[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: System Messages Review

To: wredman@Kodak.COM
Subject: Re: System Messages Review
From: lindes@daveltd.com (David Lindes)
Date: Thu, 22 Apr 1999 12:52:28 -0700 (PDT)
Cc: sage-members@usenix.org, wredman@ycc.kodak.com
In-Reply-To: <370CBCD0.416EA6FF@ycc.kodak.com> from "William D. Redman" at Apr 8, 99 10:27:29 am
Sender: owner-sage-members@usenix.org

William D. Redman wrote:
> 
> How often do you monitor the messages from  your servers?

Late reply, I know, but one thing that I've done in the past,
and recently started doing again on one or two of my systems
(I'm mostly out of the SA business, so I don't maintain that
many systems anymore) is have my log rotation program mail me
the just-rotated-out log.  (On RedHat, I use a modified version
of logrotate...  See the following URL for info about a patch:
http://developer.redhat.com/bugzilla/show_bug.cgi?id=2103)

I then use procmail to filter that mail through a little perl
script I wrote called "digestlog"...  Perhaps I can post a
version of that sometime, but my current version is a bit
system (not platform, but specefic system) dependant...

Anyway, digestlog "digests" the syslog into something better
suited for a quick read.  It strips out dates, times, pids, and
a few other specific things that I don't care about getting
fine granularity on, and then groups all messages (effectively
a uniq -c | sort -rn, but in perl, and differently
implimented... ;-), and I read that.  The stuff that happens a
lot drifts to the top, and if it's stuff that's every day, I
tend to just gloss over it (some things I even explicitly nuke,
if I really never care about them, or fold a bunch of things
into one generic line (such as all DNS zone transfers for a
specific set of known zones from a specific set of known
servers), but then the stuff that either happened a lot but
doesn't usually, or some of the stuff which only happened one
or two times, but normally doesn't happen at all, I take note
of...

I currently run this daily, but it could be run at whatever
interval you wanted.

real-time notification is also good...  I don't have anything
like that set up currently, but used to have some scripts that
would actually be added to the syslog.conf on one machine that
would fire off e-mail to my text pager for things of alert
level or higher, and certain other things.  For other stuff, it
would pop up a dialog box on my screen if I was logged in.  In
either case, certain post-processing was sometimes done...
(converting IP addresses to hostnames is one example)

Cheers,

	David

-- 
David Lindes, KF6HFQ		DaveLtd[tm] Enterprises
lindes@daveltd.com		http://www.daveltd.com/

References:
- System Messages Review
  - From: "William D. Redman" <wredman@Kodak.COM>

Prev by Date: Re: recycling CDs?
Next by Date: 2 sendmail glitches
Prev by thread: Re: System Messages Review
Next by thread: Re: System Messages Review
Index(es):
- Date
- Thread