Maybe you could have syslog write to a pipe that your swatch could monitor? try this: mkfifo /var/log/fifo Then add a line like this to your /etc/syslog.conf: *.notice;*.info;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit /var/log/fifo (don't forget to restart your syslogd!) Then have SWATCH watch the fifo instead of the /var/log/messages file. Hope this helps, Jim p.s. Shouldn't log analysis tools take care of this automagically? ;) On Mon, 21 Jun 2004, Ken Toney wrote: > I am using Mac OS X on a central log station with Swatch monitoring the > logs. The problem I have is that Swatch does not monitor the new log > files after the logs have been rotated. For example, after rotating the > system.log file each night, I "kill-HUP" the syslog daemon so it will > start writing to a new file. This is the line from the nightly script: > > "if [ -f /var/run/syslog.pid ]; then kill -HUP $(cat > /var/run/syslog.pid | head -1); fi" > > After that I do the same for Swatch so it will monitor the new > system.log file. > > "if [ -f /var/run/swatch.pid ]; then kill -HUP $(cat > /var/run/swatch.pid | head -1); fi" > > Any suggestions on how I could modify/improve log rotations so Swatch > will monitor the new logs? > > Thanks > > Ken > > _______________________________________________ > LogAnalysis mailing list > LogAnalysis@private > http://lists.shmoo.com/mailman/listinfo/loganalysis > -- James E. Prewett "everything that is, that was, was not enough" Systems Team Leader 505.277.8210 Designated Security Officer download@private Jim@private HPC Systems Engineer III @ HPC@UNM OpenPGP key: pub 1024D/31816D93 _______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Tue Jun 22 2004 - 11:04:27 PDT