<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Johan,
<blockquote
cite="mid:CE29FAAF3C734A43B4D620A517E393FE9238AC@WIN03.ad.deltamanagement.se"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We have a syslog server
which receives logs from a number of servers and network
devices.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Currently we use the log
test in Xymon to check for errors in these logs, and it
works fine. But it is a little blunt since all log test end
up in the same msgs test. It could also be a problem if we
get an error in one log file, and need to ack or disable the
test. In this case we would not get any alert if there were
errors in one of the other logs.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">It would have been nice
if you could add a client definition to a logfile test in
analysis.conf, and report each log file as the device which
is originates from. Or maybe as a separate syslog test to
distinguish it from the msgs test.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">This way we could also
set up individual alerts for the different logged devices.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I could, of course,
write a client- or serverside script for this, but I always
find it difficult to do good log monitoring scripts and it
would be nice to be able to use the logic already in Xymon<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">What do you think? Would
anyone else be interested in this feature? I also have no
idea how much work it would be.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
</blockquote>
I have also been looking at this same problem just recently.<br>
<br>
My log structure is keyed by IP address with daily files - e.g.
/var/log/rsyslog/IP/messages-YYYMMDD - how the files are set up
would need to be accommodated.<br>
<br>
I've thought of 2 approaches:<br>
* writing a utility from scratch to examine the log files - however
this then requires all the message rules to be reimplemented rather
than using analysis.cfg<br>
* writing a utility that uses 'logfetch' (xymon client utility) to
grab relevant section of logfile and then send a client message
(still need to work out what class and other details to include in
the header) on behalf of the device which contains
[msgs:/var/log/messages] section for the log file. With this
approach, if the client has no other client message reporting we're
OK, but if not, I'm not sure if it will cause problems also. Mostly
I'd be looking at this for switches/firewalls/etc so no direct
client report in place.<br>
<br>
David.<br>
<pre class="moz-signature" cols="72">--
David Baldwin - IT Unit
Australian Sports Commission <a class="moz-txt-link-abbreviated" href="http://www.ausport.gov.au">www.ausport.gov.au</a>
Tel 02 62147830 Fax 02 62141830 PO Box 176 Belconnen ACT 2616
<a class="moz-txt-link-abbreviated" href="mailto:david.baldwin@ausport.gov.au">david.baldwin@ausport.gov.au</a> Leverrier Street Bruce ACT 2617
</pre>
<br>
<hr>
Keep up to date with what's happening in Australian sport visit <a href="http://www.ausport.gov.au">www.ausport.gov.au</a>
<br><br>
<font size="-2" face="arial">This message is intended for the addressee named and may contain confidential and privileged information. If you are not the intended recipient please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you receive this message in error, please delete it and notify the sender.</font>
<hr>
</body>
</html>