Re: Syslog scanning

From: Steve Baker (steve.baker_at_notthis-jakata.net)
Date: 08/18/05

  • Next message: usenet_at_sta.samsung.com: "POSIX signal handling versus traditional signal handling"
    Date: Thu, 18 Aug 2005 14:56:13 +0100
    
    

    "Jean-David Beyer" <jdbeyer@exit109.com> wrote in message
    news:11g74vmhe0frpb0@corp.supernews.com...
    > Steve Baker wrote:
    >> We have a load of machines spitting out various concoctions of message to a
    >> central syslog server. The messages generally contain something about
    >> severity, such as "error" or "warning" or "info", etc. The problem is, how
    >> bad an issue a particular "warning" or "error" really is depends on some
    >> complex rules. The rules are typically "this is only bad if it's happened
    >> XXX times in the last XXX minutes" or "this is bad if it's happened together
    >> with something else" or "this is bad if something else has happened just
    >> before it". Also, some error or warning conditions can be ignored "this
    >> isn't a worry if it takes this particular form or contains this string".
    >>
    >> So, in order to scan the syslog sensibly and trigger alarms, we need some
    >> kind of syslog scanner which is very smart and can do this complex rule
    >> stuff. There are lots of log scanners around, but there doesn't seem to be
    >> anything which addressed this type of need.
    >>
    >> Can anyone recommend anything? What are the rest of you using in large-scale
    >> Linux installations?
    >>
    >> Thanks,
    >>
    >> Steve
    >>
    >> (Linux RHEL3, by the way, not that it should make a difference)
    >>
    >>
    > You could reconfigure logwatch to print your stuff as well as what it does
    > by default. Config files are in /etc/log.d/scripts.
    >
    > man logwatch

    Print it?? We actually need it to raise alerts in our monitoring systems. I
    don't think logwatch is quite smart enough to handle that kind of rule-set.

    Steve
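
The four rule shapes in Steve's quoted question (a count over a time window, a sequence of "X then Y", two things happening together, and a suppression pattern for harmless noise) are exactly what a stateless pattern-matching scanner cannot express. The block below is an added example, not code from this thread or from logwatch: a minimal stateful correlator that implements those four rule types and runs them over a handful of constructed RHEL3-style syslog lines. The rule names, hostnames, addresses and messages are all made up for the example.

```python
"""Small stateful syslog correlator for the four rule shapes in the question:
threshold ("N times in T minutes"), sequence ("X happened just before it"),
co-occurrence ("together with something else") and suppression ("ignore it if
it contains this string"). Added example; not code from the thread or any tool."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic BSD syslog line as sysklogd writes it: "Aug 18 14:56:13 host prog[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line, year=2005):
    """Parse one BSD syslog line into a dict, or return None for junk.
    BSD timestamps carry no year, so the caller supplies one (the constructed
    sample below is dated 2005, the year of this thread)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


class Correlator:
    """Keeps a per-(rule, host) window of recent timestamps. Each rule fires
    once per burst and then resets, so one incident is not one alert per line."""

    def __init__(self, rules):
        self.rules = rules
        self.seen = defaultdict(deque)  # (rule name, host, slot) -> timestamps
        self.suppress = [re.compile(p) for p in rules.get("suppress", [])]

    def _window(self, key, now, width):
        q = self.seen[key]
        while q and now - q[0] > width:  # drop entries older than the window
            q.popleft()
        return q

    def feed(self, ev):
        """Consume one parsed event; return a list of (ts, rule, host) alerts."""
        alerts = []
        if ev is None:
            return alerts
        msg, host, now = ev["msg"], ev["host"], ev["ts"]
        # Suppression first: known-harmless "errors" never reach the other rules.
        if any(r.search(msg) for r in self.suppress):
            return alerts
        # Threshold: only bad if it happened `count` times inside `window`.
        for r in self.rules.get("threshold", []):
            if re.search(r["match"], msg):
                q = self._window((r["name"], host, 0), now, r["window"])
                q.append(now)
                if len(q) >= r["count"]:
                    alerts.append((now, r["name"], host))
                    q.clear()
        # Sequence: bad if `first` was seen shortly before `then`.
        for r in self.rules.get("sequence", []):
            if re.search(r["first"], msg):
                self.seen[(r["name"], host, 0)].append(now)
            if re.search(r["then"], msg):
                q = self._window((r["name"], host, 0), now, r["window"])
                if q:
                    alerts.append((now, r["name"], host))
                    q.clear()
        # Co-occurrence: bad if `a` and `b` both appear inside `window`, any order.
        for r in self.rules.get("together", []):
            for slot, pat in enumerate((r["a"], r["b"])):
                if re.search(pat, msg):
                    self.seen[(r["name"], host, slot)].append(now)
            qa = self._window((r["name"], host, 0), now, r["window"])
            qb = self._window((r["name"], host, 1), now, r["window"])
            if qa and qb:
                alerts.append((now, r["name"], host))
                qa.clear()
                qb.clear()
        return alerts


def scan(lines, rules, year=2005):
    """Run every line through one Correlator and collect the alerts in order."""
    c = Correlator(rules)
    alerts = []
    for line in lines:
        alerts.extend(c.feed(parse_line(line, year)))
    return alerts


# Hypothetical rule set; names must be unique because they key the state.
RULES = {
    "suppress": [r"warning: job \S+ exceeded expected runtime"],
    "threshold": [{"name": "ssh-bruteforce", "match": r"authentication failure",
                   "count": 3, "window": timedelta(minutes=5)}],
    "sequence": [{"name": "bruteforce-then-login", "first": r"authentication failure",
                  "then": r"Accepted password", "window": timedelta(minutes=10)}],
    "together": [{"name": "disk-failing", "a": r"temperature high",
                  "b": r"I/O error", "window": timedelta(minutes=15)}],
}

# Constructed sample lines (not real logs); hosts, pids and addresses are made up.
SAMPLE_LINES = [
    "Aug 18 14:50:01 web1 crond[811]: warning: job backup.sh exceeded expected runtime",
    "Aug 18 14:55:10 web1 sshd[1201]: error: authentication failure for root from 10.0.0.5",
    "Aug 18 14:55:40 web1 sshd[1202]: error: authentication failure for root from 10.0.0.5",
    "Aug 18 14:56:13 web1 sshd[1203]: error: authentication failure for root from 10.0.0.5",
    "Aug 18 14:57:02 web1 sshd[1204]: info: Accepted password for root from 10.0.0.5",
    "Aug 18 15:10:00 db1 kernel: warning: disk sda temperature high",
    "Aug 18 15:12:30 db1 raid[301]: error: sda: I/O error, sector 12345",
    "Aug 18 16:30:00 web1 sshd[1300]: error: authentication failure for root from 10.0.0.9",
]

if __name__ == "__main__":
    for ts, rule, host in scan(SAMPLE_LINES, RULES):
        print(f"{ts:%H:%M:%S} ALERT {rule} on {host}")
```

Run as-is it raises three alerts: the third authentication failure on web1 trips the threshold, the subsequent accepted login trips the sequence rule, and the temperature warning followed by the I/O error on db1 trips the co-occurrence rule; the cron warning is dropped by suppression and the lone failure at 16:30 never reaches the threshold. Two caveats for a real central syslog server: the windows are keyed per host, so a distributed brute force against many hosts needs a rule keyed on the source address instead, and because state lives in memory the engine must consume lines in timestamp order from one long-running process rather than from a periodic batch job. The same four primitives (and more, such as timeouts that fire when an expected event does not arrive) are what purpose-built correlators like SEC (Simple Event Correlator) provide on top of syslog.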

