* Ken Toney <ktoney@private>
> Any suggestions on how I could modify/improve log rotations so Swatch
> will monitor the new logs?
One approach would be to install a better logging daemon such as
syslog-ng, then configure syslog-ng to pipe all logs over to swatch for
consideration.
A more radical solution does away with (IMHO) the icky logfile rotation
and HUPing, and uses syslog-ng to write out the files to an archive
location. The following is what I use on my OS X laptop with syslog-ng:

    destination everything {
        file("/var/log/archive/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
            template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
            template_escape(no)
        );
    };
    log { source(local); destination(everything); };

Then disable current rotation scripts and HUPing, set up a script to
maintain symlinks of /var/log/messages -> /var/log/archive/..., and use
an "I have not seen this file" script to call swatch. A bonus of this
method is that if a logfile changes for some reason, the "unseen" script
will calculate a different checksum, and rerun the swatch.
Another bonus is additional swatch or other scripts can be run with
"unseen", allowing one to add in additional logwatch or whatever checks,
even on logfiles prior to the new check being done.
To evict old logfiles, simply use a 'find -mtime ...' to evict logfiles
older than however long your retain period is.
For more information on syslog-ng (it has OS X notes), which has some
portion of the above approach somewhat documented:
http://sial.org/howto/logging/syslog-ng/
The "unseen" script I mentioned (usually I limit it to only consider
logfiles of two weeks of age to keep the checksumming work down):
http://sial.org/code/perl/scripts/unseen.pl
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Tue Jun 22 2004 - 11:06:12 PDT
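
The "unseen" idea described in the message, as an added shell sketch (not the unseen.pl script linked above and not the poster's code): it checksums recent files under the archive directory and runs a command once for each file whose contents it has not recorded before. The state file path, the function names and the UNSEEN_RAN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: a minimal "have I seen this file?" runner.
# STATE_FILE, file_sum, unseen and UNSEEN_RAN are names assumed for this sketch.
STATE_FILE="${STATE_FILE:-/var/tmp/unseen.state}"

# Content fingerprint as "crc:size". cksum is POSIX and catches accidental or
# routine changes; it is a CRC, not a tamper-resistant hash.
file_sum() {
    cksum < "$1" | tr ' ' ':'
}

# unseen DIR MAX_AGE_DAYS COMMAND [ARGS...]
# For each regular file under DIR modified within MAX_AGE_DAYS, run
# COMMAND ARGS... FILE unless this exact fingerprint+path is already recorded.
# A file whose contents changed gets a new fingerprint and is processed again.
# Sets UNSEEN_RAN to the number of files processed on this call.
# Paths containing newlines are not supported.
unseen() {
    dir=$1; days=$2; shift 2
    count=0
    list="$STATE_FILE.list"
    touch "$STATE_FILE" || return 1
    find "$dir" -type f -mtime "-$days" | sort > "$list"
    while IFS= read -r f; do
        key="$(file_sum "$f") $f"
        if ! grep -Fxq -- "$key" "$STATE_FILE"; then
            # Record the file only if the command succeeded, so a failed
            # run is retried next time. stdin is detached from the list.
            if "$@" "$f" < /dev/null; then
                printf '%s\n' "$key" >> "$STATE_FILE"
                count=$((count + 1))
            fi
        fi
    done < "$list"
    rm -f "$list"
    UNSEEN_RAN=$count
}

# Command-line use: unseen.sh DIR MAX_AGE_DAYS COMMAND [ARGS...]
if [ "$#" -ge 3 ]; then
    unseen "$@"
fi
```

Run it from cron with the archive directory, the two-week age limit mentioned in the message, and whatever wrapper invokes swatch on a single file.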