Re: [hobbit] hobbitclient + msgs test sugesstion

[Manu <yoogie (at) schurkennetz.de>]

Hi,

Why should the log-entries, hobbit-msg-monitor should look after be 
maintained centrally on the hobbit server? Are important log-entries 
essential on a sql-server as well in every case as on a firewall? I 
think that there are different things on different servers you want 
hobbit to take care about...
Maybe I missed the point...

To reduce overhead, you can use a similar mechanism as logtail does. 
Storing the file offset in conjunction with the inode-id would grant 
you never check an entry twice.

Maybe, having a closer look at logsentry from the sentry-tools 
(http://sourceforge.net/projects/sentrytools) would help finding an 
appropriate way of realizing this.

Kind regards,

Manuel




----- Message from iqbala-hobbit (at) qwestip.net ---------
    Date: Tue, 29 Nov 2005 16:42:21 -0500
    From: Asif Iqbal <iqbala-hobbit (at) qwestip.net>
Reply-To: hobbit (at) hswn.dk
 Subject: Re: [hobbit] hobbitclient + msgs test sugesstion
      To: hobbit (at) hswn.dk


> On Tue, Nov 29, 2005 at 10:09:48PM, Henrik Stoerner wrote:
> > Hi Peter (and anyone else interested),
> >
> > On Tue, Nov 29, 2005 at 08:26:14PM +0100, Peter Welter wrote:
> > >
> > > Since the msgs-check is not available yet in the Hobbit display, I
> > > want to make a suggestion to have it enabled relatively easy. I think
> > > of two methods:
> > >
> > > -1- A client must have read access to the file [client picks out the
> > >     "interesting" bits]
> > >
> > > -2- Your Hobbit server must _also_ be a central loghost. [allows
> > >     centralized configuration of how to monitor the logs]
> >
> > I'm not really thrilled with either of these - sorry! Each of them
> > have some drawbacks: The first one moves the configuration of what
> > logs to monitor away from the central hobbit server, and the
> > second one only works for logs that go through the syslog interface.
> > If I want to monitor e.g. an Apache webserver error-log, or the
> > custom logs from a BEA server, solution 2) won't work. I dont see
> > how it can work with logs from a Windows server either. Plus it
> > adds load to the central Hobbit server to deal with all of the
> > logfiles.
> >
> > So - I think some other solution is needed, and I've been thinking
> > about how to do it. So far it's just ideas - no code. But I believe
> > the log checking has to happen on each client, but controlled by
> > a central configuration. So what I plan to implement is something
> > like this:
> >
> > * The configuration of what logs to monitor and what strings to
> >   look for is maintained on the central Hobbit server, either as
> >   an addition to the hobbit-clients.cfg file, or in a separate
> >   file - that isn't really important.
> > * When a client connects and sends in a client-side message, the
> >   Hobbit server accepts the client message, but also sends back
> >   the current log-check configuration info. By re-using the
> >   client connection, the overhead involved in pushing the
> >   configuration to each client becomes almost nil.
> > * When the client has a log-check configuration, it knows what logs
> >   to check for what strings, and can include that information in
> >   the normal client message it sends back to the Hobbit server.
> >   That means the client will need a tool to do the logfile checking;
> >   probably using a client-side regular-expression matching tool
> >   like "grep". It can either be built into the Hobbit client, or
> >   it could just rely on the existing "grep" utility found on the
> >   system - this would probably be the simplest to implement.
>
> Would it be possible to create a new hobbitd channel that will get
> install with hobbit client. Then add that channel to the syslog.conf
> which is kind a work like a pipe. So when syslog say related to
> /var/adm/messages file get send to the hobbitd channel (or pipe) it will
> scan right away against strings that needs to get alerted about. Also it
> won't store anything in the channel. So there is no chance to scan the
> same string on the same timestamp twice. Also if it is not receiving any
> alert for say 5 mins it will check if syslogd is actually running by
> sending a 'logger' output to the channel.
>
> Sorry if I talking 'no sense' but throwing anything here while the idea
> is still cooking :-)
>
> Thanks
>
> > Regards,
> > Henrik
> >
> >
> > To unsubscribe from the hobbit list, send an e-mail to
> > hobbit-unsubscribe (at) hswn.dk
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> "..there are two kinds of people: those who work and those who take 
> the credit...try
>  to be in the first group;...less competition there."  - Indira Gandhi
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe (at) hswn.dk


----- End message from iqbala-hobbit (at) qwestip.net -----