[sysmon-help] Symon www object response parser

James T. Moore jtmoore at international-auto.com
Tue Jul 8 00:18:09 EDT 2003

The text string we are testing for is always there unless an application, service, server
or network error occurs and I have verified that no error is not occuring. The only difference
is now that the string is embeded in a very long text line rather than a short line. The parser
seems to choke on the long line periodically. 

  ----- Original Message ----- 
  From: Jack Sasportas 
  To: J.T. Moore 
  Cc: sysmon-help at puck.nether.net 
  Sent: Monday, July 07, 2003 10:38 PM
  Subject: Re: [sysmon-help] Symon www object response parser

  I would provide hidden text, meaning if your web page has a white background put in something that WON'T change on that page in a white font.  I use things like server names to make sure apache is running on that server etc.  Also make sure it's not a series of words that may get broken up by browser per say, try something like TEST-WORD. 

  Not sure if that really solves the problem, but that text will always be there.


  J.T. Moore wrote:

I have a question regarding how sysmon parses the response to
a www probe. We recently added some code to strip unnecessary
tabs and crlf's from the dynamic content generated on our web site.
Since then sysmon has been periodically reporting false positive
failures for the www probe monitoring the site. 

What is odd is that the failures are intermittent rather than persistent.
The text that was being searched for is towards the end of the document,
but not at the very end. I have verifyed that the text string is present in
the document as it is in the sysmon.conf file and the web logs indicates
response status 200 for all of the hits from sysmon which occur approximately
once per minute which is the sysmon poll interval.

I changed the text the probe was searching for to "</body></html>" 
which is at the very end of the document which seems to have fixed 
the problem.

We are currently using sysmon v0.91.12

Any ideas/insights are appreciated.


Sysmon-help mailing list
Sysmon-help at puck.nether.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://puck.nether.net/pipermail/sysmon-help/attachments/20030707/9c417e30/attachment.htm

More information about the Sysmon-help mailing list