> Hi
>
> I am using rsyslog to get logs to a central box and they are stored in the
> format of
>
> /<hostname>/<year>/<month>/<day>/<logfilename>
>
> I need a solution that can trawl through these directories and pick up
> exceptions like failed logons and sudo usage, that sort of thing.
>
> Has anyone got any clues as to what might help to achieve this? I am
> looking into logsurfer but not sure if this handles the directory structure
> nicely.
>
> Thanks for any tips

Good question. How many servers do you have to collect logs from?

I'd like to hear of people who have used both Splunk and/or prelude in an environment with, say, 500<x<1000 servers, for collection of logs and can voice a few opinions.

The problem, as the author recognizes, is not collection but retrieval and processing (a cron-job that deletes them periodically does not qualify as "processing"...).

Rainer
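One way to do the trawling the question asks about, as an added example that is not code from anyone in this thread: a Python script that walks the rsyslog `/<hostname>/<year>/<month>/<day>/<logfilename>` layout, takes the host and date from the path rather than from the line, and applies two regexes (standard OpenSSH "Failed password" lines and standard sudo "COMMAND=" lines; these formats are an assumption about the sending hosts). It builds a constructed sample tree of made-up hosts, dates and log lines so it runs offline; point `scan_log_tree` at the real spool root instead.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Event classes from the question. Regexes assume the usual OpenSSH and sudo
# syslog formats; extend the dict for other daemons or distributions.
PATTERNS = {
    "failed_logon": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
    ),
    "sudo": re.compile(r"sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.+)$"),
}


@dataclass
class Finding:
    host: str
    date: str      # "YYYY/MM/DD" taken from the directory path
    kind: str      # key of PATTERNS
    user: str
    detail: str    # source address for logons, command for sudo
    line: str


def path_parts(root: str, path: str) -> Optional[Tuple[str, str]]:
    """Return (host, 'YYYY/MM/DD') for root/<host>/<year>/<month>/<day>/<file>."""
    rel = os.path.relpath(path, root).split(os.sep)
    if len(rel) != 5:
        return None  # not in the expected layout; caller skips it
    host, year, month, day, _ = rel
    return host, f"{year}/{month}/{day}"


def match_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (kind, user, detail) for an interesting line, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            detail = m.group("src") if kind == "failed_logon" else m.group("cmd")
            return kind, m.group("user"), detail
    return None


def scan_log_tree(root: str) -> List[Finding]:
    """Walk the whole tree and collect every matching line with its origin."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            parts = path_parts(root, full)
            if parts is None:
                continue
            host, date = parts
            with open(full, errors="replace") as fh:
                for raw in fh:
                    line = raw.rstrip("\n")
                    hit = match_line(line)
                    if hit:
                        kind, user, detail = hit
                        findings.append(Finding(host, date, kind, user, detail, line))
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample tree; hosts, addresses and lines are made up."""
    root = tempfile.mkdtemp(prefix="rsyslog-sample-")
    samples = {
        ("web01", "2009", "03", "14", "auth.log"): [
            "Mar 14 02:11:03 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2",
            "Mar 14 02:11:09 web01 sshd[1234]: Accepted publickey for deploy from 198.51.100.7 port 4100 ssh2",
            "Mar 14 03:00:01 web01 CRON[2000]: (root) CMD (run-parts /etc/cron.hourly)",
        ],
        ("db02", "2009", "03", "14", "secure"): [
            "Mar 14 09:30:12 db02 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service sshd restart",
            "Mar 14 09:31:40 db02 sshd[555]: Failed password for bob from 192.0.2.44 port 51000 ssh2",
        ],
    }
    for (host, y, m, d, fname), lines in samples.items():
        day_dir = os.path.join(root, host, y, m, d)
        os.makedirs(day_dir)
        with open(os.path.join(day_dir, fname), "w") as fh:
            fh.write("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in scan_log_tree(sample_root):
        print(f"{f.host} {f.date} {f.kind:12} user={f.user} {f.detail}")
```

Taking host and date from the path is deliberate: the syslog timestamp carries no year and the hostname field can be forged by the sender, whereas the directory is written by the collector. For a nightly run, restrict the walk to yesterday's `<year>/<month>/<day>` subtree under each host instead of rescanning everything.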