On Tue, Apr 02, 2002 at 02:06:42PM -0500, Sweth Chandramouli wrote:
> > How difficult is it to go back and
> > reconcile the two logs?
> It depends on how rigorous you want to be. If the loghosts
> and the hosts logging to them are all on a quiet switched network with
> no intervening WAN links, you can probably get away with having each
> loghost pull over the most recently rolled logfiles from the other hosts
> and each doing a diff against the most recently rolled local logfiles.
> Once the networks start getting saturated or you start getting WAN-level
> latency, however, the machines will start receiving messages in different
> orders and with different timestamps. The timestamp issue can be solved
> by just comparing the files after cutting the timestamps out, on the
> assumption that if all of the lines are present and in the same order
> then the timestamps are irrelevant. Once the orders start differing,
> however, things get more interesting; you need to do things like
> comparing "rolling windows" of each file and trying to match a given
> line in the local file to any of the lines in the current window of the
> alternate file that has the same message text and a timestamp within
> some reasonable interval (a la diff, but with extra logic for the
> timestamps).

Next question. How well does this scale? How big are the log files
that you do this on? We get about 2GB/week, and I was wondering if
something like this would be feasible.

thanks,
--
Devin Kowatch
devinkat_private
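
The "rolling window" comparison described in the quoted text, sketched as an added example that is not part of the original message or either poster's code. The names `parse` and `reconcile`, the 5-second `skew`, the assumed year, and the sample lines are all hypothetical; it assumes classic syslog lines and that each file is in timestamp order on its own.

```python
from collections import deque
from datetime import datetime, timedelta

def parse(line, year=2002):
    # Classic syslog lines start "Mon DD HH:MM:SS " and carry no year,
    # so the year is an assumption supplied by the caller.
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, line[16:].rstrip("\n"), line

def reconcile(local, remote, skew=timedelta(seconds=5)):
    """Stream two logs; return (only_local, only_remote) raw lines.

    Assumes each file is in non-decreasing timestamp order on its own.
    Memory use is bounded by the records arriving within `skew`.
    """
    remote = iter(remote)
    window = deque()                 # unmatched remote records near "now"
    only_local, only_remote = [], []
    for line in local:
        ts, text, _ = parse(line)
        # Extend the window until it reaches past ts + skew.
        while not window or window[-1][0] <= ts + skew:
            nxt = next(remote, None)
            if nxt is None:
                break
            window.append(parse(nxt))
        # Same text and a timestamp within skew counts as the same message.
        for i, (rts, rtext, _) in enumerate(window):
            if rtext == text and abs(rts - ts) <= skew:
                del window[i]        # consume it so duplicates pair one-to-one
                break
        else:
            only_local.append(line)
        # Remote records too old to match any later local line are unmatched.
        while window and window[0][0] < ts - skew:
            only_remote.append(window.popleft()[2])
    only_remote += [rec[2] for rec in window] + list(remote)
    return only_local, only_remote

# Constructed sample data: one host's messages as received by two loghosts.
LOCAL = ["Apr  2 14:06:40 web1 sshd[411]: session opened for user amy",
         "Apr  2 14:06:41 web1 sshd[412]: session opened for user bob",
         "Apr  2 14:06:42 web1 su: bob to root on /dev/pts/1",
         "Apr  2 14:06:50 web1 sshd[412]: session closed for user bob"]
REMOTE = ["Apr  2 14:06:42 web1 sshd[412]: session opened for user bob",
          "Apr  2 14:06:43 web1 sshd[411]: session opened for user amy",
          "Apr  2 14:06:51 web1 sshd[412]: session closed for user bob",
          "Apr  2 14:06:52 web1 su: FAILED su for root by bob"]
```

Because both arguments can be open file objects, the files are read once, front to back, and only the records inside the skew window are held in memory at any time.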