[hobbit] hobbitclient + msgs test sugesstion

Manu yoogie at schurkennetz.de
Tue Nov 29 23:38:05 CET 2005


Hi,

Why should the log-entries, hobbit-msg-monitor should look after be 
maintained centrally on the hobbit server? Are important log-entries 
essential on a sql-server as well in every case as on a firewall? I 
think that there are different things on different servers you want 
hobbit to take care about...
Maybe I missed the point...

To reduce overhead, you can use a similar mechanism as logtail does. 
Storing the file offset in conjunction with the inode-id would grant 
you never check an entry twice.

Maybe, having a closer look at logsentry from the sentry-tools 
(http://sourceforge.net/projects/sentrytools) would help finding an 
appropriate way of realizing this.

Kind regards,

Manuel




----- Message from iqbala-hobbit at qwestip.net ---------
     Date: Tue, 29 Nov 2005 16:42:21 -0500
     From: Asif Iqbal <iqbala-hobbit at qwestip.net>
Reply-To: hobbit at hswn.dk
  Subject: Re: [hobbit] hobbitclient + msgs test sugesstion
       To: hobbit at hswn.dk


> On Tue, Nov 29, 2005 at 10:09:48PM, Henrik Stoerner wrote:
>> Hi Peter (and anyone else interested),
>>
>> On Tue, Nov 29, 2005 at 08:26:14PM +0100, Peter Welter wrote:
>> >
>> > Since the msgs-check is not available yet in the Hobbit display, I
>> > want to make a suggestion to have it enabled relatively easy. I think
>> > of two methods:
>> >
>> > -1- A client must have read access to the file [client picks out the
>> >     "interesting" bits]
>> >
>> > -2- Your Hobbit server must _also_ be a central loghost. [allows
>> >     centralized configuration of how to monitor the logs]
>>
>> I'm not really thrilled with either of these - sorry! Each of them
>> have some drawbacks: The first one moves the configuration of what
>> logs to monitor away from the central hobbit server, and the
>> second one only works for logs that go through the syslog interface.
>> If I want to monitor e.g. an Apache webserver error-log, or the
>> custom logs from a BEA server, solution 2) won't work. I dont see
>> how it can work with logs from a Windows server either. Plus it
>> adds load to the central Hobbit server to deal with all of the
>> logfiles.
>>
>> So - I think some other solution is needed, and I've been thinking
>> about how to do it. So far it's just ideas - no code. But I believe
>> the log checking has to happen on each client, but controlled by
>> a central configuration. So what I plan to implement is something
>> like this:
>>
>> * The configuration of what logs to monitor and what strings to
>>   look for is maintained on the central Hobbit server, either as
>>   an addition to the hobbit-clients.cfg file, or in a separate
>>   file - that isn't really important.
>> * When a client connects and sends in a client-side message, the
>>   Hobbit server accepts the client message, but also sends back
>>   the current log-check configuration info. By re-using the
>>   client connection, the overhead involved in pushing the
>>   configuration to each client becomes almost nil.
>> * When the client has a log-check configuration, it knows what logs
>>   to check for what strings, and can include that information in
>>   the normal client message it sends back to the Hobbit server.
>>   That means the client will need a tool to do the logfile checking;
>>   probably using a client-side regular-expression matching tool
>>   like "grep". It can either be built into the Hobbit client, or
>>   it could just rely on the existing "grep" utility found on the
>>   system - this would probably be the simplest to implement.
>
> Would it be possible to create a new hobbitd channel that will get
> install with hobbit client. Then add that channel to the syslog.conf
> which is kind a work like a pipe. So when syslog say related to
> /var/adm/messages file get send to the hobbitd channel (or pipe) it will
> scan right away against strings that needs to get alerted about. Also it
> won't store anything in the channel. So there is no chance to scan the
> same string on the same timestamp twice. Also if it is not receiving any
> alert for say 5 mins it will check if syslogd is actually running by
> sending a 'logger' output to the channel.
>
> Sorry if I talking 'no sense' but throwing anything here while the idea
> is still cooking :-)
>
> Thanks
>
>>
>>
>> Regards,
>> Henrik
>>
>>
>> To unsubscribe from the hobbit list, send an e-mail to
>> hobbit-unsubscribe at hswn.dk
>>
>>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> "..there are two kinds of people: those who work and those who take 
> the credit...try
>  to be in the first group;...less competition there."  - Indira Gandhi
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>
>
>
>
>


----- End message from iqbala-hobbit at qwestip.net -----







More information about the Xymon mailing list