[syslog-ng] elegant swatch solution
Nate Campi
nate@campin.net
Fri, 9 Nov 2001 23:11:58 -0800
I found a clean way to use swatch to watch all your syslog messages from
syslog-ng. Normally you need to tell swatch to tail a file, so if you
want swatch to watch all your logs you have to either send all messages
to one file or run multiple instances of swatch.
I came up with this tonight:
# hack to get swatch to read from stdin
destination swatch { program("/usr/bin/swatch --read-pipe=\"cat /dev/fd/0\""); };
# send all logs to swatch
log { source(src); destination(swatch); };
The source "src" is all my logs on that box. This works like a charm, and
if syslog-ng is restarted, so is swatch, so you don't need to worry
about HUP'ing/restarting swatch - ever!
This way you can let swatch monitor your logs instead of using match()
directives - since swatch has built-in throttling on alerts I find it
nicer to use. swatch keeps my pager from going nuts after the first
message that caused the alarm; subsequent messages are ignored for a
defined amount of time, using the "throttle feature".
--
Nate Campi http://www.campin.net GnuPG key: 0xC17AEF79
Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79
"Only two things are infinite, the universe and human stupidity,
and I'm not sure about the former" -- Albert Einstein.
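An added illustration, not part of the original message and not swatch's own code: a small Python model of what the throttle feature described above does to the message stream that syslog-ng pipes into swatch via program(). The sample log lines are constructed, and the per-source key option is this model's own assumption rather than swatch syntax.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    """A watchfor-style rule: pattern plus throttle window in seconds.
    key_re is this model's own addition (assumption, not swatch syntax): its
    first capture group keys the throttle, e.g. one window per source IP."""
    pattern: re.Pattern
    window: int
    key_re: Optional[re.Pattern] = None
    _last: dict = field(default_factory=dict)  # key -> time of last alert

    def alert_allowed(self, ts: int, line: str) -> bool:
        m = self.key_re.search(line) if self.key_re else None
        key = m.group(1) if m else "*"
        last = self._last.get(key)
        if last is not None and ts - last < self.window:
            return False  # still inside the throttle window: swallow it
        self._last[key] = ts  # alert goes out; a new window starts now
        return True

def run(rules, stream):
    """Feed (timestamp, line) pairs through the rules; return alerts sent."""
    alerts = []
    for ts, line in stream:
        for rule in rules:
            if rule.pattern.search(line) and rule.alert_allowed(ts, line):
                alerts.append((ts, line))
    return alerts

SAMPLE = [  # constructed: what syslog-ng might pipe in during a login burst
    (0, "Nov  9 23:00:00 host sshd[101]: Failed password for root from 10.0.0.5"),
    (5, "Nov  9 23:00:05 host sshd[101]: Failed password for root from 10.0.0.5"),
    (20, "Nov  9 23:00:20 host sshd[102]: Failed password for admin from 10.0.0.9"),
    (30, "Nov  9 23:00:30 host su[200]: FAILED su for root by bob"),
    (400, "Nov  9 23:06:40 host sshd[103]: Failed password for root from 10.0.0.5"),
]

def demo(per_source=False):
    """Five-minute throttle; with per_source=True, one window per client IP."""
    key = re.compile(r"from (\S+)") if per_source else None
    rules = [Rule(re.compile(r"Failed password"), 300, key),
             Rule(re.compile(r"FAILED su"), 300)]
    return run(rules, SAMPLE)

if __name__ == "__main__":
    for ts, line in demo():
        print(f"ALERT t={ts}: {line}")  # three alerts: t=0, t=30, t=400
```

With the pattern-wide window, the burst of failed logins produces one page instead of three, and the pattern fires again only once the window has expired; keying on the source address trades some of that quiet for visibility of a second client.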