syslog-ng and logwatch
Hello, Anyone use syslog-ng with logwatch-7.1? I was wondering how to set it up to scan the proper log files. Right now I have multiple servers writing to the main syslog-ng server. It creates directories such as: /var/log/HOSTS/<ip of clients>/2005/11/14/<logfile-name> logwatch.pl looks like it scans for /var/log or whatever you want, but I'm not sure how to scan the multiple directories of the syslog-ng server client logs. Thanks, Kevin
On Mon, 2005-11-14 at 12:42 -0400, kevin_herald wrote:
Hello,
Anyone use syslog-ng with logwatch-7.1? I was wondering how to set it up to scan the proper log files. Right now I have multiple servers writing to the main syslog-ng server. It creates directories such as:
/var/log/HOSTS/<ip of clients>/2005/11/14/<logfile-name>
logwatch.pl looks like it scans for /var/log or whatever you want, but I'm not sure how to scan the multiple directories of the syslog-ng server client logs.
This probably belongs on logwatch -at- logwatch.org but here goes. You have 2 choices. One, you can create a wrapper to the logwatch call and set --logdir to whatever value you want [this is helpful for only parsing 1 day's logs instead of the normal of parsing everything it can find and filtering.] An example of this would be:

    #!/bin/bash
    year=$(date -d -1day +%Y)
    month=$(date -d -1day +%m)
    day=$(date -d -1day +%d)
    /usr/sbin/logwatch --logdir "/var/log/HOSTS/192.168.0.1/$year/$month/$day" --print
    exit

The other way is to edit the logfile groups so that LogFile is defined to point at the logs you want parsed. [Wildcards are ok here] Example:

/usr/share/logwatch/default.conf/logfiles/messages.conf has

    LogFile = messages

That means anything that normally looks for /var/log/messages uses this. You can change that to

    LogFile = /var/log/HOSTS/*/*/*/*/messages

and better yet just add that line to the file [which you'll have to create] /etc/logwatch/conf/logfiles/messages.conf [Using /etc/logwatch/conf/logfiles will allow you to preserve configuration changes across updates.] to have it look at every single day from your syslog-ng template. Note this is probably a bad idea if you keep months and months of logs; use a wrapper! Hope that helps. Some of this is in the manpage and the HOWTO that comes with logwatch [man logwatch]

-Mike
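The wrapper Mike shows handles one client host. The script below is an added example (not code from the thread or from the logwatch project) that generalises it to every client under the syslog-ng directory template from the original post, /var/log/HOSTS/<client>/<YYYY>/<MM>/<DD>/<logfile>: it works out yesterday's YYYY/MM/DD, finds each host that actually logged that day, and runs logwatch once per host with --logdir pointed at that single day. It assumes GNU date (for -d, as the original wrapper does); HOSTS_ROOT and LOGWATCH are hypothetical variables so the paths can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not code from the thread): a cron wrapper that runs logwatch
# once per client host against yesterday's syslog-ng directory, so each run
# parses one day's logs instead of everything under /var/log/HOSTS.
# Assumptions: the directory template from the original post,
# /var/log/HOSTS/<client>/<YYYY>/<MM>/<DD>/<logfile>, and GNU date (for -d).
# HOSTS_ROOT and LOGWATCH are hypothetical variables, overridable from the environment.

: "${HOSTS_ROOT:=/var/log/HOSTS}"
: "${LOGWATCH:=/usr/sbin/logwatch}"

# yesterday_subdir [REF]: print the YYYY/MM/DD component for the day before REF
# (default: now), e.g. 2005-11-15 -> 2005/11/14.
yesterday_subdir() {
    date -d "${1:-now} -1 day" +%Y/%m/%d
}

# daily_logdirs ROOT SUBDIR: print that day's directory under every client
# that actually has one; hosts that logged nothing that day are skipped.
daily_logdirs() {
    _root=$1
    _sub=$2
    for _host in "$_root"/*/; do
        [ -d "$_host$_sub" ] && printf '%s\n' "$_host$_sub"
    done
    return 0
}

# host_of DIR: recover the client name from a daily directory, e.g.
# /var/log/HOSTS/192.168.0.1/2005/11/14 -> 192.168.0.1
host_of() {
    _rel=${1#"$HOSTS_ROOT"/}
    printf '%s\n' "${_rel%%/*}"
}

# run_daily_reports [REF]: one logwatch run per client, labelled by host.
run_daily_reports() {
    _day=$(yesterday_subdir "$1")
    daily_logdirs "$HOSTS_ROOT" "$_day" | while IFS= read -r _dir; do
        printf '==== %s (%s) ====\n' "$(host_of "$_dir")" "$_day"
        "$LOGWATCH" --logdir "$_dir" --print
    done
}

# Only run the reports when invoked as `sh wrapper.sh --run [YYYY-MM-DD]`,
# so the functions above can be sourced and checked without logwatch present.
if [ "${1:-}" = "--run" ]; then
    run_daily_reports "${2:-now}"
fi
```

Run it from cron as `sh wrapper.sh --run` shortly after midnight; passing a date as the second argument (`--run 2005-11-15`) reports on the day before that date, which is handy for re-running a missed day.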
I have used swatch, logchecker, and logwatch in the past against standard OS logs.. Now I have a centralized syslog system where everything is being pumped directly into multiple MySQL databases. Are there any log analysis tools that can look at syslog data in a mysql database and send out alerts based on it? Thanks, Mike
On Mon, 2005-11-14 at 18:27 -0500, Crayola wrote:
I have used swatch, logchecker, and logwatch in the past against standard OS logs..
Now I have a centralized syslog system where everything is being pumped directly into multiple MySQL databases.
Are there any log analysis tools that can look at syslog data in a mysql database and send out alerts based on it?
Why not just use swatch or sec and an alternate destination to handle the alerts? -sv
I have used swatch, logchecker, and logwatch in the past against standard OS logs..
Now I have a centralized syslog system where everything is being pumped directly into multiple MySQL databases.
Are there any log analysis tools that can look at syslog data in a mysql database and send out alerts based on it?
Why not just use swatch or sec and an alternate destination to handle the alerts?
I'd prefer not to send it to two locations.. It's already being pumped into a database. I'd rather not pump it to files as well. Mike
On Tue, 2005-11-15 at 00:12 -0500, Crayola wrote:
I have used swatch, logchecker, and logwatch in the past against standard OS logs..
Now I have a centralized syslog system where everything is being pumped directly into multiple MySQL databases.
Are there any log analysis tools that can look at syslog data in a mysql database and send out alerts based on it?
Why not just use swatch or sec and an alternate destination to handle the alerts?
I'd prefer not to send it to two locations.. It's already being pumped into a database. I'd rather not pump it to files as well.
You don't pump it to files. Pump it to the program sec. Right now you're using a program to push the log info to the mysql db. Do the same thing but piping it directly to sec. -sv
On Tue, 2005-11-15 at 00:15 -0500, seth vidal wrote:
On Tue, 2005-11-15 at 00:12 -0500, Crayola wrote:
I have used swatch, logchecker, and logwatch in the past against standard OS logs..
Now I have a centralized syslog system where everything is being pumped directly into multiple MySQL databases.
Are there any log analysis tools that can look at syslog data in a mysql database and send out alerts based on it?
Why not just use swatch or sec and an alternate destination to handle the alerts?
I'd prefer not to send it to two locations.. It's already being pumped into a database. I'd rather not pump it to files as well.
You don't pump it to files. Pump it to the program sec.
Right now you're using a program to push the log info to the mysql db. Do the same thing but piping it directly to sec.
-sv
If you want real time [or near real time] alerts then you pretty much have to catch it at the input stream. Either with a filter in syslog-ng.conf that calls a program, which you could have some very specific clever filters to catch critical things, or change your mysql inserter to have some extra logic to do inspection and fire off alerts as needed before moving on to insert into the DB.

If you do not need real time [or if a few well placed syslog-ng filters will cover the critical ones] you can create a shell script that queries the DB every so often, dumps the output to a temp file and calls your favorite log analysis software against the temp file. Have it delete the temp file after it is done and you've got it.

Just my 2 cents

-Mike
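The second, non-real-time approach Mike describes (query the DB every so often, dump to a temp file, run an analyzer over it, delete the file) as an added example; this is not code from the thread or from any of the tools mentioned. It goes one step beyond the message by keeping a high-water mark of the last row id processed, so each poll fetches only new rows instead of re-reading the whole table, and it checks that the mark read back from disk is a plain integer before splicing it into the SQL. The table and column names (logs, id, host, msg), the use of `mysql -N -B` as a client that reads SQL on stdin and prints tab-separated rows, and the STATE_FILE, QUERY_CMD and ANALYZE_CMD variables are all assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): the "query the DB every so often"
# approach. Each poll selects only rows newer than the last id it processed,
# writes them to a temp file, hands the file to an analyzer, records the new
# high-water mark and deletes the file. Assumptions: a table `logs` with
# integer `id`, `host` and `msg` columns, a mysql client that reads SQL on
# stdin and prints tab-separated rows (mysql -N -B), and an analyzer that
# takes a file argument. STATE_FILE, QUERY_CMD and ANALYZE_CMD are hypothetical
# variables so the real commands can be substituted from the environment.

: "${STATE_FILE:=/var/lib/syslog-poll/last_id}"
: "${QUERY_CMD:=mysql -N -B syslog}"
: "${ANALYZE_CMD:=/usr/local/bin/analyze-syslog}"   # hypothetical analyzer

# last_id: highest row id already processed, 0 on the first run.
last_id() {
    if [ -r "$STATE_FILE" ]; then cat "$STATE_FILE"; else echo 0; fi
}

# build_query SINCE: SQL for rows after the high-water mark. SINCE comes from a
# file on disk, so it is checked to be a plain integer before it is spliced
# into the statement; anything else is rejected rather than sent to the DB.
build_query() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf 'SELECT id, host, msg FROM logs WHERE id > %s ORDER BY id;' "$1"
}

# poll_once: one polling cycle. The temp file is removed on every exit path,
# and the mark only advances after the analyzer has seen the rows.
poll_once() {
    _since=$(last_id)
    _sql=$(build_query "$_since") || {
        printf 'refusing to poll: bad state file %s\n' "$STATE_FILE" >&2
        return 1
    }
    _tmp=$(mktemp) || return 1
    # QUERY_CMD is deliberately unquoted so "mysql -N -B syslog" splits into words.
    printf '%s\n' "$_sql" | $QUERY_CMD > "$_tmp"
    if [ -s "$_tmp" ]; then
        $ANALYZE_CMD "$_tmp"
        _newest=$(tail -n 1 "$_tmp" | cut -f1)
        mkdir -p "$(dirname "$STATE_FILE")"
        printf '%s\n' "$_newest" > "$STATE_FILE"
    fi
    rm -f "$_tmp"
}

# Run one cycle when invoked as `sh poll.sh --run` (e.g. from cron every few
# minutes); the functions can be sourced and checked without a database.
if [ "${1:-}" = "--run" ]; then
    poll_once
fi
```

Schedule `sh poll.sh --run` from cron at whatever interval your alerting latency allows. Because the state file is written only after the analyzer returns, a crash mid-cycle means the same rows are analyzed again next time rather than skipped, which is the safer failure for an alerting pipeline.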
Try php-syslog-ng http://www.phpwizardry.com/php-syslog-ng.php
Then let us know how it goes.

Pe5ky Tac0
--------------
Yum, Fish Tacos !!

Crayola wrote:
I have used swatch, logchecker, and logwatch in the past against standard OS logs..
Now I have a centralized syslog system where everything is being pumped directly into multiple MySQL databases.
Are there any log analysis tools that can look at syslog data in a mysql database and send out alerts based on it?
Thanks, Mike
_______________________________________________
LogAnalysis mailing list
LogAnalysis@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis
participants (5): Crayola, kevin_herald, Mike Tremaine, Pe5kyTac0, seth vidal