check_log not working properly
Jeff Rodriguez
jeff at unixisgod.com
Mon Feb 2 01:36:03 CET 2004
Neil wrote:
> Jeff Rodriguez writes:
>
>>
>> Well, if you're using it for syslog, you might want to check out
>> using syslog-ng and dumping your logs into a database. That'd also be
>> useful for checking the logs of multiple systems. After that making a
>> simple perl script to query the database is cake. Then again it's
>> only useful if you're using it for syslog.
>> Jeff
>
>
> I actually installed evtsys and snare so I can dump Event Log of NT to
> a unix box. I got both working to send messages to my FreeBSD syslog.
> But of course, I was just testing which one is better.
> It seems to me that monitoring logs is a little bit of a pain in the
> neck. If I would go for "dumping logs" into a database, are there any
> available check script for this?
> Thanks for the idea.
> Neil
I haven't written it /yet/.
We're using NTSyslog to do the same thing, I've written the script to
dump data from a syslog-ng FIFO into mysql.
Here's my MySQL Table with Indexes:
mysql> describe logs;
+----------+---------------------+------+-----+---------+----------------+
| Field    | Type                | Null | Key | Default | Extra          |
+----------+---------------------+------+-----+---------+----------------+
| id       | bigint(20) unsigned |      | PRI | NULL    | auto_increment |
| facility | varchar(20)         | YES  | MUL | NULL    |                |
| priority | varchar(20)         | YES  | MUL | NULL    |                |
| date     | bigint(20) unsigned | YES  | MUL | NULL    |                |
| host     | varchar(16)         | YES  | MUL | NULL    |                |
| program  | varchar(255)        | YES  | MUL | NULL    |                |
| message  | text                | YES  | MUL | NULL    |                |
+----------+---------------------+------+-----+---------+----------------+
7 rows in set (0.03 sec)
mysql> show index from logs;
+-------+------------+----------------------------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+
| Table | Non_unique | Key_name                   | Seq_in_index | Column_name | Collation | Cardinality | Sub_part | Packed | Null | Index_type | Comment |
+-------+------------+----------------------------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+
| logs  | 0          | PRIMARY                    | 1            | id          | A         | 18488671    | NULL     | NULL   |      | BTREE      |         |
| logs  | 0          | id                         | 1            | id          | A         | 18488671    | NULL     | NULL   |      | BTREE      |         |
| logs  | 1          | facilities                 | 1            | facility    | A         | NULL        | NULL     | NULL   | YES  | BTREE      |         |
| logs  | 1          | priorities                 | 1            | priority    | A         | NULL        | NULL     | NULL   | YES  | BTREE      |         |
| logs  | 1          | hosts                      | 1            | host        | A         | NULL        | NULL     | NULL   | YES  | BTREE      |         |
| logs  | 1          | programs                   | 1            | program     | A         | NULL        | NULL     | NULL   | YES  | BTREE      |         |
| logs  | 1          | dates                      | 1            | date        | A         | NULL        | NULL     | NULL   | YES  | BTREE      |         |
| logs  | 1          | facilitites_and_priorities | 1            | facility    | A         | NULL        | NULL     | NULL   | YES  | BTREE      |         |
| logs  | 1          | facilitites_and_priorities | 2            | priority    | A         | NULL        | NULL     | NULL   | YES  | BTREE      |         |
| logs  | 1          | messages                   | 1            | message     | A         | NULL        | 1        | NULL   | YES  | FULLTEXT   |         |
+-------+------------+----------------------------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+
10 rows in set (0.01 sec)
This setup performs pretty well, I bet it does even better without a
firewall dumping every denied packet into it. With properly tuned
indexes (which I'm still working on) and dumping everything that's more
than a month or so old it would probably scream. This is about two weeks
worth of logs:
mysql> select count(*) from logs;
+----------+
| count(*) |
+----------+
| 18490471 |
+----------+
and it's running fine.
If you happen to write a script for this please send it to me if you can :)
Jeff
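The two pieces the thread talks about, a loader that takes syslog-ng output off a FIFO into the `logs` table above and a check_log-style query that a Nagios check could run against it, as an added example. This is not Jeff's script or anything from the Nagios project. It assumes a hypothetical tab-separated syslog-ng template (`$FACILITY\t$PRIORITY\t$UNIXTIME\t$HOST\t$PROGRAM\t$MSG`), uses SQLite in place of MySQL so it runs offline, and the sample log lines are constructed, not real logs. Function names (`load_lines`, `check_log`) are my own.

```python
"""Load syslog-ng FIFO lines into a `logs` table and run a Nagios-style check against it."""
import sqlite3
import sys
from typing import Iterable, Iterator, Optional, Tuple

# Assumed syslog-ng pipe() destination template (hypothetical, not from the post):
#   template("$FACILITY\t$PRIORITY\t$UNIXTIME\t$HOST\t$PROGRAM\t$MSG\n")
# $UNIXTIME is epoch seconds, which is what the bigint `date` column holds.

# Same columns as the table in the post; SQLite stands in for MySQL so this runs offline.
SCHEMA = """
CREATE TABLE IF NOT EXISTS logs (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    facility VARCHAR(20),
    priority VARCHAR(20),
    date     INTEGER,
    host     VARCHAR(16),
    program  VARCHAR(255),
    message  TEXT
);
CREATE INDEX IF NOT EXISTS dates ON logs(date);
CREATE INDEX IF NOT EXISTS facilities_and_priorities ON logs(facility, priority);
"""

# Syslog severity numbers (lower is more urgent); needed because `priority` is stored as text.
PRIORITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed sample FIFO output (not real logs); one line is deliberately malformed.
SAMPLE_LINES = [
    "auth\tnotice\t1075682163\twebsrv\tsshd\tAccepted publickey for jeff from 10.0.0.5 port 51234 ssh2",
    "auth\terr\t1075682170\twebsrv\tsshd\tFailed password for invalid user admin from 10.0.0.9 port 40022 ssh2",
    "auth\terr\t1075682171\twebsrv\tsshd\tFailed password for invalid user admin from 10.0.0.9 port 40023 ssh2",
    "kern\tinfo\t1075682172\tfw1\tipfw\tDeny TCP 10.0.0.9:40024 10.0.0.1:22 in via fxp0",
    "garbage line with no tabs at all",
    "daemon\tcrit\t1075682180\tfw1\tnagios\tdisk /var at 99% full",
]

Row = Tuple[str, str, int, str, str, str]


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def parse_line(line: str) -> Optional[Row]:
    """Split one template line into the six columns; None if it does not fit the template."""
    parts = line.rstrip("\n").split("\t", 5)  # maxsplit keeps any tabs inside $MSG intact
    if len(parts) != 6 or not parts[2].isdigit():
        return None
    facility, priority, date, host, program, message = parts
    return facility, priority, int(date), host, program, message


def load_lines(conn: sqlite3.Connection, lines: Iterable[str]) -> int:
    """Insert every well-formed line using bound parameters, so log text never becomes SQL."""
    rows = [r for r in map(parse_line, lines) if r is not None]
    conn.executemany(
        "INSERT INTO logs (facility, priority, date, host, program, message) "
        "VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def read_fifo(path: str) -> Iterator[str]:
    """Yield lines from the syslog-ng pipe; open() blocks until syslog-ng opens the writer end."""
    with open(path, encoding="utf-8", errors="replace") as fifo:
        yield from fifo


def check_log(conn: sqlite3.Connection, since: int, min_priority: str, pattern: str,
              warn: int, crit: int) -> Tuple[int, str]:
    """Nagios-style check: count entries at `min_priority` or worse, dated >= `since`, whose
    message matches the SQL LIKE `pattern`. Returns (plugin exit code, status line)."""
    levels = [p for p, n in PRIORITY.items() if n <= PRIORITY[min_priority]]
    placeholders = ", ".join("?" * len(levels))
    sql = ("SELECT COUNT(*) FROM logs WHERE date >= ? "
           f"AND priority IN ({placeholders}) AND message LIKE ?")
    (n,) = conn.execute(sql, [since, *levels, pattern]).fetchone()
    if n >= crit:
        return 2, f"LOG CRITICAL - {n} entries match {pattern!r} | matches={n}"
    if n >= warn:
        return 1, f"LOG WARNING - {n} entries match {pattern!r} | matches={n}"
    return 0, f"LOG OK - {n} entries match {pattern!r} | matches={n}"


if __name__ == "__main__":
    db = open_db()
    # Pass a FIFO path to load real syslog-ng output; otherwise use the constructed sample.
    source = read_fifo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    print(f"loaded {load_lines(db, source)} rows")
    code, status = check_log(db, since=1075682160, min_priority="err",
                             pattern="%Failed password%", warn=1, crit=5)
    print(status)
    sys.exit(code)
```

The WHERE clause only touches `date` and `priority`, which is why the `dates` and combined facility/priority indexes in Jeff's table matter more than the FULLTEXT one for this kind of check; a `LIKE '%...%'` on `message` still scans every row the other predicates let through, so keep `since` tight (the check interval) rather than querying the whole table.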
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users