Eventlog

Russell Adams RLAdams at Kelsey-Seybold.com
Thu Apr 3 16:33:05 CEST 2003


I modified Logmuncher to work with the multi-host directory hierarchy
I set up, and returned a patch to the author. I'd be happy to give you
a copy of the patch, or you can try emailing the author. I'm hoping
he'll integrate it into the next release.

I'm surprised they left the .org up, that's cool. =] Not sure how Cisco
would handle purchasing a company with GPL'ed code, my first
impression was they'd just make it unavailable for
download. Psionic.org certainly never showed up in my Googling.

Logmuncher does almost exactly what LogSentry did, but in a more
flexible fashion. Logmuncher could be configured to work exactly like
LogSentry, but it's better to understand all the options. I might also
mention that with both LogSentry and Logmuncher I've always run them
at 5 minute intervals so I get the logs as they happen. With the right
regexps set up in the dictionaries, it's not spammy. I prefer
up-to-date vs a nightly report.

Logmuncher can take a directory for configuration files, and read each
file as a config file. So in /etc/logmuncher/conf, I have a config
file for each host that logs to my syslog server. 

Here's a sample config: /etc/logmuncher/conf/soja

subject soja %d %t Logmuncher Report
header ********** soja Log Entries **********

mtailfile       /var/log/HOSTS/soja/*/*/*/*
re-ignore       /etc/logmuncher/patterns/common
re-ignore       /etc/logmuncher/patterns/soja
send-report     rladams at kNeOlSsPeAyM-seybold.com

This sample file just uses two exclude dictionaries, common (for
messages common to all hosts) and soja (for just that host). I have
other files that use the "re-report" to watch for specific patterns
and send out mail to email pagers when certain messages occur.

The mtailfile directive is added by my patch, to take a multi-file
argument for the files to examine with logtail. My hosts all log into
/var/log/HOSTS/hostname/year/month/day/loglevel, and I have a script
that archives anything older than 2 months in order to keep the number
of files to parse down. 

Having individual config files per host, and individual pattern files
/ dictionaries makes multi-host management with Logmuncher a
breeze. Works like a charm too.

Russell

On Wed, Apr 02, 2003 at 05:27:43PM -0800, White, Chad (MED) wrote:
> 
> On Wednesday, April 2, 2003, at 01:43  PM, Russell Adams wrote:
> 
> <snip>
> >Having used several log parsing packages, I found LogSentry was quite
> >good, but it's now unavailable. Cisco bought Psionic Software
> >(www.psionic.com) and all their software (LogSentry, PortSentry,
> >HostSentry) is offline, though originally GPL'ed. :P
> 
> Actually, I just found out today that you can still get those packages. 
>  The URL is now www.psionic.org.  I couldn't find it in a Google 
> search, but I just randomly tried changing the com to .org and was 
> pleasantly surprised ;)
> 
> 
> >About 8 months ago when I set up my central syslog host, I decided on
> >syslog-ng with a multi-host directory hierarchy
> >(/var/log/HOSTS/hostname/year/month/day/loglevel). I also evaluated
> >Logmuncher at that time. I've found I prefer Logmuncher's flexibility
> >with my setup. A minor modification to Logmuncher to support the
> >multi-host directory hierarchy and I've used it ever since. It works
> >much like LogSentry, having dictionaries of regexp statements that
> >match patterns in syslog messages to ignore, warn about by default, or
> >immediately notify the admin as critical. As it stands, I have a
> >common dictionary across my hosts, and then host specific dictionaries
> >for ignore, warn, and critical. It sends email reports, and is
> >configured to send critical emails to my pager via email. Logmuncher
> >runs only on my central host at 5 minute intervals.
> <snip>
> 
> What did you do to Logmuncher to allow for multiple hosts in separate 
> directories?  That is the situation I am facing as I am using syslog-ng 
> to centrally collect syslog for all my hosts.  What I would also really 
> like is something like logsentry that will give me an overview of the 
> previous days logs to review each day without a bunch of duplication.  
> Logsentry does a good job when running on each individual host but it 
> doesn't look easy to setup for multiple hosts on a logserver...
> 
> thx,
> --chd
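For readers who want to see the mechanics of the setup Russell describes without the Logmuncher source to hand, the following is an added Python example written for this page; it is neither Logmuncher's code nor Russell's patch. It models the three pieces the thread relies on: an mtailfile-style sweep of /var/log/HOSTS/<host>/year/month/day/loglevel, a stacked pair of regex ignore dictionaries (common plus host-specific), and "re-report" patterns that flag lines for immediate notification. Offsets are persisted between runs so a 5-minute cron invocation only sees lines appended since the previous run, as logtail does. The directory layout is taken from the thread; the state file name, the `<host>.report` dictionary name, and every log line and pattern are constructed for the example.

```python
"""Multi-host syslog sweep modelled on the setup in the thread: per-host ignore
dictionaries, 're-report' style critical patterns, and logtail-style offsets so a
cron run only sees new lines. Added example, not Logmuncher's own code."""
import json
import re
import tempfile
from pathlib import Path

# Layout assumed from the thread: HOSTS/<host>/<year>/<month>/<day>/<loglevel>
STATE_FILE = "logmuncher-offsets.json"   # hypothetical name for the offset state


def load_patterns(path):
    """One regex per line in a dictionary file; blanks and '#' comments are skipped."""
    pats = []
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pats.append(re.compile(line))
    return pats


def new_lines(path, state):
    """logtail-style read: return only the lines appended since the last run.
    A file that shrank (rotated or truncated) is read from the start again."""
    key = str(path)
    size = path.stat().st_size
    offset = state.get(key, 0)
    if offset > size:
        offset = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    state[key] = offset + len(data)
    return data.decode("utf-8", "replace").splitlines()


def scan_host(hosts_root, host, ignore_dicts, report_dicts, state):
    """Sweep HOSTS/<host>/*/*/*/* (the mtailfile glob from the sample config).
    Returns (kept, critical): lines no ignore pattern matched, and the subset
    of those that also hit a report pattern (the 're-report' case)."""
    ignore = [p for d in ignore_dicts for p in load_patterns(d)]
    report = [p for d in report_dicts for p in load_patterns(d)]
    kept, critical = [], []
    for logfile in sorted(Path(hosts_root, host).glob("*/*/*/*")):
        if not logfile.is_file():
            continue
        level = logfile.name            # last path element is the syslog level
        for line in new_lines(logfile, state):
            if any(p.search(line) for p in ignore):
                continue
            entry = f"[{level}] {line}"
            kept.append(entry)
            if any(p.search(line) for p in report):
                critical.append(entry)
    return kept, critical


def run_sweep(hosts_root, host, conf_dir, state_path):
    """One cron-interval run: load saved offsets, sweep one host, persist offsets."""
    state_path = Path(state_path)
    state = json.loads(state_path.read_text()) if state_path.exists() else {}
    ignore_dicts = [Path(conf_dir, "patterns", "common"), Path(conf_dir, "patterns", host)]
    report_dicts = [Path(conf_dir, "patterns", host + ".report")]   # hypothetical naming
    result = scan_host(hosts_root, host, ignore_dicts, report_dicts, state)
    state_path.write_text(json.dumps(state))
    return result


def build_fixture(root):
    """Constructed sample tree and dictionaries standing in for a real syslog-ng host dir."""
    root = Path(root)
    day = root / "HOSTS" / "soja" / "2003" / "04" / "03"
    day.mkdir(parents=True)
    (day / "info").write_text(
        "Apr  3 16:30:01 soja CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)\n"
        "Apr  3 16:30:05 soja -- MARK --\n"
        "Apr  3 16:31:10 soja sshd[2201]: Accepted publickey for rladams from 10.0.0.5\n")
    (day / "err").write_text(
        "Apr  3 16:32:40 soja sshd[2210]: Failed password for root from 10.0.0.99\n"
        "Apr  3 16:32:41 soja kernel: eth0: link down\n")
    pat = root / "conf" / "patterns"
    pat.mkdir(parents=True)
    (pat / "common").write_text("# noise shared by every host\n-- MARK --\nCRON\\[\\d+\\]: \\(root\\) CMD\n")
    (pat / "soja").write_text("Accepted publickey for rladams\n")
    (pat / "soja.report").write_text("Failed password for root\nkernel: .*link down\n")
    return root


if __name__ == "__main__":
    root = build_fixture(tempfile.mkdtemp())
    kept, crit = run_sweep(root / "HOSTS", "soja", root / "conf", root / STATE_FILE)
    print("\n".join(kept))
    print("CRITICAL:", crit)
```

Running it once reports the two err-level lines and flags both as critical; running it again immediately reports nothing, which is the behaviour that makes a 5-minute interval tolerable. The one caveat worth stating for any dictionary-driven scanner: an ignore pattern is a silent drop, so keep the common dictionary narrow (anchor on the program name and message shape, not on a bare word such as "session") and re-run the sweep with the offsets deleted whenever you add to it, to confirm nothing you care about has disappeared.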


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null