[rsyslog] Log watch software

Rainer Gerhards rgerhards at hq.adiscon.com
Thu Mar 6 21:27:13 CET 2008


Hi,

I am seeing where you come from. That's the million-dollar question ;) I
suggest you also post to the loganalysis list, that's probably a better
place than over here:

http://www.loganalysis.org/mailman/listinfo/loganalysis

Let me hijack this thread to share an idea. Rsyslog has a lot of
infrastructure in place. Once I am finished with the essentials (which
will of course be in a few months...), I'd like to put that
infrastructure to better use than just drive the simple outputs we
currently have. One thing I have on my mind is an output plugin which
stores (hashes) of all messages within a timeframe (e.g. last 7 days).
Then, when a new message comes in, it compares it to all previous
messages and emits a special message itself if the message occurred less
than "n" times in the past. I think this goes into the direction of what
you are looking for.

But would it generally be considered to be a useful idea? Even though we
are months away from an implementation, feedback would be very valuable
to me as it helps me shape my mid- to long-term direction.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com 
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of 
> Stephen Carville
> Sent: Thursday, March 06, 2008 8:44 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Log watch software
> 
> On Thu, Mar 6, 2008 at 9:55 AM, Rainer Gerhards
> <rgerhards at hq.adiscon.com> wrote:
> > I am not so involved with logwatch. Let me ask feature-wise: what
> >  capabilities do you need to do the job?
> 
> About 99% of what's in messages or secure is trivia.  JoeBob logged
> in, ran a sudo command and logged off.  An authenticated mount request
> was received from ip.add.re.ss.  That sort of thing.  What I'm looking
> for is a parser that can pick out the (hopefully) rare messages that
> indicate a problem like a disk drive is reporting errors.
> 
> I can modify big brother and logwatch to do this but I am curious if
> anyone has a favorite package I haven't heard of yet.
> 
> >  Rainer
> >
> >
> >
> >  > -----Original Message-----
> >  > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >  > bounces at lists.adiscon.com] On Behalf Of Stephen Carville
> >  > Sent: Thursday, March 06, 2008 6:54 PM
> >  > To: rsyslog-users
> >  > Subject: [rsyslog] Log watch software
> >  >
> >  > I have a centralized repository using rsyslog and syslog to mirror
> >  > /var/log/messages, /var/log/secure, and information messages from
> >  > cfengine.  In the near future I hope to get auditd reporting to a
> >  > central server.  My immediate task is to add some log analysis software
> >  > on the central server.  I've started modifying LogWatch to work with
> >  > MySQL -- that's pretty straightforward -- but I'm curious what other
> >  > solutions there may be out there. FOSS is preferred but I'm not
> >  > against a reasonably priced commercial product.   So far everything
> >  > Google has returned are commercial products for Windows systems.
> >  >
> >  > --
> >  > Stephen Carville
> >  > _______________________________________________
> >  > rsyslog mailing list
> >  > http://lists.adiscon.net/mailman/listinfo/rsyslog
> >
> 
> 
> 
> -- 
> Stephen Carville
> 
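Rainer's sketch above (hash every message, keep a window of recent hashes, emit a special message when a message has been seen fewer than n times) and Stephen's goal of surfacing the rare lines among the routine login/sudo trivia can be prototyped in a few lines. The following is an added example written for this archive page; it is not rsyslog code and not the plugin Rainer describes. It assumes the message's arrival time is passed in as epoch seconds alongside the raw line, that masking timestamps, hostnames, PIDs, IP addresses, hex literals and other numbers is an acceptable stand-in for whatever normalization a real plugin would do, and that counting occurrences per fingerprint (rather than storing every message) is sufficient. All sample log lines are constructed.

```python
"""Rare-message detector: fingerprint each syslog line, keep a sliding window
of fingerprints, and raise a special message when a fingerprint has been seen
fewer than `threshold` times inside the window.  Added example, not rsyslog code."""
import hashlib
import re
from collections import deque

# Variable fields are masked so that "same event, different values" lines share
# a fingerprint.  Without this, a changing PID or port would make every line
# unique and defeat the scheme.  Order matters: dotted quads and hex literals
# are masked before the generic number rule.  (Assumed rules, not rsyslog's.)
_NORMALIZERS = [
    (re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "), ""),   # timestamp + host
    (re.compile(r"\[\d+\]"), "[PID]"),                              # process id
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "IPADDR"),         # dotted quad
    (re.compile(r"\b0x[0-9a-fA-F]+\b"), "HEX"),                     # hex literal
    (re.compile(r"\b\d+\b"), "N"),                                  # other numbers
]


def normalize(line: str) -> str:
    """Return the line with variable fields masked."""
    for pattern, repl in _NORMALIZERS:
        line = pattern.sub(repl, line)
    return line.strip()


def fingerprint(line: str) -> str:
    """Hash of the normalized line; this is what the window stores."""
    return hashlib.sha256(normalize(line).encode("utf-8")).hexdigest()


class RareMessageDetector:
    def __init__(self, window_seconds: int, threshold: int):
        self.window = window_seconds
        self.threshold = threshold
        self._arrivals = deque()   # (timestamp, digest), oldest first
        self._counts = {}          # digest -> occurrences inside the window

    def _expire(self, now: int) -> None:
        """Drop arrivals older than the window and decrement their counts."""
        cutoff = now - self.window
        while self._arrivals and self._arrivals[0][0] <= cutoff:
            _, digest = self._arrivals.popleft()
            self._counts[digest] -= 1
            if self._counts[digest] == 0:
                del self._counts[digest]

    def observe(self, ts: int, line: str):
        """Record one line; return the special message if it is rare, else None."""
        self._expire(ts)
        digest = fingerprint(line)
        prior = self._counts.get(digest, 0)
        self._arrivals.append((ts, digest))
        self._counts[digest] = prior + 1
        if prior < self.threshold:
            days = self.window // 86400
            return f"rare message (seen {prior} times in last {days} days): {normalize(line)}"
        return None


def build_sample_log():
    """Constructed sample input (not real data): five routine login/sudo pairs,
    two kernel ATA errors, then one login eight days later (outside the window)."""
    log = []
    for i in range(5):
        t = i * 600
        log.append((t, f"Mar  6 09:{i:02d}:01 web1 sshd[{2300 + i}]: Accepted publickey "
                       f"for joebob from 192.0.2.10 port {51000 + i} ssh2"))
        log.append((t + 3, f"Mar  6 09:{i:02d}:04 web1 sudo: joebob : TTY=pts/0 ; "
                           f"PWD=/home/joebob ; COMMAND=/bin/ls"))
    log.append((7200, "Mar  6 11:00:00 db1 kernel: ata1.00: exception Emask 0x0 "
                      "SAct 0x1 SErr 0x0 action 0x6 frozen"))
    log.append((7201, "Mar  6 11:00:01 db1 kernel: ata1.00: failed command: READ FPDMA QUEUED"))
    log.append((8 * 86400, "Mar 14 09:00:01 web1 sshd[2999]: Accepted publickey "
                           "for joebob from 192.0.2.10 port 51040 ssh2"))
    return log


def run(log, window_seconds: int = 7 * 86400, threshold: int = 2):
    """Feed a (timestamp, line) list through the detector; return emitted messages."""
    det = RareMessageDetector(window_seconds, threshold)
    return [msg for ts, line in log if (msg := det.observe(ts, line)) is not None]


if __name__ == "__main__":
    for msg in run(build_sample_log()):
        print(msg)
```

With the constructed input and n=2, the first two login/sudo pairs are reported, the following three are silently counted, both kernel ATA lines are reported as never seen, and the login eight days later is reported again because its earlier occurrences have aged out of the 7-day window. The practical caveat is the normalization step: the hashes only match when the variable fields are masked consistently, and over-masking (for example, masking usernames) would hide exactly the kind of unusual event Stephen wants to see.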


