| View previous topic :: View next topic |
| Author |
Message |
marsf
n00b
Joined: 02 Mar 2003
Posts: 10
|
 Posted: Tue Apr 01, 2003 6:34 pm Post subject: swatch + metalog setup questions |
 |
|
I've been looking at setting up a log monitor utility to work with metalog. Now that Psionic has disappeared into Cisco's black maw I don't feel that logsentry will see any more maintanence. This finally prompted me to try out swatch.
After installing swatch I ended up with a few questions. First of all, why isn't swatch installed and run as a daemon process by Gentoo? Should I set it up to run as a daemon myself, or should it be put into a cron script or something?
Other online documents mention that swatch must be sent SIGHUP when the logs get rotated, so that swatch is made aware of the new log file and stops monitoring the old log file. Does metalog support this functionality? And if it does, how would I implement it?
If metalog can't do this, then does syslog-ng support this functionality?
And finally, is there an easy way to set up a nightly log summary using swatch? It would be nice if I could write a script to filter the log entries for the day through swatch, bundle that in an email, and then send it off to root.
And finally, am I missing the super-easy-and-everyone-else-knows-about-it solution to log monitoring and summarization?
Any help would be appreciated,
Mars |
|
| Back to top |
|
 |
jmckay123456789
n00b
Joined: 16 Aug 2003
Posts: 46
|
| Posted: Tue May 03, 2005 10:41 pm Post subject: two years later.... |
|
|
| I'll bump this two years later in hopes that someone answers this guy. I have similar questions. |
|
| Back to top |
|
|
cybe
n00b
Joined: 22 Jul 2003
Posts: 67
Location: Finland
|
| Posted: Wed May 04, 2005 10:31 am Post subject: Re: two years later.... |
|
|
| jmckay123456789 wrote: | | I'll bump this two years later in hopes that someone answers this guy. I have similar questions. |
bump #2
swatch is a nice app, and I too have similar questions
_________________
_________________________________
The MOST important book on the planet?
http://thewayhomeorfacethefire.info/ |
|
| Back to top |
|
|
heartburn
n00b
Joined: 18 Oct 2002
Posts: 40
|
| Posted: Mon Oct 31, 2005 1:03 am Post subject: |
|
|
| bump |
|
| Back to top |
|
|
blackcollar
n00b
Joined: 23 Jul 2003
Posts: 39
Location: /usa/idaho
|
| Posted: Tue Dec 20, 2005 2:10 pm Post subject: Re: swatch + metalog setup questions |
|
|
I've just been researching this myself, so I'll respond here in hopes it helps somebody else.
[quote="marsf"]I've been looking at setting up a log monitor utility to work with metalog. Now that Psionic has disappeared into Cisco's black maw I don't feel that logsentry will see any more maintanence. This finally prompted me to try out swatch.
First of all, it may not be a great idea to use metalog with swatch. Metalog uses memory buffers to store messages, and flushes to disk only periodically. If you're wanting responses to activites as soon as the entry is logged metalog is a problem because the buffering induces a delay you don't want. I use syslog-ng instead. It's a bit more trouble to set up, but very worth it. (Incidentally, syslog-ng also allows you to log messages to and from a remote server, something metalog won't do).
That said:
| marsf wrote: | | First of all, why isn't swatch installed and run as a daemon process by Gentoo? Should I set it up to run as a daemon myself, or should it be put into a cron script or something? |
Swatch needs to be run from /etc/conf.d/local.start. I usually add the command
| Code: | | swatch -c /etc/swatch.conf -t /var/log/everything/current --daemon |
Where -c specifies the configuration file to use and -t the log file to watch. Your config may vary, so adjust accordingly.
| marsf wrote: | Other online documents mention that swatch must be sent SIGHUP when the logs get rotated, so that swatch is made aware of the new log file and stops monitoring the old log file. Does metalog support this functionality? And if it does, how would I implement it?
If metalog can't do this, then does syslog-ng support this functionality? |
As far as I've been able to discover, metalog dosen't support this.  (If anyone else knows otherwise, I'd love to know more.) Using syslog-ng and logrotate allows this, through the logrotate functionality. A great explanation of logrotate is available at http://www.topology.org/linux/logrotate.html. Basically, you include the following in the logrotate conf file for your specific log:
| Code: | postrotate
/usr/bin/killall -SIGHUP <process>
endscript
|
 Note that, at least on my system, swatch actually runs as '/usr/bin/perl /usr/bin/swatch' so killall may do more than you expect: check that you're not running any other processes using perl before implementing this blindly!
| marsf wrote: | | And finally, is there an easy way to set up a nightly log summary using swatch? It would be nice if I could write a script to filter the log entries for the day through swatch, bundle that in an email, and then send it off to root. |
Well, I'm not sure this is what you're looking for, but here's one solution to that description: swatch will allow you to parse a file given on the command line using the --examine file switch. And you can configure one of the actions in your swatch.conf file to mail you a list of all the matched lines it finds. So you could create a swatch.conf that finds the lines you're interested in, specifies a mail action sending the results to you and then write a short shell script that executes as a cron job daily and runs swatch with the file examine switch to parse the log entries and clear or backup the log so you don't get it the following day. Or, you could use logrotate with syslog-ng and specify the swatch command as a prerotate subdirective (instead of the shell script and cron job).
| marsf wrote: | | And finally, am I missing the super-easy-and-everyone-else-knows-about-it solution to log monitoring and summarization? |
If you ever find that, let me know! 
Matthew Miller |
|
| Back to top |
|
|
VStrider
Apprentice
Joined: 27 Jun 2005
Posts: 244
Location: 1 to Rule All way, Moria Gate, Middle Earth, SAU 70N
|
| Posted: Tue Dec 20, 2005 3:52 pm Post subject: Re: swatch + metalog setup questions |
|
|
| marsf wrote: | | And finally, am I missing the super-easy-and-everyone-else-knows-about-it solution to log monitoring and summarization? |
Maybe.  I'm not so sure about the super-easy part but IMO, SEC is better than swatch.
| Code: | | emerge net-analyzer/sec |
I don't know why it's under net-analyzer and not app-admin, but it doesn't really matter anyway. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
