You define the messages you want Big Brother to report on by adding entries to the etc/bb-msgstab file. Since the message test is performed by the Big Brother client software, you must make your entries in the file on the client host, not the server host. You can have a separate file on each client with just the definitions for that client; however, to ensure consistency and make maintenance easier, we recommend you have a single file with message definitions for all clients, which you distribute to all hosts which run the UNIX client. The format of each line of the file is:
hostname: filename(s) : misc settings : yellow string(s) : red string(s) : strings to ignore
Hostname is the name of the host to use this rule for. If you enter localhost as the host name, this rule will be used on any client where the file exists. You can also use the * wildcard for part or all of the host name to have the same line apply to multiple hosts. You can also leave the hostname out entirely; this is equivalent to a localhost entry.
Filename(s) is the full path to one or more files where Big Brother will check for messages.
Misc settings is reserved for possible future use. Leave it blank in all cases. Be sure to enter two colons after the filenames, as shown in the example below.
Yellow string(s): One or more strings which will cause a yellow status if found in a message.
Red string(s): One or more strings which will cause a red status if found in a message.
Strings to ignore: If a message includes a string listed here, it will not cause a yellow or red status, even if it also includes one of the yellow or red strings. For example, you could use this to exclude error or warning messages which deal with specific areas you do not want reported.
In all fields except hostname, you can make multiple entries; separate the entries with a semicolon (;).
The client uses the entries in this order:
Strings listed on any line for localhost or with no host name are looked for on all hosts.
If there are one or more lines with a hostname matching the current host, it looks for the strings on those lines in addition to the localhost or blank host strings.
If there are no localhost or blank host lines, and no lines with a name matching the current host, it uses the default MSGS, PAGEMSGS, and IGNMSGS values from bbdef-client.sh. Otherwise, these settings have no effect.
This means the strings listed in the localhost or blank host lines are reported for all hosts, whether there is also a separate line for that host or not. If there is a line for a specific host, the strings on it are also reported on.
You can include multiple lines for one host; this lets you use different settings for different files on the same host.
Here are two examples (each is a single line in the file):
www.bb4.com: /var/log/messages : : WARNING : NOTICE : not this message ; and this one either
www1.bb4.com: /var/log/maillog : : refused : ERROR ; error ; BAD SU : from www.bb4.com
Use the etc/bb-msgstab.DIST file as a starting point; copy it to etc/bb-msgstab and modify as desired.
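The following is an added example (not Big Brother's own client code) showing how the rule precedence described above plays out: it parses bb-msgstab lines, selects the localhost/blank lines plus any host lines matching the current host (with * wildcards), and classifies sample log lines as green, yellow or red. The sample table is constructed from the two example lines above plus a localhost line and a wildcard line; it assumes an ignore string only suppresses matches from its own rule line.

```python
import fnmatch
# Constructed sample bb-msgstab: the page's two example lines, plus a localhost
# line and a '*' wildcard line added here for illustration.
MSGSTAB = """\
localhost: /var/log/messages : : WARNING : PANIC :
*.bb4.com: /var/log/secure : : authentication failure : :
www.bb4.com: /var/log/messages : : WARNING : NOTICE : not this message ; and this one either
www1.bb4.com: /var/log/maillog : : refused : ERROR ; error ; BAD SU : from www.bb4.com
"""

def split_list(field):
    """Every field except hostname may hold several entries separated by ';'."""
    return [s.strip() for s in field.split(";") if s.strip()]

def parse_msgstab(text):
    """Parse bb-msgstab lines into rule dicts; blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split(":")]
        if len(fields) == 5:                 # hostname left out == localhost
            fields.insert(0, "localhost")
        if len(fields) != 6:
            raise ValueError(f"expected 6 colon-separated fields: {raw!r}")
        host, files, _misc, yellow, red, ignore = fields
        rules.append({"host": host or "localhost", "files": split_list(files),
                      "yellow": split_list(yellow), "red": split_list(red),
                      "ignore": split_list(ignore)})
    return rules

def rules_for_host(rules, hostname):
    """localhost/blank lines apply everywhere; host lines ('*' allowed) add to them."""
    return [r for r in rules
            if r["host"] == "localhost" or fnmatch.fnmatchcase(hostname, r["host"])]

def check_file(rules, hostname, filename, lines):
    """Return 'red', 'yellow' or 'green' for the lines of one log file."""
    worst = "green"
    for rule in rules_for_host(rules, hostname):
        if filename not in rule["files"]:
            continue
        for line in lines:
            if any(s in line for s in rule["ignore"]):
                continue                     # assumption: ignore is per rule line
            if any(s in line for s in rule["red"]):
                return "red"
            if any(s in line for s in rule["yellow"]):
                worst = "yellow"
    return worst
```

Note that a line suppressed by the www.bb4.com ignore strings can still turn the dot yellow through the localhost line, which is exactly the "reported for all hosts" behaviour described above.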
Tip. You can reset the colored dot from red or yellow to green by removing the corresponding tmp/MSG.red.* or tmp/MSG.yellow.* file. Those files contain previous error messages; they are removed when they expire.
Note. The log files you specify are checked to make sure they are readable and not empty. The empty test is done because attackers sometimes link log files to /dev/null. However, on some systems, the logs are left empty when they are rotated. If this is your case, you have two choices:
Add this command to your log rotation procedure, immediately after the rotation, so the message files are never left empty:
echo "`date`" >> <message file(s)>
You can also use a syslogd feature to add a line to each message file.
Disable the zero-length check by setting the CHKMSGLEN variable in bbdef-client.sh to FALSE. In most cases, we recommend you do not do this. Security is too important to ignore. Instead, echo data to the message file or use syslogd features as described above. You may also want to install a log scanner to analyze your message file(s).