[syslog-ng] Log analysis software for syslog-ng+mysql?
Mike Tremaine
mgt at stellarcore.net
Tue Nov 15 15:51:19 CET 2005
On Tue, 2005-11-15 at 00:15 -0500, seth vidal wrote:
> On Tue, 2005-11-15 at 00:12 -0500, Crayola wrote:
> > > > I have used swatch, logchecker, and logwatch in the past against
> > > > standard OS logs..
> > > >
> > > > Now I have a centralized syslog system where everything is being
> > > > pumped directly into multiple MySQL databases.
> > > >
> > > > Are there any log analysis tools that can look at syslog data in a
> > > > mysql database and send out alerts based on it?
> > > >
> > >
> > > Why not just use swatch or sec and an alternate destination
> > > to handle the alerts?
> >
> > I'd prefer not to send it to two locations.. It's already being pumped
> > into a database. I'd rather not pump it to files as well.
> >
>
> You don't pump it to files. Pump it to the program sec.
>
> Right now you're using a program to push the log info to the mysql db.
> Do the same thing but piping it directly to sec.
>
> -sv
If you want real time [or near real time] alerts then you pretty much
have to catch it at the input stream. Either with a filter in syslog-ng.conf
that calls a program, for which you could have some very specific
clever filters to catch critical things, or change your mysql inserter
to have some extra logic to do inspection and fire off alerts as needed
before moving on to insert into the DB.
If you do not need real time [or if a few well placed syslog-ng filters
will cover the critical ones] you can create a shell script that queries
the DB every so often, dumps the output to a temp file and calls your
favorite log analysis software against the temp file. Have it delete the
temp file after it is done and you've got it.
Just my 2 cents
-Mike
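Mike's second approach (poll the database, dump new rows to a temp file, run the analyzer on it, delete the file) written out as a POSIX shell script. This is an added example, not code from the thread or from the syslog-ng project. It assumes, none of which the thread states, a table named `logs` with an auto-increment `seq` column plus `host`, `program` and `msg` columns, a `mysql` command-line client on the host, and a hypothetical analyzer wrapper `/usr/local/bin/analyze-log` that takes the dump's path (a swatch or logcheck invocation would sit behind it).

```shell
#!/bin/sh
# poll_syslog_db.sh: periodic (non real-time) alerting from a syslog-ng MySQL
# table, as outlined in the thread: query rows newer than the last one handled,
# dump them to a temp file, run an analyzer on it, delete the file.
# Added example, not from the thread. Assumed (not from the thread): a table
# "logs" with an auto-increment "seq" column plus "host", "program", "msg".
set -eu

: "${DB_NAME:=syslog}"
: "${DB_TABLE:=logs}"
: "${STATE_FILE:=/var/lib/syslog-poll/last_seq}"   # last seq already analyzed
: "${ANALYZER:=/usr/local/bin/analyze-log}"        # hypothetical wrapper taking a file path

# Print rows with seq greater than $1, one per line, tab separated (the layout
# that "mysql --batch --skip-column-names" emits). Replaced by a stub in tests.
fetch_rows() {
    mysql --batch --skip-column-names "$DB_NAME" -e \
        "SELECT seq, host, program, msg FROM $DB_TABLE WHERE seq > $1 ORDER BY seq"
}

# Hand the dumped rows to whatever log analysis tool is configured.
run_analyzer() {
    "$ANALYZER" "$1"
}

# Read the last handled seq (0 if no state yet). Refuse anything that is not a
# plain integer, because the value is interpolated into the SQL above.
read_last_seq() {
    last_seq=0
    if [ -r "$STATE_FILE" ]; then
        last_seq=$(cat "$STATE_FILE")
    fi
    case $last_seq in
        ''|*[!0-9]*)
            printf 'refusing non-integer state in %s\n' "$STATE_FILE" >&2
            return 1 ;;
    esac
    printf '%s\n' "$last_seq"
}

# One polling cycle; run it from cron every few minutes.
poll_once() {
    last=$(read_last_seq) || return 1
    # mktemp picks an unpredictable name and creates the file mode 0600, so
    # another local user can neither pre-create nor read the dump.
    tmp=$(mktemp "${TMPDIR:-/tmp}/syslog-poll.XXXXXX") || return 1
    if ! fetch_rows "$last" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if [ -s "$tmp" ]; then
        newest=$(tail -n 1 "$tmp" | cut -f 1)
        # Advance the state only after a successful analysis run, so an
        # analyzer crash means these rows are looked at again next cycle.
        if run_analyzer "$tmp"; then
            printf '%s\n' "$newest" > "$STATE_FILE"
        else
            printf 'analyzer failed; rows after seq %s will be retried\n' "$last" >&2
        fi
    fi
    rm -f "$tmp"
}

# Only poll when invoked as "poll_syslog_db.sh run"; sourcing the file just
# defines the functions.
if [ "${1:-}" = run ]; then
    poll_once
fi
```

Run it from cron as `poll_syslog_db.sh run`. Two details go beyond the thread's outline: the temp file comes from mktemp, so its name is unpredictable and its mode is 0600, and the stored `seq` is checked to be a plain integer before it is interpolated into the query and is only advanced after the analyzer returns success, so a failed run re-examines the same rows next cycle instead of silently skipping them.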