List:       loganalysis
Subject:    [logs] Re: Swatch stops monitoring after log rotation
From:       Jeremy Mates <jmates () sial ! org>
Date:       2004-06-22 2:07:29
Message-ID: 20040622020729.GF57057 () darkness ! sial ! org

* Ken Toney <ktoney@tiff.org>
> Any suggestions on how I could modify/improve log rotations so Swatch
> will monitor the new logs?

One approach would be to install a better logging daemon such as syslog-
ng, then configure syslog-ng to pipe all logs over to swatch for
consideration.

A more radical solution does away with (IMHO) the icky logfile rotation
and HUPing, and uses syslog-ng to write out the files to an archive
location. The following is what I use on my OS X laptop with syslog-ng:

  destination everything { 
    file("/var/log/archive/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
      template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
      template_escape(no)
    );
  };
  log { source(local); destination(everything); };

Then disable current rotation scripts and HUPing, set up a script to
maintain symlinks of /var/log/messages -> /var/log/archive/..., and use
an "I have not seen this file" script to call swatch. A bonus of this
method is that if a logfile changes for some reason, the "unseen" script
will calculate a different checksum, and rerun the swatch.

Another bonus is additional swatch or other scripts can be run with
"unseen", allowing one to add in additional logwatch or whatever checks,
even on logfiles prior to the new check being done.

To evict old logfiles, simply use a 'find -mtime ...' to evict logfiles
older than however long your retain period is.

For more information on syslog-ng (it has OS X notes), which has some
portion of the above approach somewhat documented:

http://sial.org/howto/logging/syslog-ng/

The "unseen" script I mentioned (usually I limit it to only consider
logfiles of two weeks of age to keep the checksumming work down):

http://sial.org/code/perl/scripts/unseen.pl
_______________________________________________
LogAnalysis mailing list
LogAnalysis@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis
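
An added sketch of the "unseen" approach described in the message above; it is
not the unseen.pl script linked there and not code from the author. The
function names, the JSON state file and the parameters are assumptions made for
illustration; the command to run on each file (swatch or any other check) is
passed in by the caller.

```python
import hashlib
import json
import os
import subprocess
import time


def sha256_file(path):
    """Checksum file contents in chunks so large logs are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def process_unseen(archive_dir, state_path, command, max_age_days=14, now=None):
    """Run command + [path] on each log file that is new or whose checksum changed.

    state_path (hypothetical JSON file) maps path -> checksum of the last
    successful run; use one state file per check so a new check sees old logs.
    Returns the list of files handed to the command.
    """
    now = time.time() if now is None else now
    try:
        with open(state_path) as fh:
            seen = json.load(fh)
    except FileNotFoundError:
        seen = {}
    processed = []
    for root, dirs, files in os.walk(archive_dir):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(root, name)
            if now - os.path.getmtime(path) > max_age_days * 86400:
                continue  # outside the window: skip the checksum work
            checksum = sha256_file(path)
            if seen.get(path) == checksum:
                continue  # same content as the last successful run
            # Argument list, no shell: file names are never shell-interpreted.
            if subprocess.run(command + [path]).returncode == 0:
                seen[path] = checksum  # record only after the check succeeded
                processed.append(path)
    tmp = state_path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(seen, fh)
    os.replace(tmp, state_path)  # atomic swap so a crash cannot truncate state
    return processed
```

A file that is still being appended to changes checksum on every pass, so it is
rescanned in full each time this runs.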