LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices



Reply
 
Search this Thread
Old 10-28-2005, 12:15 PM   #1
TotalDefiance
Member
 
Registered: Jan 2004
Distribution: Slackware, RH, WBEL
Posts: 65

Rep: Reputation: 15
*realtime* syslog monitoring/alerting with Rsyslog?


So I am using Rsyslog as a replacement for the standard syslog daemon on my syslog server. I use Rsyslog's functionality of logging to a MySQL DB rather than plaintext files, this allows for easy searching and management via a php web interface. Rsyslog has been working well on a quad PIII box with MySQL; currently there are only about 33k syslog messages in the DB and searches are fast. Now that I have proved the central storage of logs to be stable, I would like to add alerting based on expressions into the mix.....

I am aware of some software packages that can monitor system logs using tail, however one of the main reasons I am using Rsyslog is to have the web interface/searching of the logs. I would like to set up a system where I am alerted/emailed when various expressions are found in the logs.

How can this be done with Rsyslog using a MySQL DB as storage? I dont want to have to write to both a DB and plaintext files, as this is wasteful. I am sure a perl/php script could be written and put in crontab every n-minutes to search for expressions in the DB, however this would get increasingly taxing as the syslog db grows...also I'd have to severly brush up on my skills if I went the perl route =)

So....the end question is, does anyone know if some kind of modification which coul dbe made to Rsyslog, which would allow for realtime monitoring and alerting of the messages passing *though* rsyslog? Also, if anyone has seen a php/perl crontab job as I mentioned, let me know, it cant hurt to try that as well.

Thanks
 
Old 10-29-2005, 09:09 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,005
Blog Entries: 11

Rep: Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903
If it was using PostgreSQL I would have said use
triggers, but I don't know with which version MySQL
will support/does support those.


Cheers,
Tink
 
Old 10-29-2005, 09:28 PM   #3
TotalDefiance
Member
 
Registered: Jan 2004
Distribution: Slackware, RH, WBEL
Posts: 65

Original Poster
Rep: Reputation: 15
I found that mysql will apparently support triggers in 5.0....which i am running 4.0.

Also, rsyslog supports alerting by word matches....however I haven't gotten it to work yet....more info I if do.
 
Old 11-01-2005, 11:23 AM   #4
TotalDefiance
Member
 
Registered: Jan 2004
Distribution: Slackware, RH, WBEL
Posts: 65

Original Poster
Rep: Reputation: 15
So i found that rsyslog does support checking for specific words by means of : :msg,contains,"error" ^/usr/bin/alerter "^" is supposed to execute the following script, and send the contents of the syslog message as arguements, which can easily be dealt with using $* and email them.

However, using this methog, I recieve the following error: rsyslogd: unknown priority name "" And I know that it has to do with my /etc/rsyslog.conf line :msg,contains,"invalid" ^/usr/sbin/rsyslog_alerter;precise as I do not recieve the error (when debugging) if it is commented out. ('precise' is a correctly defined template for formatting the syslog message when sending it to the script)

I realize that this is probably a rsyslog specific deal...but perhaps there is someone out there who has seen this or soemthing comparable?

Last edited by TotalDefiance; 11-01-2005 at 11:24 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
realtime programming (c) os2 Programming 2 03-02-2005 04:13 PM
xmms - realtime curmudgeon42 Linux - Software 1 01-29-2005 12:58 PM
Realtime record spotslayer Linux - Software 0 10-16-2004 10:45 AM
Snort alerting with Swatch? ladyath Linux - Security 1 09-08-2004 05:22 AM
realtime-lsm denzo74 Mandriva 0 08-11-2004 05:45 AM


All times are GMT -5. The time now is 07:33 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration