Syslog scanning - Redhat



Thread: Syslog scanning

  1. Syslog scanning

    We have a load of machines spitting out various concoctions of message to a
    central syslog server. The messages generally contain something about
    severity, such as "error" or "warning" or "info", etc. The problem is, how
    bad an issue a particular "warning" or "error" really is depends on some
    complex rules. The rules are typically "this is only bad if it's happened
    XXX times in the last XXX minutes" or "this is bad if it's happened together
    with something else" or "this is bad if something else has happened just
    before it". Also, some error or warning conditions can be ignored "this
    isn't a worry if it takes this particular form or contains this string".

    So, in order to scan the syslog sensibly and trigger alarms, we need some
    kind of syslog scanner which is very smart and can do this complex rule
    stuff. There are lots of log scanners around, but there doesn't seem to be
    anything which addressed this type of need.

    Can anyone recommend anything? What are the rest of you using in large-scale
    Linux installations?

    Thanks,

    Steve

    (Linux RHEL3, by the way, not that it should make a difference)
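An added example, not part of Steve's post or of any tool named in this thread: a small Python scanner that implements the rule shapes he lists (an error repeated N times in a window, an error that follows another event shortly before it, and suppression when the message contains a given string) over constructed syslog lines; the hosts, programs and thresholds are assumptions.

```python
# Added example (not from the thread): a minimal rule engine for the rule
# shapes Steve describes: count-in-window, "just before" (co-occurrence is the
# same check with a window-sized gap), and suppression by string.
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines in classic syslog format (hypothetical hosts/services).
SAMPLE = """\
Mar 10 12:00:01 web1 sshd[100]: error: PAM: Authentication failure for bob
Mar 10 12:00:05 web1 sshd[101]: error: PAM: Authentication failure for bob
Mar 10 12:00:09 web1 sshd[102]: error: PAM: Authentication failure for bob
Mar 10 12:01:00 db1 kernel: warning: nfs: server nas1 not responding
Mar 10 12:01:02 db1 mysqld[200]: error: Can't open file /var/lib/mysql/x.ibd
Mar 10 12:05:00 web1 cron[300]: info: harmless warning about missing lock file
"""
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")

def parse(text, year=2024):
    """Yield (timestamp, host, program, message); syslog lines carry no year."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def scan(text, threshold=3, window=timedelta(minutes=5), before=timedelta(seconds=10)):
    """Return alert strings; each rule is an explicit check, not a regex soup."""
    alerts, recent = [], deque()        # recent: events still inside `window`
    ignore = re.compile(r"harmless")    # suppression: "not a worry if it contains this"
    for ts, host, prog, msg in parse(text):
        if ignore.search(msg):
            continue
        recent.append((ts, host, prog, msg))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        # Rule 1: same host+program error seen `threshold` times within `window`.
        hits = [r for r in recent if r[1] == host and r[2] == prog and "error" in r[3]]
        if "error" in msg and len(hits) == threshold:
            alerts.append(f"{host}: {prog} raised {threshold} errors within {window}")
        # Rule 2: an error on a host within `before` of a kernel warning on that host.
        if "error" in msg and any(r[1] == host and r[2] == "kernel" and "warning" in r[3]
                                  and ts - r[0] <= before for r in recent):
            alerts.append(f"{host}: {prog} error shortly after kernel warning")
    return alerts
```

The alert strings are where a hook into a monitoring system (SNMP trap, mail, ticket) would go; the rule checks themselves are independent of how the alert is delivered.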



  2. Re: Syslog scanning

    Steve Baker wrote:
    > We have a load of machines spitting out various concoctions of message to a
    > central syslog server. The messages generally contain something about
    > severity, such as "error" or "warning" or "info", etc. The problem is, how
    > bad an issue a particular "warning" or "error" really is depends on some
    > complex rules. The rules are typically "this is only bad if it's happened
    > XXX times in the last XXX minutes" or "this is bad if it's happened together
    > with something else" or "this is bad if something else has happened just
    > before it". Also, some error or warning conditions can be ignored "this
    > isn't a worry if it takes this particular form or contains this string".
    >
    > So, in order to scan the syslog sensibly and trigger alarms, we need some
    > kind of syslog scanner which is very smart and can do this complex rule
    > stuff. There are lots of log scanners around, but there doesn't seem to be
    > anything which addressed this type of need.
    >
    > Can anyone recommend anything? What are the rest of you using in large-scale
    > Linux installations?
    >
    > Thanks,
    >
    > Steve
    >
    > (Linux RHEL3, by the way, not that it should make a difference)
    >
    >

    You could reconfigure logwatch to print your stuff as well as what it does
    by default. Config files are in /etc/log.d/scripts.

    man logwatch

    --
    .~. Jean-David Beyer Registered Linux User 85642.
    /V\ PGP-Key: 9A2FC99A Registered Machine 241939.
    /( )\ Shrewsbury, New Jersey http://counter.li.org
    ^^-^^ 15:40:01 up 63 days, 9:34, 4 users, load average: 4.31, 4.27, 4.19

  3. Re: Syslog scanning

    "Jean-David Beyer" wrote in message
    news:11g74vmhe0frpb0@corp.supernews.com...
    > Steve Baker wrote:
    >> We have a load of machines spitting out various concoctions of message to a
    >> central syslog server. The messages generally contain something about
    >> severity, such as "error" or "warning" or "info", etc. The problem is, how
    >> bad an issue a particular "warning" or "error" really is depends on some
    >> complex rules. The rules are typically "this is only bad if it's happened
    >> XXX times in the last XXX minutes" or "this is bad if it's happened together
    >> with something else" or "this is bad if something else has happened just
    >> before it". Also, some error or warning conditions can be ignored "this
    >> isn't a worry if it takes this particular form or contains this string".
    >>
    >> So, in order to scan the syslog sensibly and trigger alarms, we need some
    >> kind of syslog scanner which is very smart and can do this complex rule
    >> stuff. There are lots of log scanners around, but there doesn't seem to be
    >> anything which addressed this type of need.
    >>
    >> Can anyone recommend anything? What are the rest of you using in large-scale
    >> Linux installations?
    >>
    >> Thanks,
    >>
    >> Steve
    >>
    >> (Linux RHEL3, by the way, not that it should make a difference)
    >>
    >>

    > You could reconfigure logwatch to print your stuff as well as what it does
    > by default. Config files are in /etc/log.d/scripts.
    >
    > man logwatch


    Print it?? We actually need it to raise alerts in our monitoring systems. I
    don't think logwatch is quite smart enough to handle that kind of rule-set.

    Steve


