An incident file is whatever you want or need it to be. What I meant was a text file of notes-to-self recorded at or near the time of each incident to jog the memory when analyzing future incidents. Myself, I would of course begin each entry w/ a date; beyond that, I would add whatever seems relevant. In a situation like yours, I might put it in its own directory & include dated tails from /var/log/messages. Seems to me the hour or minutes before the crash are most likely to be relevant.
I had a talk w/ a friend who monitors servers' log files for a living, & he had some other suggestions. Of course, I have forgotten the details. I will try to have the talk again; this time I intend to take notes & post suggestions.
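
One way to keep the kind of incident file described in this post, as an added example that is not part of the original post: a shell function that appends a dated entry to a notes file in its own directory and saves a dated tail of /var/log/messages beside it. The names `incident_note`, `INCIDENT_DIR`, `LOG_FILE` and `TAIL_LINES`, the default directory and the 200-line default are assumptions made for the example.

```shell
#!/bin/sh
# Added example: dated incident notes plus a dated tail of the system log.
# INCIDENT_DIR, LOG_FILE and TAIL_LINES are assumed names, not from the post.
INCIDENT_DIR="${INCIDENT_DIR:-$HOME/incidents}"
LOG_FILE="${LOG_FILE:-/var/log/messages}"
TAIL_LINES="${TAIL_LINES:-200}"

# incident_note "free-form note text"
# Appends a dated entry to $INCIDENT_DIR/incidents.txt and saves the last
# $TAIL_LINES lines of $LOG_FILE next to it. Prints the path of the saved
# tail, or a placeholder string when the log cannot be read.
incident_note() {
    note="$1"
    stamp=$(date -u +%Y-%m-%dT%H%M%SZ)      # UTC, so entries sort by time
    mkdir -p "$INCIDENT_DIR" || return 1
    chmod 700 "$INCIDENT_DIR"               # log excerpts can be sensitive
    tail_file="$INCIDENT_DIR/messages-$stamp.tail"
    if [ -r "$LOG_FILE" ]; then
        tail -n "$TAIL_LINES" "$LOG_FILE" > "$tail_file"
        saved="$tail_file"
    else
        # Still record the entry so the note itself is not lost.
        saved="(log $LOG_FILE not readable)"
    fi
    {
        printf '== %s ==\n' "$stamp"
        printf 'note: %s\n' "$note"
        printf 'log tail: %s\n\n' "$saved"
    } >> "$INCIDENT_DIR/incidents.txt"
    printf '%s\n' "$saved"
}
```

Run it as soon as the machine is back up, since later boot and service messages push the pre-crash lines out of the tail window.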