3 File Watcher
This chapter covers the following topics:
The File Watcher module monitors a list of files for additions, deletions, and modifications. If changes are detected, it builds events and displays them in a table. It provides default capabilities for some of the popular files, such as passwd, vfstab, and so on.
You can add, remove, or edit entries in this default list. To add a new file, you must define the record format of the file being monitored. In the case of a record addition event, a record deletion event, or a record modification event, you have to also specify the file-specific severities of the alarms to be generated.
Note - The purpose of the File Watcher module is to monitor files that are not modified frequently, so that a notification is useful when a change occurs. Therefore, the module should only be used to monitor system files that are not expected to change frequently, for example, the passwd file.
To Access the File Watcher or the File Watch Module
1. Load the File Watch module.
For instructions on how to load a module, refer to the Sun Management Center 3.0 User's Guide.
2. Double-click Local Applications in the Navigator window.
3. Double-click on File Watch in the Navigator window.
4. Double-click on the File Watcher option.
The Viewer displays the File Watch icon in the Viewer window.
5. Double-click on the File Watch icon in the Viewer window.
Sun Management Center displays the following File Watch tables:
On the right side of each table title, File Watch lists the associated alarm counts.
The Watched File Table is used to monitor the existence of files. The Change Table is used to monitor the changes in existing files.
File changes can only be noticed once the file has been detected as existing. This means that if a file does not exist at first and the module later detects it as existing with a size bigger than 0, the records already in the file are not reported. For example, when a file has two records already, the module will not be able to notice those two records. However, the module will notice all future modifications.
FIGURE 3-1 displays the File Watcher tables.
This table is initialized with seven system files through filewch.dat:
The Watched File Table lists all the files being monitored by the module. It displays some of the more commonly used attributes at the top level and other hidden attributes in a lower level. For more information on hidden attributes, refer to To Access Hidden Attributes.
The Watched File Table displays information about each file and provides the data on the following.
To Access Hidden Attributes
1. Select a row.
2. Right-click and select Edit Row.
Sun Management Center displays the Row Editor with all the attributes displayed in the Watched File Table, and those that are hidden.
The following attributes are hidden and can be accessed by right-clicking on any row and selecting Edit Row. You will see the Row Editor.
TABLE 3-2 Row Editor

| Field | Description |
|---|---|
| Delimiter | Delimiter between columns. |
| Comment char | Type of the char that delimits a comment line. |
| Number of fields | Number of fields in each file entry. |
| Num key field | Number of fields composing the key. The key is assumed to be at the beginning of the record. A key is an identifier for the record. For example, in the passwd file, the key for each record is the first field: user name. It is unique for each record. |
| Field names | Names of the different columns in the file entries. |
| Hide values flag | One of the following values: FALSE = Display the value that changed; TRUE = Do not display |
| Addition Severity | Possible values: Info, Warning, Error, None. |
| Deletion Severity | Possible values: Info, Warning, Error, None. |
| Change Severity | Possible values: Info, Warning, Error, None. |
| Record Format | Format of the record. Refer to Validation Script for more information. |
During a refresh, if the module detects that the timestamp of a file has changed, the validation script associated with the file, if provided, will be executed. The exit code of the last execution will be displayed in Exit Code. When a new value is given to the script field, the module checks if the path given is a valid file. If it is not, the Exit Code field will display NO_SUCH_SCRIPT. (The field could also display "killed" in the event that the validation script running was killed. In this case, specify regular expressions on which to generate alarms for Exit Code.)
You can place your own scripts in /var/opt/SUNWsymon/SysMgmtPack/filewch/scripts or use the fileparse binary installed with the module.
Fileparse
The default list of files has a value set for Validation Script and Record Format. For example, for /etc/hosts:
fileparse is a C binary located in:
/var/opt/SUNWsymon/SysMgmtPack/filewch/scripts/
It accepts four arguments: delimiter, comment, record format, filename. Its usage is:
./fileparse -d index -c index -f record_format -n input_filename
The binary parses an input file against the file format specified as parameters, and reports an error if the file contents do not conform to the input file format. Blank lines and comment lines are skipped. The default comment is "NULL", which means there is no comment. The binary returns the following values:
0: Success.
1: Cannot open file.
2: record_format is not correct.
3: input_file's format is not correct.
-1: Program error, such as not enough memory.
-2: Argument error.
Fileparse Arguments
fileparse accepts four parameters. The module will provide the correct values as arguments when fileparse is invoked.
% fileparse -d index -c index -f record_format -n input_filename
where
-d index: Specifies the delimiter index.
-c index: Specifies the comment index.
-f record_format: Specifies the grammar expression, where the grammar expression supports 4 kinds of operation on datatypes.
The datatypes supported are:
datatype = {STRING, INT, IPADDRESS, ZERO_STRING, CONST}
where
STRING: The string cannot be empty.
ZERO_STRING: The string can be empty or not empty.
CONST: The field value must match.
A constant string can be declared by enclosing it in double quotes. For example:
"+" | "-" | STRING STRING
Syntax of record format:
The operators available are:
operator = | , [], *
where
| Means "or". For example: line-format = "+" | "-" | STRING STRING
[] Means optional. For example: line-format = STRING [STRING|IPADDRESS]
* Means zero or multiple repetition of one datatype. For example: line-format = IPADDRESS STRING STRING*
For example, the record format to validate /etc/passwd is:
STRING STRING INT INT ZERO_STRING STRING ZERO_STRING | "+" | "-"
The precedence of the operators is:
[] , | , *
The File Change Table monitors files and displays their record additions, deletions, or modifications.
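The record additions, deletions, and modifications reported here depend on the Num key field and Hide values flag attributes from TABLE 3-2 and on the first-detection caveat described earlier. The following added Python example illustrates that behavior; it is not the module's own code, and the function names, event tuple layout, field names, severity assignments, and sample records are assumptions constructed for the illustration.

```python
from itertools import zip_longest


def index_records(text, delim, num_key, comment=None):
    """Map each record's key (its first num_key fields) to its other fields."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or (comment and line.startswith(comment)):
            continue
        fields = line.split(delim)
        records[tuple(fields[:num_key])] = fields[num_key:]
    return records


def change_events(baseline, current, delim, num_key, names, sev, hide=False):
    """Return (severity, kind, key, detail) tuples for one refresh.

    baseline=None models the refresh in which the file is first detected:
    the records already in it become the baseline and raise no events.
    """
    if baseline is None:
        return []
    old = index_records(baseline, delim, num_key)
    new = index_records(current, delim, num_key)
    events = [(sev["add"], "add", k, "") for k in sorted(new.keys() - old.keys())]
    events += [(sev["delete"], "delete", k, "")
               for k in sorted(old.keys() - new.keys())]
    for k in sorted(old.keys() & new.keys()):
        diffs = [(n or "?", a, b) for n, a, b in
                 zip_longest(names[num_key:], old[k], new[k], fillvalue="")
                 if a != b]
        if diffs:
            # With the hide-values flag set, report only which field changed.
            detail = ", ".join(n if hide else f"{n}: {a} -> {b}"
                               for n, a, b in diffs)
            events.append((sev["change"], "change", k, detail))
    return events


# Constructed sample data: two snapshots of a passwd-style file.
NAMES = ["user", "passwd", "uid", "gid", "gecos", "home", "shell"]
SEVERITY = {"add": "Warning", "delete": "Info", "change": "Error"}
BEFORE = "root:x:0:1:Super-User:/:/sbin/sh\ndaemon:x:1:1::/:\n"
AFTER = "root:x:0:1:Super-User:/:/bin/bash\neve:x:0:1::/home/eve:/bin/sh\n"

if __name__ == "__main__":
    for event in change_events(BEFORE, AFTER, ":", 1, NAMES, SEVERITY):
        print(event)
```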
The File Change Table displays information about each file and provides the data on the following.
Commands are available at the following levels:
To Add a New File to the List of Files to Be Monitored
1. Right-click over the header or any selected row in the table to access the pull-down menu commands.
2. Select Add Row.
3. Add a row to add a file.
To Modify or Edit a Row
1. Select the row where the file name is present.
2. Right-click and select Edit Row.
3. Modify the path name and the definition of the record format of the file.
4. Click OK.
To Delete a Row
1. Select the row where the file name is present.
2. Right-click and select Delete Row.
3. Remove a file from the list of files to be monitored.
Note - If you remove a file from the list of files to be watched, the events that have already been detected for that file will not be automatically removed from the events log and will continue to be displayed in the File Changes Table. To clear the File Change Table, issue the Dump events to log command.
To Dump Events to a Log
1. Right-click anywhere in the row.
2. Select Dump events to log.
3. Delete the corresponding events by moving events.log to events_<timestamp>.log in the log directory.
The Probe Viewer then provides the location of the log file to which events.log was moved.