Hi,

> On Fri, Aug 10, Tina Bird wrote:
>
> > Would I be correct in assuming, oh list members, that it
> > would be good to have a Web page that included info on
> > syslog processing apps (like swatch, logcheck, logsurfer)
> > and integration tools for systems without native syslog?
>
> I'd appreciate it for sure!
>
> I'm a little bit familiar with swatch and logsurfer, and
> found both of them not powerful enough for me. I particularly
> missed:
>
> - smart handling of "message storms" when a message
>   appears thousands of times
> - a way to use the facility/priority information from syslog
>   (which could help with unconfigured messages)
> - better reports or some way to extend the reports mechanism

Well - at least logsurfer can do all of this.

1) Handling of "message storms"

You can use dynamic rules within logsurfer to add certain rules during
runtime. In general I would always advise using at least two rules for
incoming messages:

a) Use the "rule before" action to add an "ignore" rule with the same
   regular expression as the current rule. In this line use the
   "continue" keyword to ensure that the next rule b) is also used.

b) Set up a new context which collects all of these messages (using the
   action "open"). This way all messages of this message storm will be
   collected into _one_ context. You can associate a default action with
   this context to invoke whatever you like (usually a "report", which
   then summarizes the context and mails it to someone or feeds it into
   an external program).

For the context you can set up some limits, e.g. timeouts to define when
the storm is over (e.g. if you haven't received a new message for this
context in the last 20 minutes). If this limit is reached the default
action is fired off. Use the same limit in your "ignore" rule and the
ignore rule will be deleted, too (and you're back to normal processing).

2) Using facility/priority information from syslog

This depends on the syslogd used. If the syslogd writes this information
into the log messages, then you can use it as part of your regular
expressions. For example in Solaris you can use the file
/kernel/drv/log.conf to configure msgid=1 (default on Solaris 8) and
you'll get message IDs and facility/priority written into the syslog.
For example:

  Jun 14 17:25:09 murks nfs: [ID 626546 kern.notice] NFS write error on host..

instead of just

  Jun 14 17:25:09 murks nfs: NFS write error on host..

3) Extended reports

Using the "report" action you can feed the collected contexts to any
external program (same for the "pipe" action if you're just interested
in a single line). That way you can extend your reports to whatever you
like.

Bye,
Wolfgang Ley
--
*******************************************************************
Wolfgang Ley                    Enterprise Services
Solaris Competence Center       Wolfgang.Leyat_private
Sun Microsystems GmbH           Tel: +49 40 251523-0
Eiffestrasse 80                 Fax: +49 40 251523-77
D-20537 Hamburg                 http://www.sun.de/
-------------------------------------------------------------------

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
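The scheme described in points 1) to 3) of the mail above, as an added example that is not part of the original message and is not a logsurfer configuration: a short Python model in which the first occurrence of a message opens a context, repeats are absorbed into it (the job of the dynamic "ignore" rule), the context is reported once no new message has arrived within the timeout (the job of the context's default "report" action), and the facility/priority tag that Solaris writes with msgid=1 is parsed so that an otherwise unconfigured high-priority message is flagged instead of silently absorbed. It assumes the Solaris msgid=1 line layout quoted above, a 20-minute timeout, and contexts keyed on host plus message ID rather than on a per-rule regular expression; the log lines are constructed for the demonstration.

```python
"""Collapse a syslog "message storm" into one summarised report per context.

Added example modelling the logsurfer scheme from the mail; not logsurfer's
own code. Line layout assumed: Solaris syslogd with msgid=1 set in
/kernel/drv/log.conf. All log lines below are constructed.
"""
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# msgid=1 layout: "<ts> <host> <tag>: [ID <n> <facility>.<priority>] <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): "
    r"\[ID (?P<msgid>\d+) (?P<facility>[a-z0-9]+)\.(?P<priority>[a-z]+)\] (?P<text>.*)$"
)
# syslog(3) priority levels, lowest first
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
YEAR = 2001  # syslog timestamps carry no year; assume one so they compare

# Constructed sample input: an NFS write-error storm, one sshd failure, one cron line.
SAMPLE_LOG = """\
Jun 14 17:25:09 murks nfs: [ID 626546 kern.notice] NFS write error on host fs1: error 5 (RPC: Timed out)
Jun 14 17:25:10 murks nfs: [ID 626546 kern.notice] NFS write error on host fs1: error 5 (RPC: Timed out)
Jun 14 17:25:11 murks nfs: [ID 626546 kern.notice] NFS write error on host fs1: error 5 (RPC: Timed out)
Jun 14 17:26:02 murks sshd[412]: [ID 800047 auth.crit] fatal: Timeout before authentication for 10.0.0.7
Jun 14 17:31:40 murks nfs: [ID 626546 kern.notice] NFS write error on host fs1: error 5 (RPC: Timed out)
Jun 14 18:05:00 murks nfs: [ID 626546 kern.notice] NFS write error on host fs1: error 5 (RPC: Timed out)
Jun 14 18:05:01 murks cron[99]: [ID 702911 cron.info] < root 1234 c CMD: /usr/lib/newsyslog
""".splitlines()


def parse(line):
    """Split one msgid=1 style line into its fields, or return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(f"{YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["raw"] = line
    return rec


def context_key(rec):
    """The same message ID from the same host always lands in the same context."""
    return (rec["host"], rec["msgid"], rec["facility"], rec["priority"])


def summarise(ctx):
    """What the context's default "report" action would hand to an external program."""
    first, last = ctx["lines"][0], ctx["lines"][-1]
    return {
        "key": ctx["key"],
        "count": len(ctx["lines"]),
        "first": first["when"],
        "last": last["when"],
        # the priority is usable even when nobody wrote a rule for this message
        "urgent": PRIORITIES.index(first["priority"]) >= PRIORITIES.index("err"),
        "sample": first["raw"],
    }


def process(lines, timeout=timedelta(minutes=20)):
    """Return one report per context, in the order the contexts were closed."""
    open_ctx = OrderedDict()
    reports = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not in the msgid=1 layout; a real config needs a catch-all rule
        now = rec["when"]
        # a context with no new message for `timeout` is over: fire its report
        for key in [k for k, c in open_ctx.items() if now - c["last"] > timeout]:
            reports.append(summarise(open_ctx.pop(key)))
        key = context_key(rec)
        ctx = open_ctx.get(key)
        if ctx is None:  # first occurrence: "open" a context for this message
            ctx = open_ctx[key] = {"key": key, "lines": []}
        ctx["lines"].append(rec)  # repeat: absorbed, as the dynamic "ignore" rule would
        ctx["last"] = now
    for ctx in open_ctx.values():  # end of input: flush whatever is still open
        reports.append(summarise(ctx))
    return reports


def format_report(r):
    """One line per context, like a summary mailed to an operator."""
    flag = " URGENT" if r["urgent"] else ""
    host, msgid, fac, pri = r["key"]
    return f"{host} ID {msgid} {fac}.{pri}: {r['count']}x {r['first']:%H:%M:%S}-{r['last']:%H:%M:%S}{flag}"


if __name__ == "__main__":
    for r in process(SAMPLE_LOG):
        print(format_report(r))
```

Run as a script it prints one line per closed context: the four NFS errors between 17:25:09 and 17:31:40 become a single entry, the 18:05:00 repeat opens a fresh context because the 20-minute limit had passed, and the auth.crit line is marked URGENT on priority alone. Keying on host and message ID is what makes the storm collapse, but it also hides per-target detail (different NFS servers in the message text share one context), which is why the context keeps every line for the external report program to inspect.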
This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 07:56:54 PDT