<div dir="ltr">Auto split your logs using the $HOST macro?<br><div>Watch and count as time progresses since some systems may only log something daily. </div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 12, 2017 at 2:06 PM, Evan Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Since the syslog messages might come from UDP sources, you cannot look at connections. You have to look at all of the host names in all of the log lines.<br>
<br>
The way we address this is to have a program destination that we send just the hostname to for EVERY log line. That program keeps a running hash and every 5 minutes logs its own line<br>
<br>
2017-05-12T00:00:23.225-07:00 <a href="mailto:local@syslogserver.comp.uvic.ca" target="_blank">local@syslogserver.comp.uvic.ca</a> <a href="http://local0.info" rel="noreferrer" target="_blank">local0.info</a> flare-heartbeat[14903]: got syslog messages from <a href="http://syslogclient.comp.uvic.ca" rel="noreferrer" target="_blank">syslogclient.comp.uvic.ca</a><br>
<br>
Your program could update a database or any other repository on a 5 minute interval. If that load is too much, just switch to a 10 minute interval.<br>
<br>
We feed these "got syslog messages" lines into another program that manages a heartbeat timer for every host, and if the "got syslog messages" line is missing<br>
for a host, we alert ourselves to the fact that syslog messages have stopped arriving for a host.<br>
<br>
We wrote our program in Perl, which can update hashes very quickly. Our test shows we can handle 1 million events per second and track them all via this approach.<br>
We are only tracking 1000+ hosts via this mechanism.<br>
<br>
<br>
I hope that is helpful.<span class="HOEnZb"><font color="#888888"><br>
<br>
Evan.</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
<br>
On 05/12/2017 10:54 AM, Nik Ambrosch wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
someone correct me if i’m wrong, but i don’t think there’s a good way to get this information directly from the syslog-ng daemon, especially if it’s restarted. a more reliable way is to pull the data off disk.<br>
<br>
depending on your log volume putting them into a database will allow you to easily do this with a single query. i write about 20 million log lines into a mysql database every day so this should cover most use cases. a query would look like one of these two (depends if you want a line count or not):<br>
<br>
mysql> select distinct host from syslog_table_20170511;<br>
mysql> select distinct host,count(*) as count from syslog_table_20170511 group by host order by count desc;<br>
<br>
pulling from log files on disk obviously takes longer to run but can be done with a one-liner like this:<br>
<br>
$ cat file.log | awk '{print $1}' | sort | uniq -c | sort -nr<br>
<br>
another option is to write one log file per host and just run an ls to see which hosts have sent logs for the day, for example:<br>
<br>
/loghost/YYYYMMDD/hostname.prv.log<br>
<br>
the dynamic path can be setup using syslog-ng.<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On May 12, 2017, at 1:11 PM, Sathish Sundaravel <<a href="mailto:sathish.sundaravel@gmail.com" target="_blank">sathish.sundaravel@gmail.com</a>> wrote:<br>
<br>
Hi All<br>
<br>
I have a syslog-ng server running on the Solaris platform, configured to receive or accept events from all Unix servers in one single log file.<br>
<br>
If I want to collect a list of servers reporting to the log server, I have to manually extract the list from a single log file, which is too time consuming. What would be the best way?<br>
<br>
Regards<br>
Sathish<br>
</blockquote></blockquote>
<br>
<br>
</div></div></blockquote></div><br></div>
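The thread describes two pieces: a program destination that receives only the hostname of every log line and emits a "got syslog messages from HOST" line every few minutes, and a second program that keeps a heartbeat timer per host and alerts when that line stops appearing. The script below is an added example of both halves in one file; it is not Evan's Perl program and not anything shipped with syslog-ng. It assumes syslog-ng hands it one hostname per line on stdin, that the heartbeat line format is the one quoted above, and that the 5-minute interval and the grace period are illustrative values. The hostnames in `demo()` are constructed sample data.

```python
r"""Track which hosts are still sending syslog: hostname-per-line in,
heartbeat lines out, plus a monitor that names hosts that went quiet.

Added example, not Evan's Perl program or part of syslog-ng.
Assumptions: one hostname per line on stdin, e.g. from a syslog-ng
program() destination with template("${HOST}\n"); heartbeat line format
as quoted in the thread; INTERVAL and grace values are illustrative.
"""
import re
import sys
import time

INTERVAL = 300            # seconds between heartbeat flushes (5 minutes)
HEARTBEAT_RE = re.compile(r"got syslog messages from (\S+)\s*$")


class HostTracker:
    """Counts hostnames between flushes; one heartbeat line per host per flush."""

    def __init__(self, interval=INTERVAL):
        self.interval = interval
        self.seen = {}            # host -> message count since last flush
        self.last_flush = None    # None until the first observation

    def observe(self, host, now):
        host = host.strip()
        if not host:              # blank or malformed line: ignore, never crash the feed
            return
        if self.last_flush is None:
            self.last_flush = now
        self.seen[host] = self.seen.get(host, 0) + 1

    def due(self, now):
        return self.last_flush is not None and now - self.last_flush >= self.interval

    def flush(self, now):
        """Emit one line per host seen since the last flush, then reset the table."""
        lines = [f"got syslog messages from {h}" for h in sorted(self.seen)]
        self.seen.clear()
        self.last_flush = now
        return lines


class HeartbeatMonitor:
    """Consumes heartbeat lines and names hosts whose heartbeat has gone missing."""

    def __init__(self, grace=2 * INTERVAL):
        self.grace = grace        # how long a host may be silent before alerting
        self.last_seen = {}       # host -> time of its most recent heartbeat

    def ingest(self, line, now):
        m = HEARTBEAT_RE.search(line)
        if not m:
            return None           # unrelated log line
        host = m.group(1)
        self.last_seen[host] = now
        return host

    def silent_hosts(self, now):
        """Hosts that once sent logs but whose last heartbeat is older than grace."""
        return sorted(h for h, t in self.last_seen.items() if now - t > self.grace)


def demo():
    """Constructed scenario: three hosts log, then db01 goes quiet."""
    t0 = 1000.0
    tracker = HostTracker(interval=300)
    monitor = HeartbeatMonitor(grace=600)
    for i, h in enumerate(["web01", "db01", "web01", "auth01", "web01"]):
        tracker.observe(h, t0 + i)
    first = tracker.flush(t0 + 300)
    for line in first:
        monitor.ingest(line, t0 + 300)
    for k in (2, 3):                          # two more intervals without db01
        for h in ("web01", "auth01"):
            tracker.observe(h, t0 + 300 * k - 10)
        for line in tracker.flush(t0 + 300 * k):
            monitor.ingest(line, t0 + 300 * k)
    return first, monitor.silent_hosts(t0 + 901)


def main():
    """Run as the program() destination: hostnames in on stdin, heartbeats out on stdout."""
    tracker = HostTracker()
    for line in sys.stdin:                    # flushes only when a line arrives; a
        now = time.time()                     # production version would add a timer
        tracker.observe(line, now)
        if tracker.due(now):
            for beat in tracker.flush(now):
                print(beat, flush=True)


if __name__ == "__main__":
    main()
```

Wired into syslog-ng it would look like `destination d_hosts { program("/usr/local/bin/host_heartbeat.py" template("${HOST}\n")); };` (the script path is a placeholder), sending only the `$HOST` macro rather than the full message so the per-line cost stays tiny. The monitor half keys only on hosts it has seen at least once, so a host that has never logged is not reported; pair it with an inventory list if you also need to catch hosts that never checked in.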