incoming message stats (fwd)
Anyone have any thoughts on this?

---------- Forwarded message ----------
Date: Fri, 1 Apr 2005 13:45:48 -0500 (EST)
From: Jim <jim@jeke.fdns.net>
Reply-To: syslog-ng@lists.balabit.hu
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]incoming message stats

Hello,

I would like to get some stats on the number of incoming messages I am receiving on a central log server. I am running syslog-ng 1.6.6, built with libol 0.3.15.

From what I can see, I will need to modify libol in order for syslog-ng to count these messages, and tell me at a regular interval. Does this sound right, or am I missing another simple way to do this?

Assuming I have to modify source, it looks like I can just add a counter to the do_write_str() function in pkt_buffer.c that looks something like this:

    if (self->queue_size == self->queue_max) {
        /* fifo full */
        pktbuf_dropped_pkts++;
        ol_string_free(string);
        return ST_FAIL | ST_OK;
    } else {
        struct buffer_node *item;
-->     pktbuf_recved_pkts++;
        NEW_SPACE(item);
        item->packet = string;
        ol_queue_add_tail(&self->queue, &item->header);
        if (++self->queue_size == self->queue_max && self->super.writable)
            (*self->super.writable) = 0;
    }

The "-->" indicates the new line.

Pretty much all I did was copy where the "pktbuf_dropped_pkts" was, and added in my variable.

The numbers that I get when I run with this don't appear to totally match up with what I expect, but are fairly close. Is this the right place to insert a counter to count total syslog messages received over the network (from both TCP and UDP sources)? If not, can someone point me in a different direction?

Thanks!
Mike

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Search for the post by Jay Guerrette (sp?) where he posted some C code to maintain stats - and I think also input them into an RRD database so you can view graphs. No source mods needed, just a program destination to keep track - much cleaner in the long run if it can keep up with your load.

On Apr 7, 2005 11:49 AM, Jim <jim@jeke.fdns.net> wrote:
> Anyone have any thoughts on this?
mmmmmm! much nicer. For some reason I was thinking of taking the output of my modifications and putting them in Excel or something. Throwing them in an RRD will be a lot better.

thanks,
Mike

On Thu, 7 Apr 2005, UNIX Admin wrote:
> search for the post by Jay Guerrette (sp?) where he posted some C code to maintain stats - and I think also input them into an RRD database so you can view graphs. No source mods needed, just a program destination to keep track - much cleaner in the long run if it can keep up with your load.
On Thu, Apr 07, 2005 at 08:04:40PM -0400, Jim wrote:
> mmmmmm! much nicer. For some reason I was thinking of taking the output of my modifications and putting them in Excel or something. throwing them in an RRD will be a lot better.

Here it is:
https://lists.balabit.hu/pipermail/syslog-ng/2004-November/006714.html

--
Nate

"Few things are harder to put up with than the annoyance of a good example." - Pudd'nhead Wilson's Calendar(1894) - Samuel Clemens
On 4/7/05, Nate Campi <nate@campin.net> wrote:
> On Thu, Apr 07, 2005 at 08:04:40PM -0400, Jim wrote:
> > mmmmmm! much nicer. For some reason I was thinking of taking the output of my modifications and putting them in Excel or something. throwing them in an RRD will be a lot better.
>
> Here it is:
> https://lists.balabit.hu/pipermail/syslog-ng/2004-November/006714.html

Has anyone made this work? I use MRTG and have a C compiler, but I'm still confused as to how to compile this, and where it stores the logs for MRTG or RRD?

Shane
On Wed, Apr 27, 2005 at 12:28:42PM -0400, Shane Presley wrote:
> On 4/7/05, Nate Campi <nate@campin.net> wrote:
> > On Thu, Apr 07, 2005 at 08:04:40PM -0400, Jim wrote:
> > > mmmmmm! much nicer. For some reason I was thinking of taking the output of my modifications and putting them in Excel or something. throwing them in an RRD will be a lot better.
> >
> > Here it is:
> > https://lists.balabit.hu/pipermail/syslog-ng/2004-November/006714.html
>
> Has anyone made this work? I use MRTG and have a C compiler, but I'm still confused as to how to compile this, and where it stores the logs for MRTG or RRD?

The C code simply does the work of keeping tabs on the message count and sending a syslog message with the stats every 60 seconds. It's up to you to somehow get that information out of the logs and update an RRD, and then graph that information.

All you'd need to get started is here:
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/tut/rrdtutorial.en.html

Maybe somebody will send out a detailed HOWTO with scripts (Jay?) but for now you're on your own.

--
Nate

"I know your little 4th grade teacher said there are not stupid questions. She was wrong. This is Usenet." - Unknown
Hmmm.... these are pieces of a monitoring system; taking ~8000 performance datapoints per minute from ~200 servers and feeding them into RRD. I spool incoming performance data via syslog-ng to a file like this:

    05:19:46 10.100.0.29: Processor(Total)\%_Processor_Time=1.5157 Paging_File(Total)\%_Usage=0.4660

That is the format that you'll notice the C program creates:

    syslog(LOG_INFO, "Syslog-ng\\Lines=%d Syslog-ng\\Bytes=%d", count, bytes);

I wrote a Perl daemon/parser that sits on top of that log and creates new RRDs or updates existing RRDs. So that would translate into creating or updating:

    /rrd/10.100.0.29/Processor(Total)/%_Processor_Time.rrd
    /rrd/10.100.0.29/Paging_File(Total)/%_Usage.rrd

This is probably all overkill for what you want; just a couple of counters. If interested, I could sanitize/comment the code and make it available.

Something that WORKS, but I have not implemented in production systems, is the following:

Create a syslog-ng destination like this:

    destination rrdtool {
        program("/path/to/rrdtool/bin/rrdtool -"
            template("$MESSAGE\n")
            template_escape(no)
        );
    };

This puts rrdtool in listen mode on its STDIN. Then you syslog log a message to the rrdtool destination. This message must look like this:

    update /path/to/database.rrd N:x

This will tell RRDtool to update the named database with a record stamped 'N'ow, with the value of 'x'. The database must already exist; part of the reason I don't use it, my production tool creates RRDs on the fly for new monitors.

The trick is to make sure that EXACT message format gets to rrdtool. Some syslog tools, like 'logger' for Linux will throw extra stuff in:

    logger update /tmp/test.rrd N:1

resulted in:

    root: update /tmp/test.rrd N:1

Which rrdtool ignored. You would most likely need to create the UDP packet yourself, instead of relying on an existing syslog tool. I tested it like this:

    echo "<14> update /tmp/test.rrd N:1" | nc -w 1 -u 127.0.0.1 514

'<14>' is the syslog code for 'user.info'. I piped the output of echo to 'nc'; which is a program called netcat (great tool!). netcat just spit the line to the local syslog-ng via UDP. This worked, the output was clean and rrdtool updated my test database.

The new 1.2 version of rrdtool can act as a TCP server.
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/doc/rrdtool.en.html#remot...
Which gives even more options...

But that's enough to chew on for now. Something here will work for you without too much effort. If you're not a C programmer of any sort, and want slight modifications to the code I posted, I'd most likely be happy to help. Just ask.

On 4/30/05, Nate Campi <nate@campin.net> wrote:
> The C code simply does the work of keeping tabs on the message count and sending a syslog message with the stats every 60 seconds. It's up to you to somehow get that information out of the logs and update an RRD, and then graph that information.
>
> All you'd need to get started is here: http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/tut/rrdtutorial.en.html
>
> Maybe somebody will send out a detailed HOWTO with scripts (Jay?) but for now you're on your own.
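
An added example, not code from this thread or from any poster's tools: a Python sketch of the parser step described in the message above, turning spooled stats lines of the form `HH:MM:SS host: Object\Counter=value ...` into `update <path> N:<value>` commands for `rrdtool -`. Because the host and counter names arrive over syslog and end up in a file path and an rrdtool command, each field is validated before it is used. The function names, `RRD_ROOT` and the allowed character sets are assumptions made for this example.

```python
import re
from pathlib import PurePosixPath

RRD_ROOT = PurePosixPath("/rrd")  # assumed base directory, matching the paths in the post

# "HH:MM:SS host: Object\Counter=value [Object\Counter=value ...]"
LINE_RE = re.compile(r"(\d\d:\d\d:\d\d) (\S+): (.+)")
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")
# Path components: only characters seen in the sample counters. No "/", no
# whitespace, and no leading ".", so "." and ".." can never be a component.
PART_RE = re.compile(r"[A-Za-z0-9_%()-][A-Za-z0-9_%().-]*")
VALUE_RE = re.compile(r"-?\d+(\.\d+)?")


def parse_stats_line(line):
    """Return [(rrd_path, value), ...] for one spooled line, skipping bad fields."""
    m = LINE_RE.fullmatch(line.rstrip("\n"))
    if not m or not HOST_RE.fullmatch(m.group(2)):
        return []
    host, updates = m.group(2), []
    for field in m.group(3).split(" "):
        name, sep, value = field.rpartition("=")
        obj, bslash, counter = name.partition("\\")
        if not (sep and bslash and VALUE_RE.fullmatch(value)):
            continue  # not Object\Counter=number
        if not (PART_RE.fullmatch(obj) and PART_RE.fullmatch(counter)):
            continue  # would not be a safe single path component
        updates.append((str(RRD_ROOT / host / obj / f"{counter}.rrd"), value))
    return updates


def rrdtool_commands(line):
    """Commands to write to the stdin of `rrdtool -`; 'N' stamps the record now."""
    return [f"update {path} N:{value}" for path, value in parse_stats_line(line)]


if __name__ == "__main__":
    # The first line is the sample from the post; the second is constructed
    # input with a traversal attempt that must yield only the Disk\Free update.
    for sample in (
        r"05:19:46 10.100.0.29: Processor(Total)\%_Processor_Time=1.5157 Paging_File(Total)\%_Usage=0.4660",
        r"05:19:46 10.100.0.29: ..\..\etc=1 Disk\Free=12",
    ):
        print(rrdtool_commands(sample))
```

The same checks apply to the `program()` destination approach: anything that reaches `rrdtool -` is executed as an rrdtool command, so a filter of this kind belongs between the UDP listener and rrdtool's STDIN.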
One correction:

On 4/30/05, Jay Guerette <jayguerette@gmail.com> wrote:
> The new 1.2 version of rrdtool can act as a TCP server. http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/doc/rrdtool.en.html#remot...

That's not exactly true; in their example they use xinetd to tcp-enable the same rrdtool listening on its STDIN. I was mistaken in my first read of it.
participants (5)
- Jay Guerette
- Jim
- Nate Campi
- Shane Presley
- UNIX Admin