[hobbit] hobbitclient + msgs test sugesstion
Allan.Marillier at dana.com
Allan.Marillier at dana.com
Wed Nov 30 14:02:15 CET 2005
A log file monitor would also need to consider what happens when logrotate
(or other switching mechanism) switches logs, as the inode and file offset
may (or will) change. I know some people have a cron job which copies the
log, then truncates the original log file. In this case the inode won't
change, but the file contents / offset will. There are many things to
consider, I'm sure Henrik will come up with a good solution.
Manu <yoogie at schurkennetz.de>
11/29/2005 05:38 PM
Please respond to
hobbit at hswn.dk
To
hobbit at hswn.dk
cc
Subject
Re: [hobbit] hobbitclient + msgs test sugesstion
Hi,
Why should the log-entries, hobbit-msg-monitor should look after be
maintained centrally on the hobbit server? Are important log-entries
essential on a sql-server as well in every case as on a firewall? I
think that there are different things on different servers you want
hobbit to take care about...
Maybe I missed the point...
To reduce overhead, you can use a similar mechanism as logtail does.
Storing the file offset in conjunction with the inode-id would grant
you never check an entry twice.
Maybe, having a closer look at logsentry from the sentry-tools
(http://sourceforge.net/projects/sentrytools) would help finding an
appropriate way of realizing this.
Kind regards,
Manuel
----- Message from iqbala-hobbit at qwestip.net ---------
Date: Tue, 29 Nov 2005 16:42:21 -0500
From: Asif Iqbal <iqbala-hobbit at qwestip.net>
Reply-To: hobbit at hswn.dk
Subject: Re: [hobbit] hobbitclient + msgs test sugesstion
To: hobbit at hswn.dk
> On Tue, Nov 29, 2005 at 10:09:48PM, Henrik Stoerner wrote:
>> Hi Peter (and anyone else interested),
>>
>> On Tue, Nov 29, 2005 at 08:26:14PM +0100, Peter Welter wrote:
>> >
>> > Since the msgs-check is not available yet in the Hobbit display, I
>> > want to make a suggestion to have it enabled relatively easy. I think
>> > of two methods:
>> >
>> > -1- A client must have read access to the file [client picks out the
>> > "interesting" bits]
>> >
>> > -2- Your Hobbit server must _also_ be a central loghost. [allows
>> > centralized configuration of how to monitor the logs]
>>
>> I'm not really thrilled with either of these - sorry! Each of them
>> have some drawbacks: The first one moves the configuration of what
>> logs to monitor away from the central hobbit server, and the
>> second one only works for logs that go through the syslog interface.
>> If I want to monitor e.g. an Apache webserver error-log, or the
>> custom logs from a BEA server, solution 2) won't work. I dont see
>> how it can work with logs from a Windows server either. Plus it
>> adds load to the central Hobbit server to deal with all of the
>> logfiles.
>>
>> So - I think some other solution is needed, and I've been thinking
>> about how to do it. So far it's just ideas - no code. But I believe
>> the log checking has to happen on each client, but controlled by
>> a central configuration. So what I plan to implement is something
>> like this:
>>
>> * The configuration of what logs to monitor and what strings to
>> look for is maintained on the central Hobbit server, either as
>> an addition to the hobbit-clients.cfg file, or in a separate
>> file - that isn't really important.
>> * When a client connects and sends in a client-side message, the
>> Hobbit server accepts the client message, but also sends back
>> the current log-check configuration info. By re-using the
>> client connection, the overhead involved in pushing the
>> configuration to each client becomes almost nil.
>> * When the client has a log-check configuration, it knows what logs
>> to check for what strings, and can include that information in
>> the normal client message it sends back to the Hobbit server.
>> That means the client will need a tool to do the logfile checking;
>> probably using a client-side regular-expression matching tool
>> like "grep". It can either be built into the Hobbit client, or
>> it could just rely on the existing "grep" utility found on the
>> system - this would probably be the simplest to implement.
>
> Would it be possible to create a new hobbitd channel that will get
> install with hobbit client. Then add that channel to the syslog.conf
> which is kind a work like a pipe. So when syslog say related to
> /var/adm/messages file get send to the hobbitd channel (or pipe) it will
> scan right away against strings that needs to get alerted about. Also it
> won't store anything in the channel. So there is no chance to scan the
> same string on the same timestamp twice. Also if it is not receiving any
> alert for say 5 mins it will check if syslogd is actually running by
> sending a 'logger' output to the channel.
>
> Sorry if I talking 'no sense' but throwing anything here while the idea
> is still cooking :-)
>
> Thanks
>
>>
>>
>> Regards,
>> Henrik
>>
>>
>> To unsubscribe from the hobbit list, send an e-mail to
>> hobbit-unsubscribe at hswn.dk
>>
>>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> "..there are two kinds of people: those who work and those who take
> the credit...try
> to be in the first group;...less competition there." - Indira Gandhi
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>
>
>
>
>
----- End message from iqbala-hobbit at qwestip.net -----
To unsubscribe from the hobbit list, send an e-mail to
hobbit-unsubscribe at hswn.dk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20051130/78a0e5cf/attachment.html>
More information about the Xymon
mailing list