Hi Everyone,
I need to be able to create a summary report of all relevant syslog entries that is then emailed weekly.
The idea I have for this is to pipe the syslog entries (logged from many hosts, UNIX-like and Windows) out to a named pipe (say /var/log/logpipe) that is then read periodically by a perl script started from cron.
The perl script then filters the log entries (probably using regular expressions) and takes the appropriate action based on the severity of the error (i.e. log to summary file, or immediately email admin).
My main concern is that if a lot of entries get logged the FIFO buffer may overload, therefore losing entries.
Does anyone know what the size of the FIFO buffer is (or how it can be configured), or maybe there is a better way to do something like what I'm trying to do.
TIA
Regards
Lee W
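As an added example (not code from the thread or from any of the tools mentioned in it), the script below does the filtering step described above in Perl: it parses traditional syslog lines, classifies each one with a small table of regexes, appends everything but noise to a summary file, and collects the urgent entries for an immediate notification. The summary path, the rule table and the sample lines under __DATA__ are assumptions constructed for the demo. Two caveats a practitioner would want before building on the FIFO design: a Linux pipe holds 64 KiB (4 KiB before kernel 2.6.11, see pipe(7)), and a writer to a full pipe either blocks or, in non-blocking mode, fails with EAGAIN, so the reader has to drain the FIFO continuously rather than run from cron; and the classic syslog line format carries no facility/priority field, which is why severity is inferred from message text here (syslogd itself can route by priority with selectors in syslog.conf if that is preferable).

```perl
#!/usr/bin/perl
# Added example (not from the thread): read syslog lines from a FIFO or file,
# classify each by regex and route it by severity. The summary path, the rule
# table and the sample entries under __DATA__ are assumptions / constructed.
use strict;
use warnings;

my $SUMMARY = '/var/log/syslog-summary.txt';   # assumed summary file path

# Severity classes, most severe first; the first matching rule wins.
# Matching is done on "program: message" so rules can key on the daemon too.
my @RULES = (
    [ urgent => qr/\b(?:panic|Out of memory|segfault|FAILED LOGIN|authentication failure)\b/i ],
    [ warn   => qr/\b(?:warning|refused|denied|timeout|invalid user)\b/i ],
    [ noise  => qr/^CRON: \(\w+\) CMD\b/ ],     # routine cron job starts: dropped
);

# Split a traditional syslog line, "Mon DD HH:MM:SS host prog[pid]: message",
# into its fields; returns undef for lines that do not look like syslog output.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ /^
        (\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s   # timestamp
        (\S+)\s                              # originating host
        ([^:\[\s]+)(?:\[(\d+)\])?:\s?        # program and optional pid
        (.*)$/x;
    return { ts => $1, host => $2, prog => $3, pid => $4, msg => $5, raw => $line };
}

# Return the severity class of a parsed entry ('info' when no rule matches).
sub classify {
    my ($entry) = @_;
    my $text = "$entry->{prog}: $entry->{msg}";
    for my $rule (@RULES) {
        my ($class, $re) = @$rule;
        return $class if $text =~ $re;
    }
    return 'info';
}

# Drain a filehandle: write everything but noise to the summary handle,
# collect urgent entries for immediate notification, count per class.
sub process_stream {
    my ($in, $summary, $urgent) = @_;
    my %count;
    while (my $line = <$in>) {
        chomp $line;
        my $e = parse_line($line) or next;   # skip malformed input
        my $class = classify($e);
        $count{$class}++;
        next if $class eq 'noise';
        push @$urgent, $e->{raw} if $class eq 'urgent';
        printf {$summary} "%-6s %s\n", uc $class, $e->{raw};
    }
    return \%count;
}

my $source = shift @ARGV;
my ($in, $out);
if (defined $source) {
    # On a FIFO this open blocks until syslogd has the write end open, and
    # reads keep blocking until every writer closes: run it continuously,
    # not from cron, or point it at a regular log file instead.
    open $in,  '<',  $source  or die "open $source: $!";
    open $out, '>>', $SUMMARY or die "open $SUMMARY: $!";
} else {
    $in  = \*DATA;     # constructed sample entries below
    $out = \*STDOUT;
}
my @urgent;
my $count = process_stream($in, $out, \@urgent);
close $out if defined $source;

# Urgent entries are where an immediate mail to the admin would be sent
# (e.g. piped into /usr/sbin/sendmail); the demo just prints them.
print "URGENT: $_\n" for @urgent;
print join(', ', map { "$_=$count->{$_}" } sort keys %$count), "\n";

__DATA__
Apr 25 23:21:00 web1 sshd[2231]: Invalid user oracle from 10.0.0.5
Apr 25 23:21:05 web1 sshd[2231]: Failed password for invalid user oracle from 10.0.0.5 port 40122 ssh2
Apr 25 23:22:10 db1 kernel: Out of memory: Killed process 4411 (postgres)
Apr 25 23:25:01 db1 CRON[4490]: (root) CMD (run-parts /etc/cron.hourly)
Apr 25 23:26:33 fw1 login[811]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Apr 25 23:30:12 web1 postfix/smtpd[2300]: connect from mail.example.net[192.0.2.10]
this line is not syslog formatted
```

Run with no arguments to process the constructed sample to stdout, or with a path (the FIFO, or a log file) to append to the summary file. Rules are ordered most severe first so a line matching both an urgent and a warn pattern is escalated, and the noise rule lets routine cron chatter be dropped before it reaches the weekly report.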
This doesn't exactly answer your question, but have you checked out the logcheck package that's part of the Abacus Project tool set? It does not come with CentOS, but logcheck had some nice regex matching capabilities at one time. Essentially it would mail anomalous syslog entries to the admin every hour/day/week/etc. as a cron job. It also requires the logtail package.
More info can be found at http://logcheck.org/
There is also Logwatch Consolidator, which supposedly combines multiple logwatch emails into a single one which can be mailed.
http://freshmeat.net/projects/lc/
I know about these from my Debian days. There did not appear to be a logwatch package for woody, and it was the next thing.
The reports were a little bit too verbose for me. I prefer the organization that logwatch provides on a daily basis, but I figured maybe you can use their code as a starting place to do some hacking, rather than rewriting everything yourself.
Good luck,
Shawn M. Jones
On Mon, 2005-04-25 at 23:21 -0400, Shawn M. Jones wrote:
I'll toss a plug in for epylog -- http://linux.duke.edu/projects/epylog/ It's really nice on a central syslog server. It gives you the option of having the reports generated as either a web page or as an email or both. I have it set up to run a daily analysis which sends a reminder notice and one that runs every 4 hours with no notification. I have disabled email reports (get too much system email as it is :). The nice thing about epylog is the powerful extensions to the existing canned warnings (notice_local.xml and weed_local.cf) to generate reports and filter out noise.
Sean