LinuxQuestions.org, Linux - Software: *realtime* syslog monitoring/alerting with Rsyslog? (https://www.linuxquestions.org/questions/linux-software-2/%2Arealtime%2A-syslog-monitoring-alerting-with-rsyslog-377766/)

TotalDefiance 10-28-2005 11:15 AM

*realtime* syslog monitoring/alerting with Rsyslog?
 
So I am using Rsyslog as a replacement for the standard syslog daemon on my syslog server. I use Rsyslog's functionality of logging to a MySQL DB rather than plaintext files; this allows for easy searching and management via a PHP web interface. Rsyslog has been working well on a quad PIII box with MySQL; currently there are only about 33k syslog messages in the DB and searches are fast. Now that I have proved the central storage of logs to be stable, I would like to add alerting based on expressions into the mix...

I am aware of some software packages that can monitor system logs using tail, however one of the main reasons I am using Rsyslog is to have the web interface/searching of the logs. I would like to set up a system where I am alerted/emailed when various expressions are found in the logs.

How can this be done with Rsyslog using a MySQL DB as storage? I don't want to have to write to both a DB and plaintext files, as this is wasteful. I am sure a perl/php script could be written and put in crontab every n minutes to search for expressions in the DB; however, this would get increasingly taxing as the syslog DB grows... also I'd have to severely brush up on my skills if I went the perl route =)

So... the end question is: does anyone know of some kind of modification which could be made to Rsyslog which would allow for realtime monitoring and alerting of the messages passing *through* rsyslog? Also, if anyone has seen a php/perl crontab job as I mentioned, let me know; it can't hurt to try that as well.

Thanks

Tinkster 10-29-2005 08:09 PM

If it was using PostgreSQL I would have said use
triggers, but I don't know with which version MySQL
will support/does support those.


Cheers,
Tink

TotalDefiance 10-29-2005 08:28 PM

I found that MySQL will apparently support triggers in 5.0, while I am running 4.0.

Also, rsyslog supports alerting by word matches... however I haven't gotten it to work yet... more info if I do.

TotalDefiance 11-01-2005 10:23 AM

So I found that rsyslog does support checking for specific words by means of :msg,contains,"error" ^/usr/bin/alerter. The "^" is supposed to execute the following script and send the contents of the syslog message as arguments, which can easily be dealt with using $* and emailed.

However, using this method, I receive the following error: rsyslogd: unknown priority name "". I know that it has to do with my /etc/rsyslog.conf line :msg,contains,"invalid" ^/usr/sbin/rsyslog_alerter;precise, as I do not receive the error (when debugging) if it is commented out. ('precise' is a correctly defined template for formatting the syslog message when sending it to the script.)

I realize that this is probably an rsyslog-specific deal... but perhaps there is someone out there who has seen this or something comparable?
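The following is an added example of the alerter script that the ":msg,contains,... ^program;template" action discussed in this thread could execute; it is not code from the thread or from the rsyslog project. The template body, the script path /usr/local/bin/rsyslog_alerter, the mail recipient and the state directory are assumptions. rsyslog hands the template-formatted message to the program as its argument(s); the script joins whatever it receives with "$*", as the poster intends. Beyond plain matching it adds what a production alerter needs: a finer pattern list than rsyslog's coarse "contains" filter, per-daemon throttling so a log storm does not flood the mailbox, and stripping of control characters so a crafted log line cannot smuggle extra mail headers or terminal escapes into the alert.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed /etc/rsyslog.conf lines that
# would invoke it (template name and script path are hypothetical):
#   $template precise,"%HOSTNAME% %syslogtag%%msg%\n"
#   :msg, contains, "error"   ^/usr/local/bin/rsyslog_alerter;precise
#   :msg, contains, "invalid" ^/usr/local/bin/rsyslog_alerter;precise

ALERT_TO="${ALERT_TO:-root}"                        # mail recipient (assumed)
STATE_DIR="${STATE_DIR:-/var/tmp/rsyslog_alerter}"  # throttle state (assumed)
THROTTLE_SECS="${THROTTLE_SECS:-300}"               # one mail per key per 5 min

# alert_needed MSG -> 0 if MSG matches a pattern worth mailing, else 1.
# rsyslog's "contains" filter is coarse; the finer decision lives here.
alert_needed() {
    case "$1" in
        *"authentication failure"*|*"Failed password"*|*"invalid user"*) return 0 ;;
        *error*) return 0 ;;
    esac
    return 1
}

# alert_key MSG -> throttle key: the syslog tag (second field of the
# assumed template) with "[pid]" and the trailing colon stripped, so
# "sshd[123]:" and "sshd[456]:" share one key.
alert_key() {
    printf '%s' "$1" | awk '{print $2}' | sed 's/\[[0-9]*\]//; s/:$//'
}

# throttled KEY NOW -> 0 if an alert for KEY was already sent within
# THROTTLE_SECS of NOW (epoch seconds); otherwise records NOW and
# returns 1. The key is sanitised before it becomes a file name.
throttled() {
    key=$1; now=$2
    mkdir -p "$STATE_DIR"
    f="$STATE_DIR/$(printf '%s' "$key" | tr -c 'A-Za-z0-9_.-' '_')"
    if [ -f "$f" ]; then
        last=$(cat "$f")
        if [ $((now - last)) -lt "$THROTTLE_SECS" ]; then
            return 0
        fi
    fi
    printf '%s\n' "$now" > "$f"
    return 1
}

# format_alert MSG -> mail body with control characters (including CR/LF
# and ESC) removed, so the log line cannot inject headers or escapes.
format_alert() {
    printf '%s' "$1" | tr -d '\000-\037\177'
    printf '\n'
}

main() {
    msg="$*"                      # rejoin the argument(s) rsyslog passed
    alert_needed "$msg" || exit 0
    key=$(alert_key "$msg")
    if throttled "$key" "$(date +%s)"; then
        exit 0
    fi
    format_alert "$msg" | mail -s "syslog alert: $key" "$ALERT_TO"
}

# Run main only when executed as the alerter, not when sourced for testing.
case "$0" in
    *rsyslog_alerter) main "$@" ;;
esac
```

Install it mode 0755, make sure the rsyslog user can write STATE_DIR, and keep the rsyslog-side filter broad (a single "contains" word) while refining the match list inside alert_needed; that way adding a pattern does not require touching rsyslog.conf.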

