun.com/bigadmin/home/index.html
    for these types of scripts.
    John
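    The kind of filter Dejan asks for at the top of the page and Ramesh asks for just above, as an added example (not code from any poster here): it classifies /var/adm/messages lines by the facility.priority that Solaris syslogd stamps into the "[ID msgid fac.pri]" tag, instead of grepping for words like WARNING or keying on msgid. The sample lines are constructed from messages quoted in these threads, and the "err" threshold is an assumed default.

```python
"""Filter /var/adm/messages by the syslog priority tag, not by msgid or keyword."""
import re
from collections import Counter
# RFC 3164 priority codes (lower = more severe) plus the spellings Solaris uses.
SEVERITY = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
            "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}
# Solaris syslogd format: "Mon DD HH:MM:SS host source[pid]: [ID msgid fac.pri] text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<source>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"\[ID (?P<msgid>\d+) (?P<facility>[a-z0-9]+)\.(?P<priority>[a-z]+)\] (?P<text>.*)$")

def parse_line(line):
    """Fields of one tagged line, or None for untagged lines such as the
    'Corrupt label; wrong magic number' continuations or ':0x408'."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def is_serious(event, threshold="err"):
    """True when priority is at least as severe as `threshold`. Decide on the
    priority: msgid 702911 is shared by unrelated "%s" messages (logger, dtcp)."""
    pri = SEVERITY.get(event["priority"])
    return pri is not None and pri <= SEVERITY[threshold]

def extract_alerts(lines, threshold="err"):
    """Return (serious events, unparsed lines); unparsed lines are kept so an
    unfamiliar format is never silently dropped by the monitor."""
    alerts, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line.rstrip("\n"))
        elif is_serious(ev, threshold):
            alerts.append(ev)
    return alerts, unparsed

def dedupe(alerts):
    """Count repeats of (source, msgid, text): one notification, not a mail storm."""
    return Counter((a["source"], a["msgid"], a["text"]) for a in alerts)

# Constructed sample, modeled on lines quoted in the threads on this page.
SAMPLE = """\
May  3 14:00:28 hostname TEST: [ID 702911 local0.error] Test Alarm for message ID
Jul  8 15:45:13 kapttdw2 scsi: [ID 107833 kern.warning] WARNING: /ssm@0,0/pci@1a,600000/SUNW,qlc@1/fp@0,0/ssd@w5006048452a65588,2 (ssd129):
Jul  8 15:45:13 kapttdw2 Corrupt label; wrong magic number
Nov 24 03:36:07 x9ce1 :0x408
Nov 24 03:36:07 x9ce1 dtcp: [ID 702911 kern.notice] WARNING PS (ps_udp.c,415) Error ps_do_DB_PS_Udp_Placement
Mar 15 13:33:39 dxb01-sol-tfs in.routed[135]: [ID 798604 daemon.error] empty response from 10.1.251.4
May  3 14:05:11 hostname sshd[5437]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
May  3 14:05:19 hostname sshd[4070]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
"""

if __name__ == "__main__":
    alerts, unparsed = extract_alerts(SAMPLE.splitlines())
    for (src, msgid, text), n in sorted(dedupe(alerts).items()):
        print(f"{n:3d}x {src} [ID {msgid}] {text}")
    print(f"{len(unparsed)} untagged line(s) need a human look")
```

    Note that the dtcp line carries the word WARNING but is logged at kern.notice, so a keyword grep would page on it while the priority filter correctly leaves it out.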

  • /var/adm/messages error

    Hi All,
    New to solaris
    I am getting the following error in the solaris 5.9 /var/adm/messages file.
    Mar 15 13:33:39 dxb01-sol-tfs in.routed[135]: [ID 798604 daemon.error] empty response from 10.1.251.4
    Is this any telnet related error or anything serious? Please advise
    Any help appreciated
    Rgds
    Najmal

    The first thing that you have to do is to snoop 10.1.251.4 to see the traffic between localhost and that IP address.

    Hi,
    Thanks very much for the response.
    I have tried snoop and it gives the following message. What does this mean? Please help
    10.1.251.4 -> 10.1.255.255 RIP R (0 destinations)
    Rgds

  • Cmn_err doesn't log to /var/adm/messages

    HI,
    I am trying cmn_err to log my messages using different error levels. But it is not logging messages to the /var/adm/messages file, and it is not printing on the console either. I have tried different options like ! ^ etc., but all efforts proved futile. Can anyone help me?
    - Mayur Talati

    We had a problem on one system similar to yours.
    It turned out that the problem was caused by someone
    removing /usr/ccs/bin/m4 in order to favor a locally
    installed version of m4 in /usr/local/bin. The problem is,
    the syslog daemon needs to find m4 when it starts
    and apparently it must be in /usr/ccs/bin/m4.
    Check if you have /usr/ccs/bin/m4 on your system and
    look in /var/adm/messages for any syslogd startup errors.

  • Syslogd not posting to /var/adm/messages

    Syslogd starts ok but will not send anything to /var/adm/messages. I did remove the existing zero value file and stopped and restarted syslog and it created a new messages file but will not populate it. All the rest of the logs appears to be populating correctly.
    Contents of syslogd.conf is standard:
    #ident  "@(#)syslog.conf        1.5     98/12/14 SMI"   /* SunOS 5.0 */
    # Copyright (c) 1991-1998 by Sun Microsystems, Inc.
    # All rights reserved.
    # syslog configuration file.
    # This file is processed by m4 so be careful to quote (`') names
    # that match m4 reserved words.  Also, within ifdef's, arguments
    # containing commas must be quoted.
    *.err;kern.notice;auth.notice                   /dev/sysmsg
    *.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
    *.alert;kern.err;daemon.err                     operator
    *.alert;local1.none     root
    *.emerg                                         *
    # if a non-loghost machine chooses to have authentication messages
    # sent to the loghost machine, un-comment out the following line:
    #auth.notice                    ifdef(`LOGHOST', /var/log/authlog, @loghost)
    mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)
    # non-loghost machines will use the following lines to cause "user"
    # log messages to be logged locally.
    ifdef(`LOGHOST', ,
    user.err                                        /dev/sysmsg
    user.err                                        /var/adm/messages
    user.alert                                      `root, operator'
    user.emerg                                      *
    local1.debug            /usr/tmp/TAMAR_LOG

    I noticed the following on the console during bootup:
    syslogd: line 12: unknown priority name "notice /dev/sysmsg"
    syslogd: line 13: unknown priority name "crit /var/adm/messages"
    syslogd: line 15: unknown priority name "err operator"
    syslogd: line 16: unknown priority name "none root"
    syslogd: line 18: unknown priority name "emerg *"
    syslogd: line 24: unknown priority name "debug /var/log/syslog"
    syslogd: line 31: unknown priority name "debug /usr/tmp/TAMAR_LOG"
    /etc/default/syslogd has no uncommented line in the file.
    At a loss on this one. Any ideas/suggestions

    I found the solution to this problem. Turns out for reasons unknown to me the whitespace in the syslog.conf file got converted from tabs to spaces. As soon as I made all the white space tabs everything started working.. Go figure.

  • Why /var/adm/messages stopped being written while syslogd is running

    /var/adm/messages stopped being written to recently. We are running Solaris 2.6. I noticed this happened after newsyslog rotated the messages file. In newsyslog, there is a line at the end: kill -HUP `cat /etc/syslog.pid`. And syslogd is running. When I use logger to test, the test message is written to /var/adm/messages.
    Can anyone give me a clue for this? Any help will be appreciated!
    Thanks!
    Hong

    Could it be you need this Patch ? :
    Patch-ID# 106439-12
    Synopsis: SunOS 5.6: /usr/sbin/syslogd patch

  • /var/adm/messages tells mysterious things

    This is what my messages says:
    Feb 3 08:43:58 [xxx.xxx.xxx.xxx.7.120] 5971: 30w2d: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
    Feb 3 08:43:58 [xxx.xxx.xxx.xxx.7.120] 5972: 30w2d: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
    Feb 3 08:44:25 [xxx.xxx.xxx.xxx.7.120] 5973: 30w2d: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
    Feb 3 08:44:26 [xxx.xxx.xxx.xxx.7.120] 5975: 30w2d: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
    Feb 3 08:44:51 [xxx.xxx.xxx.xxx.7.120] 5976: 30w2d: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
    Feb 3 08:44:52 [xxx.xxx.xxx.xxx.7.120] 5978: 30w2d: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
    Does anyone know why it does so?

    It looks like you are receiving syslog messages from a Cisco router with a BRI interface. Apparently the interface is having problems in addition. You could remove the config in the router that sends the messages to you ( no logging host xxx.xxx.xxx.xxx) or just modify the syslogd.conf file to send the messages to a file other than /var/adm/messages.
    ChrisV
