itologmon

Version 1.3.1
Date 8 October 2001
Author Paul Gear <citecpdg@citec.qld.gov.au>, <paulgear@bigfoot.com>

Copyright (c) 2000-2001, CITEC


This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public License for more details.

You should have received a copy of the GNU Library General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA, or go to <http://www.gnu.org/copyleft/lgpl.html> on the World Wide Web.


Introduction

Itologmon is an alternative log file monitor for use with HP OpenView IT/Operations (now VantagePoint Operations, formerly Operations Center - hereafter ITO).  It provides a mechanism for sending log file data to ITO via the opcmsg(3) API instead of the HP-supplied log file encapsulator (opcle).

The Reason for Itologmon

The sole reason for itologmon's existence is to work around a design limitation in ITO, namely that multiple templates cannot be used to monitor a single log file in conjunction with the use of the 'Forward Unmatched' facility.  If such a configuration were used, the log file template that is set to forward unmatched messages to the server would forward all messages that are not matched by that specific template, resulting in an unmatched message for every message that was configured in another template (in addition to any message conditions that are configured for such messages).  Some template types are not subject to this limitation, namely opcmsg(3), SNMP traps, and MPE console messages.

Thus, by sending log file data to ITO via the opcmsg(3) API, we can monitor log files from multiple templates and still use the 'Forward Unmatched' option to capture unmatched messages.  At CITEC, we separate log file conditions into individual templates for each application: ftpd has one template, sshd another, inetd another, named another, and so on.  Since all of these write their messages using syslog(3), on most OSes they all appear in the one log file (on HP-UX /var/adm/syslog/syslog.log).  If we used opcle, these conditions would all have to be mixed in together in the same template.  By using itologmon, we can use separate application templates and mix and match them on hosts as required.

Itologmon can be used instead of, or in conjunction with, opcle, the default ITO log file monitor.

How It Works

Itologmon works by reading data from log files in a manner similar to 'tail -f' and passing the data to the opcmsg(3) API.  It can detect when a file has been appended to, truncated, or deleted and recreated (thus it works happily with log file rotation utilities such as Red Hat Linux's logrotate).  Itologmon has been designed to be conservative in the way it monitors log files, and a design decision was made to sacrifice performance for safety.

Itologmon saves a state file which indicates the last position in each file that it has read to, along with a copy of the file's stat(2) buffer.  This enables it to track changes to files, even if it has been shut down for some time (this is not recommended, but is possible due to the design of itologmon).
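
The comparison described above, between a saved stat(2) buffer plus read position and the file's current stat(2) buffer, can be sketched as follows.  This is an added example, not itologmon's own source; every type and function name in it is hypothetical and the sample stat buffers are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* All names here are hypothetical; this is not itologmon's source. */
enum log_change { LOG_UNCHANGED, LOG_APPENDED, LOG_TRUNCATED, LOG_REPLACED, LOG_MISSING };

struct log_state {
    struct stat st;  /* copy of the stat(2) buffer from the last read */
    off_t offset;    /* last position read to */
};

/* now == NULL means stat(2) on the path failed because the file is gone. */
enum log_change classify(const struct log_state *saved, const struct stat *now)
{
    if (now == NULL) return LOG_MISSING;
    if (now->st_dev != saved->st.st_dev || now->st_ino != saved->st.st_ino)
        return LOG_REPLACED;                 /* deleted and recreated (rotation) */
    if (now->st_size < saved->offset) return LOG_TRUNCATED;  /* shorter than offset */
    return now->st_size > saved->offset ? LOG_APPENDED : LOG_UNCHANGED;
}

/* Refresh the saved state and return the offset to resume reading from.
   The caller advances saved->offset after it has read the new data. */
off_t resume_offset(struct log_state *saved, const struct stat *now)
{
    enum log_change c = classify(saved, now);
    if (c == LOG_MISSING) return saved->offset;  /* keep state until it reappears */
    if (c == LOG_TRUNCATED || c == LOG_REPLACED)
        saved->offset = 0;                   /* old offset is meaningless: start over */
    saved->st = *now;
    return saved->offset;
}

/* Constructed sample stat buffer (device 1) for the demonstration. */
struct stat sample_stat(ino_t ino, off_t size)
{
    struct stat s;
    memset(&s, 0, sizeof s);
    s.st_dev = 1; s.st_ino = ino; s.st_size = size;
    return s;
}

int main(void)
{
    struct log_state saved;
    struct stat rotated = sample_stat(43, 120);  /* new inode after rotation */
    saved.st = sample_stat(42, 500);
    saved.offset = 500;
    printf("change=%d\n", classify(&saved, &rotated));
    printf("resume=%ld\n", (long)resume_offset(&saved, &rotated));
    return 0;
}
```

Resetting the offset to zero on truncation or replacement is what keeps a monitor from seeking past the end of a rotated file and silently missing the messages written to the new one.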

Disadvantages Of Using Itologmon

The reason for itologmon's existence is very specific, and if it is not a requirement of your ITO installation that this functionality be available, you may not want to use itologmon, as it has some drawbacks:

Now What?

Obtain the Software

You can download itologmon from its SourceForge project page.

Build & Install the Software

See the file INSTALL for instructions on compiling and installing itologmon.  If you are upgrading from an older version, see the file CHANGES for information about recent changes to the software.  Install the software on each client system that requires it (i.e. those with ITO agents).

Template Setup

For those log files which you wish to monitor with itologmon, set up opcmsg(3) templates in ITO and assign them to the nodes you have installed it on.  Itologmon sends the name of the source log file as the opcmsg(3) object name, so if you want to match on a specific log file location, you need to set this field in each template condition.  Otherwise, just leave it blank, and your condition will match regardless of which file it came from.  In our implementation here at CITEC, we have used the specific file name only in the suppress unmatched conditions at the top of some of our templates.

It is recommended that you allocate a dedicated template for capturing unmatched messages.  To do this, create an empty template and turn on the 'Forward to Server' option in the 'Unmatched Messages' section.

If you also create an 'Unmatched' message group in the message group bank and set this as the default message group for that template, then all unmatched messages can be filtered by message group.

Configuration

There is no configuration file per se for itologmon.  Simply call it with a list of files to monitor.  The supplied init script provides a simple mechanism to do this by using an external configuration file.

Ensure that itologmon's own log file (/var/log/itologmon.log by default) is not specified as a file to monitor (this can create logging loops when there are ITO agent problems).  Itologmon will automatically send all errors in its own log file to ITO.  The local log file is provided for tracing and debugging purposes in the event that there are ITO problems.

Reporting Problems

If you experience problems with itologmon, use the link at the top of this page to email the author a copy of the itologmon log file with full debugging and tracing enabled, along with the following additional information:

Please read the file BUGS before emailing a problem report to ensure that you are not reporting a known issue.

Make Your Contribution!

Please email any patches in 'diff -u' format.  See TODO for a list of tasks that could be done in the future.

Version History

1.2.0 Initial public release.
1.2.1 Makefile updated to enable compiling on Solaris.
1.3.0 Unreleased development version using a slightly different algorithm for tailing files that (unsuccessfully) attempted to work around HP-UX kernel stat buffer bug.
1.3.1 Reversion to previous tailing algorithm due to failure of previous attempts to work around it.  We're stuck with this bug until HP fix it.  :-(