On Tue, 2005-11-15 at 00:15 -0500, seth vidal wrote:
On Tue, 2005-11-15 at 00:12 -0500, Crayola wrote:
I have used swatch, logchecker, and logwatch in the past against standard OS logs.
Now I have a centralized syslog system where everything is being pumped directly into multiple MySQL databases.
Are there any log analysis tools that can look at syslog data in a mysql database and send out alerts based on it?
Why not just use swatch or sec and an alternate destination to handle the alerts?
I'd prefer not to send it to two locations. It's already being pumped into a database. I'd rather not pump it to files as well.
You don't pump it to files. Pump it to the program sec.
Right now you're using a program to push the log info to the mysql db. Do the same thing but piping it directly to sec.
-sv
If you want real time [or near real time] alerts then you pretty much have to catch it at the input stream. Either with a filter in syslog-ng.conf that calls a program, which you could have some very specific clever filters to catch critical things, or change your mysql inserter to have some extra logic to do inspection and fire off alerts as needed before moving on to insert into the DB.

If you do not need real time [or if a few well placed syslog-ng filters will cover the critical ones] you can create a shell script that queries the DB every so often, dumps the output to a temp file and calls your favorite log analysis software against the temp file. Have it delete the temp file after it is done and you've got it.

Just my 2 cents
-Mike
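Below is an added example of the polling approach Mike describes; it is not code from anyone on this thread. It assumes a table named `logs` with an auto-increment `seq` column plus `datetime`, `host`, `program` and `msg` (the schema is an assumption; adjust it to whatever your inserter writes). It pulls rows out of MySQL into a temp file, runs a small grep-based rule set in place of swatch/sec/logwatch, mails anything that matches, and keeps a high-water mark so the same rows are never re-alerted on the next run. The `sample_dump` function writes a few constructed rows so the rule logic can be exercised without a database.

```shell
#!/bin/sh
# Added example (not from the thread): poll syslog rows out of MySQL every so
# often, hand them to a file-based analyser, and remember the last seq seen.
# Assumed schema: table `logs` with columns seq, datetime, host, program, msg.
set -u

STATE_FILE="${STATE_FILE:-/var/tmp/syslog-poll.seq}"   # high-water mark lives here
DB="${DB:-syslog}"                                     # assumed database name
ALERT_TO="${ALERT_TO:-root}"

# SQL for every row newer than the last processed seq, oldest first.
build_query() {
    printf 'SELECT seq, datetime, host, program, msg FROM logs WHERE seq > %d ORDER BY seq' "$1"
}

# Last seq we already analysed; 0 on the very first run.
read_watermark() {
    if [ -f "$STATE_FILE" ]; then cat "$STATE_FILE"; else echo 0; fi
}

# Highest seq in a tab-separated dump (seq is the first column).
max_seq() {
    awk -F'\t' '$1+0 > m { m = $1+0 } END { print m+0 }' "$1"
}

# Stand-in for swatch/sec/logwatch: print rows that match critical patterns.
# Extend or replace with a call to your real analyser on the dump file.
match_rules() {
    grep -E -i 'sshd.*(failed password|invalid user)|segfault|oom-killer|kernel panic' "$1" || true
}

# Constructed sample rows in the same tab-separated shape `mysql -B -N` emits.
sample_dump() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        1001 '2005-11-15 00:20:01' host1 cron 'CMD (run-parts /etc/cron.hourly)' \
        1002 '2005-11-15 00:20:05' host2 sshd 'Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2' \
        1003 '2005-11-15 00:20:09' host1 kernel 'httpd[1234]: segfault at 0 rip 0 rsp 0 error 4'
}

# One polling cycle: dump new rows, analyse, alert, advance the watermark.
poll_once() {
    last=$(read_watermark)
    tmp=$(mktemp "${TMPDIR:-/tmp}/syslog-poll.XXXXXX") || return 1
    trap 'rm -f "$tmp"' EXIT

    mysql -B -N -D "$DB" -e "$(build_query "$last")" > "$tmp" || return 1

    alerts=$(match_rules "$tmp")
    if [ -n "$alerts" ]; then
        printf '%s\n' "$alerts" | mail -s "syslog alerts from $DB (seq > $last)" "$ALERT_TO"
    fi

    newmax=$(max_seq "$tmp")
    if [ "$newmax" -gt "$last" ]; then
        echo "$newmax" > "$STATE_FILE"     # advance only after a successful pass
    fi
    rm -f "$tmp"
}

# Offline demo against the constructed rows; no database needed.
demo() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/syslog-demo.XXXXXX") || return 1
    sample_dump > "$tmp"
    echo "query that would run: $(build_query 0)"
    echo "matching rows:"
    match_rules "$tmp"
    echo "new watermark would be: $(max_seq "$tmp")"
    rm -f "$tmp"
}

case "${1:-}" in
    --demo) demo ;;
    --poll) poll_once ;;
esac
```

Run it as `sh poll-syslog.sh --demo` to see the rules fire on the sample rows, or put `sh poll-syslog.sh --poll` in cron every few minutes. The watermark file is what makes the cron version safe: without it, every run would re-read and re-alert on the same rows. For the real-time path Mike mentions first, the equivalent in syslog-ng is a `program()` destination that pipes messages straight into sec's stdin, which is the alternate destination seth was pointing at.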