What's your favorite log monitoring tool?

While some might argue that tools that can perform active service monitoring, like Nagios, are a better approach, I tend to think that tracking what daemons are writing to logs is also important. Tools like Nagios undoubtedly have plug-ins available to track logs, but such tools can be overkill for a small server. I looked at a few tools suitable for a Debian server and here's what I found:

Logcheck
http://logcheck.org/

As recommended by this article:
http://www.debian-administration.org/articles/278

Implementation: shell script, some C

Pros:
- Uses egrep patterns to filter logs.
- Many Debian packages include corresponding logcheck filters.

Cons:
- It apparently lumps together all the log files, sorts them, and then applies the filters. The result is that reports contain lines from multiple log files mixed together. It appears that you also have to be careful when constructing filters, as they aren't specific to a particular log file.
- It's line oriented, which means I don't think it can deal with tracking sequences of events, like only reporting a line matching X if it comes after a line matching Y.
- It doesn't run as root (which is obviously good from a security perspective), so it took a while to get the permissions and ownership adjusted on all log files so it could read them.
- "Out of the box" it didn't produce useful reports.

SWATCH: The Simple WATCHer of Logfiles
http://swatch.sourceforge.net/

Implementation: Perl

Pros:
- Config file can incorporate Perl routines, so in theory it should be able to handle any type of filtering or sequence matching requirement.

Cons:
- The man page made several references to legacy configuration file formats and directives, which gave the impression of crufty old code.
- The Debian package didn't seem to include any documentation on writing configuration files or a sample configuration.
- "Out of the box" it isn't configured to do anything.
Logwatch
http://www2.logwatch.org:81/

Implementation: Perl

Pros:
- In addition to configuration files, each type of log file has a "driver" written in Perl, to provide unlimited filtering and matching possibilities. This arrangement permits monitoring things other than log files, such as running and parsing the output of 'df', which starts to overlap with a more general purpose system monitoring tool.
- The only tool I've tried so far that produces useful reports "Out of the box." Each service with unusual activity gets its own clearly labeled section in the generated email. I'll still need to customize it for local log files that are in non-standard paths or are for custom daemons, but a good start.

Cons:
- It has a somewhat complex file structure for storing configuration files, with the package supplied defaults located in /usr/share/logwatch/, and your local overrides going into various subdirectories below /etc/logwatch. Flexible, but perhaps more complicated than it needs to be.

I'll likely invest time in customizing Logwatch, unless someone suggests something better.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
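As an added illustration of the two logcheck limitations the post describes (filters not scoped to one log file, and no way to report a line matching X only when it follows a line matching Y), here is a small Python filter that is not code from the post or from any of the three tools; the log lines, file names and patterns are constructed, and the sequence rule shown (a password accepted from a source that earlier failed) is one example rule, not the only kind the loop supports:

```python
import re
from collections import defaultdict

# Constructed sample log lines keyed by file name (not captured from any real host).
SAMPLE_LOGS = {
    "/var/log/auth.log": [
        "Jun  3 10:01:02 host sshd[123]: Accepted publickey for tom from 10.0.0.5 port 5000 ssh2",
        "Jun  3 10:05:10 host sshd[130]: Failed password for invalid user admin from 203.0.113.7 port 4000 ssh2",
        "Jun  3 10:05:20 host sshd[131]: Accepted password for admin from 203.0.113.7 port 4001 ssh2",
        "Jun  3 10:17:01 host CRON[140]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)",
    ],
    "/var/log/daemon.log": [
        "Jun  3 10:02:00 host ntpd[90]: synchronized to 192.0.2.1, stratum 2",
        "Jun  3 10:09:30 host smartd[95]: Device: /dev/sda, SMART Failure: FAILED_SMART_TEST",
    ],
}
# egrep-style ignore patterns, scoped to one file instead of applied to every log at once.
IGNORE = {
    "/var/log/auth.log": [r"CRON\[\d+\]: \(root\) CMD ", r"sshd\[\d+\]: Accepted publickey for \w+ from "],
    "/var/log/daemon.log": [r"ntpd\[\d+\]: synchronized to "],
}
# (trigger, report, label): flag a `report` match only if an earlier line in the same file
# matched `trigger` with the same `src` group; bare trigger lines are held, not reported.
SEQUENCE_RULES = [
    (r"Failed password for .* from (?P<src>\S+)",
     r"Accepted password for .* from (?P<src>\S+)",
     "password accepted after earlier failures from the same source"),
]

def filter_logs(logs, ignore=IGNORE, rules=SEQUENCE_RULES):
    """Return {file: [lines]}: every non-ignored line plus sequence alerts, kept per file."""
    report = defaultdict(list)
    for path, lines in logs.items():
        ignores = [re.compile(p) for p in ignore.get(path, [])]
        compiled = [(re.compile(t), re.compile(r), label) for t, r, label in rules]
        seen = [set() for _ in compiled]  # per rule: src values that have already triggered
        for line in lines:
            if any(p.search(line) for p in ignores):
                continue
            for i, (trigger, flag, label) in enumerate(compiled):
                if m := trigger.search(line):
                    seen[i].add(m.group("src"))
                    break
                if m := flag.search(line):
                    if m.group("src") in seen[i]:
                        report[path].append(f"SEQUENCE ({label}): {line}")
                    break
            else:
                report[path].append(line)  # logcheck semantics: anything not ignored is reported
    return dict(report)
```

Because ignore patterns are looked up by file name, a pattern written for auth.log cannot accidentally silence a daemon.log line, and each file's findings stay in their own section of the result.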