mk_sap: Add exclude_paths option to skip monitoring objects#939
Open
Simon0Harms wants to merge 1 commit into
Open
mk_sap: Add exclude_paths option to skip monitoring objects#939Simon0Harms wants to merge 1 commit into
Simon0Harms wants to merge 1 commit into
Conversation
The monitor_paths option of the mk_sap agent plugin is a pure allow list. When using wildcard patterns there is no way to skip single unwanted monitoring objects below a matched subtree, e.g. the alert container of a client which only holds purely technical number range objects (like ALAUTOUID) that roll over by design and produce permanent noise once they pass their warning threshold. The only workarounds are to enumerate all wanted sibling nodes explicitly (losing auto-discovery of new nodes) or to disable the alert in the SAP system itself. Introduce an exclude_paths option which uses the same unix shell pattern syntax as monitor_paths. A path matching any exclude pattern is skipped, even if it matches one of the monitor_paths patterns. Exclude rules are always matched against the full path and are intentionally not shortened to the first two segments during toplevel matching: shortening a rule which targets a single subtree node would exclude the whole monitor. A rule matching the toplevel path itself still skips the whole monitor and saves the RFC calls for its tree. Since path segments are built from the 40 character SAP field MTNAMESHRT, long node names arrive truncated and patterns have to match the truncated name. This is documented in the sample config. The option defaults to an empty list, existing configurations are not affected.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
General information
This concerns the
mk_sapagent plugin (cmk/plugins/sap/agents/mk_sap.py),which collects monitoring data from SAP R/3 / S/4HANA systems via RFC calls
against the SAP CCMS monitoring infrastructure (RZ20 monitor trees). Which
parts of the CCMS tree are collected is controlled by the
monitor_pathsoption in
/etc/check_mk/sap.cfg, a list of unix shell patterns matchedagainst the full path of each monitoring object.
Setup where this came up: S/4HANA system monitored via
mk_sapwithThe "Critical Number Ranges" monitor warns before SAP number ranges run
full — valuable for business objects, since a number range overflow stops
production. However, the same subtree also contains alert containers for
purely technical number ranges such as
ALAUTOUID(package SMOI, UIDs forCCMS data suppliers). This number range is rolling by design with a
warning threshold of 25% remaining, so it periodically produces WARN
alerts that cannot be acted upon — permanent noise in the resulting
logwatch service.
Proposed changes
What is the expected behavior?
It should be possible to use a wildcard
monitor_pathsrule (to keepautomatic pickup of new nodes, which is important for number range
monitoring where new critical objects appear dynamically) while skipping
individual known-noisy objects below it.
What is the observed behavior?
monitor_pathsis a pure allow list; there is no exclude mechanism. Theonly workarounds are to enumerate all wanted sibling nodes explicitly
(losing auto-discovery) or to disable alert generation in the SAP system
itself (RZ20/RZ21), which affects all CCMS consumers, not just Checkmk.
In what way does the patch change the current behavior?
It introduces an
exclude_pathsoption (default: empty list) using thesame unix shell pattern syntax as
monitor_paths. A path matching anyexclude pattern is skipped, even if it matches a
monitor_pathspattern.Configurations that do not set
exclude_pathskeep the exact previousbehavior — all pre-existing unit tests pass unchanged.
Design note on toplevel matching: When deciding whether a whole monitor
tree is fetched via RFC,
monitor_pathsrules are shortened to theirfirst two path segments. Exclude rules are intentionally not
shortened and are always matched against the full path: shortening a rule
which targets a single subtree node would exclude the whole monitor
instead of just the node. A rule matching the toplevel path itself still
skips the whole monitor and saves the RFC calls for its tree.
Documentation note: Path segments are built from the 40 character SAP
field
MTNAMESHRT, so long node names arrive truncated (e.g.Client 000 Alert Messages for Number Ran) and patterns have to matchthe truncated name. The sample config documents this, including a pointer
to the debug output line in the plugin for verifying exact paths.
Example configuration (from the updated sample config
agents/sap/sap.cfg):Unit tests:
tests/unit/cmk/plugins/sap/agents/test_mk_sap.pygains a parametrizedtest for
to_be_monitored()with 7 cases. The cases covering the newbehavior fail without the patch; the cases covering the unchanged default
behavior pass before and after. Covered: exclude precedence over a
matching monitor rule, sibling nodes (other clients) staying monitored,
subtree excludes not skipping the whole monitor during toplevel matching,
and toplevel excludes skipping the whole monitor. Additionally verified
manually that config loading via
sap.cfg(exclude_paths += [...])works with the existing
exec()mechanism and correctly filters thenode on a live system.
Is this a new problem? What made you submit this PR?
Not new — a structural limitation of the allow-list-only filtering. It
became relevant while curating
monitor_pathsfor an S/4HANA system,where the CCMS number range monitor is genuinely valuable but the
rolling technical number range
ALAUTOUIDpermanently sits above itswarning threshold and turns the service into noise.