Syslog scanning (Red Hat Topics, August 2005)

Steve Baker 2005-08-17, 5:48 pm
We have a load of machines spitting out various concoctions of message to a
central syslog server. The messages generally contain something about
severity, such as "error" or "warning" or "info", etc. The problem is, how
bad an issue a particular "warning" or "error" really is depends on some
complex rules. The rules are typically "this is only bad if it's happened
XXX times in the last XXX minutes" or "this is bad if it's happened together
with something else" or "this is bad if something else has happened just
before it". Also, some error or warning conditions can be ignored: "this
isn't a worry if it takes this particular form or contains this string".
So, in order to scan the syslog sensibly and trigger alarms, we need some
kind of syslog scanner which is very smart and can do this complex rule
stuff. There are lots of log scanners around, but there doesn't seem to be
anything which addresses this type of need.
Can anyone recommend anything? What are the rest of you using in large-scale
Linux installations?
Thanks,
Steve
(Linux RHEL3, by the way, not that it should make a difference)
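
The four rule shapes in the post (a count within a window, two things together, one thing just before another, and "ignore it if it contains this string") are what a small stateful correlator does, and they are easier to see in code than in prose. The following is an added example written for this page; it is not code from the thread, from logwatch, or from any other tool. The rule names, patterns, hostnames, PIDs, addresses and log lines are all constructed for illustration, and the parser assumes the classic year-less syslog line layout ("Mon DD HH:MM:SS host prog[pid]: message").

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(  # assumed classic syslog layout, no year in the timestamp
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

def parse_line(line, year=2005):
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # junk or unexpected layout: skip rather than raise
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "prog": m.group("prog"), "msg": m.group("msg")}

# Hypothetical rule set: names and patterns are made up for the example, not from any real tool.
RULES = [
    # "this isn't a worry if it contains this string"
    {"name": "ntp-jitter", "type": "suppress", "match": r"warning: .*clock jitter"},
    # "only bad if it's happened N times in the last M minutes" (counted per host)
    {"name": "ssh-bruteforce", "type": "threshold",
     "match": r"Authentication failure", "count": 3, "window": 60},
    # "bad if something else has happened just before it"
    {"name": "disk-then-oom", "type": "sequence",
     "first": r"I/O error", "then": r"Out of Memory", "window": 300},
    # "bad if it's happened together with something else" (either order)
    {"name": "raid-and-fs", "type": "pair",
     "a": r"md: .*degraded", "b": r"EXT3-fs error", "window": 600},
]

class Correlator:
    def __init__(self, rules):
        self.rules = [dict(r) for r in rules]
        for r in self.rules:  # compile the patterns once, up front
            for k in ("match", "first", "then", "a", "b"):
                if k in r:
                    r[k] = re.compile(r[k])
        self.hits = defaultdict(deque)  # (rule, host) -> timestamps still inside the window
        self.seen = {}                  # (rule, host, slot) -> timestamp of the last match
        self.alerts = []
    def _alert(self, r, ev, why):
        self.alerts.append({"rule": r["name"], "host": ev["host"], "ts": ev["ts"], "why": why})
    def feed(self, ev):
        msg, host, ts = ev["msg"], ev["host"], ev["ts"]
        # Suppression wins over everything else, whatever order the rules are listed in.
        if any(r["type"] == "suppress" and r["match"].search(msg) for r in self.rules):
            return
        for r in self.rules:
            win = timedelta(seconds=r.get("window", 0))
            key = (r["name"], host)
            if r["type"] == "threshold" and r["match"].search(msg):
                q = self.hits[key]
                q.append(ts)
                while q and ts - q[0] > win:  # drop hits that have fallen out of the window
                    q.popleft()
                if len(q) >= r["count"]:
                    self._alert(r, ev, "%d hits within %ds" % (len(q), r["window"]))
                    q.clear()  # one alert per burst, then start counting afresh
            elif r["type"] == "sequence":
                if r["first"].search(msg):
                    self.seen[key + ("first",)] = ts
                elif r["then"].search(msg):
                    t0 = self.seen.pop(key + ("first",), None)
                    if t0 is not None and ts - t0 <= win:
                        self._alert(r, ev, "preceded by first event at %s" % t0.time())
            elif r["type"] == "pair":
                slot = "a" if r["a"].search(msg) else "b" if r["b"].search(msg) else None
                if slot:
                    self.seen[key + (slot,)] = ts
                    t1 = self.seen.get(key + ("b" if slot == "a" else "a",))
                    if t1 is not None and abs(ts - t1) <= win:
                        self._alert(r, ev, "both halves within %ds" % r["window"])
                        for s in ("a", "b"):
                            self.seen.pop(key + (s,), None)

def scan(text, rules=RULES):
    """Run the rule set over a block of syslog text; returns the alerts raised, in order."""
    c = Correlator(rules)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            c.feed(ev)
    return c.alerts

# Constructed sample lines: hosts, PIDs and addresses are invented for the example.
SAMPLE_LOG = """\
Aug 17 15:40:01 web1 sshd[2345]: error: PAM: Authentication failure for root from 10.0.0.5
Aug 17 15:40:07 web1 sshd[2345]: error: PAM: Authentication failure for root from 10.0.0.5
Aug 17 15:40:12 web1 sshd[2345]: error: PAM: Authentication failure for root from 10.0.0.5
Aug 17 15:41:00 db1 kernel: end_request: I/O error, dev sda, sector 123456
Aug 17 15:43:30 db1 kernel: Out of Memory: Killed process 4321 (mysqld).
Aug 17 15:45:00 app2 ntpd[911]: warning: clock jitter exceeds tolerance
Aug 17 15:45:10 app2 kernel: md: md0 degraded, 1 of 2 devices active
Aug 17 15:50:00 app2 kernel: EXT3-fs error (device md0): ext3_find_entry: reading directory
Aug 17 16:10:00 web2 sshd[999]: error: PAM: Authentication failure for bob from 10.0.0.9
Aug 17 16:20:00 web2 sshd[999]: error: PAM: Authentication failure for bob from 10.0.0.9
Aug 17 16:30:00 web2 sshd[999]: error: PAM: Authentication failure for bob from 10.0.0.9
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ts"].time(), a["host"], a["rule"], "-", a["why"])
```

On the constructed sample, web1 fires the threshold rule (three failures in eleven seconds), db1 fires the sequence rule (the OOM kill 150 seconds after an I/O error), app2 fires the pair rule (degraded RAID and an EXT3 error within ten minutes) while its ntpd warning is suppressed, and web2 stays quiet because its three failures are spread over twenty minutes, outside the 60-second window. Two design points carry over to any real deployment: state is keyed per host so one noisy box cannot satisfy a rule for another, and state is cleared when a rule fires so a sustained burst raises one alert rather than one per line. In production the loop would tail the central syslog file and hand each alert to the monitoring system instead of collecting them in a list.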

Jean-David Beyer 2005-08-17, 5:48 pm
Steve Baker wrote:
> We have a load of machines spitting out various concoctions of message to a
> central syslog server. The messages generally contain something about
> severity, such as "error" or "warning" or "info", etc. The problem is, how
> bad an issue a particular "warning" or "error" really is depends on some
> complex rules. The rules are typically "this is only bad if it's happened
> XXX times in the last XXX minutes" or "this is bad if it's happened together
> with something else" or "this is bad if something else has happened just
> before it". Also, some error or warning conditions can be ignored "this
> isn't a worry if it takes this particular form or contains this string".
>
> So, in order to scan the syslog sensibly and trigger alarms, we need some
> kind of syslog scanner which is very smart and can do this complex rule
> stuff. There are lots of log scanners around, but there doesn't seem to be
> anything which addressed this type of need.
>
> Can anyone recommend anything? What are the rest of you using in large-scale
> Linux installations?
>
> Thanks,
>
> Steve
>
> (Linux RHEL3, by the way, not that it should make a difference)
>
>
You could reconfigure logwatch to print your stuff as well as what it does
by default. Config files are in /etc/log.d/scripts.
man logwatch
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key: 9A2FC99A Registered Machine 241939.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 15:40:01 up 63 days, 9:34, 4 users, load average: 4.31, 4.27, 4.19

Steve Baker 2005-08-18, 5:48 pm
"Jean-David Beyer" <jdbeyer@exit109.com> wrote in message
news:11g74vmhe0frpb0@corp.supernews.com...
> Steve Baker wrote:
> You could reconfigure logwatch to print your stuff as well as what it does
> by default. Config files are in /etc/log.d/scripts.
>
> man logwatch
Print it?? We actually need it to raise alerts in our monitoring systems. I
don't think logwatch is quite smart enough to handle that kind of rule-set.
Steve