[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [hobbit] Logfile monitoring - I'd like some comments
- To: <hobbit (at) hswn.dk>
- Subject: RE: [hobbit] Logfile monitoring - I'd like some comments
- From: "Sherman, Larry, GCM" <Larry.Sherman (at) rbsgc.com>
- Date: Wed, 15 Feb 2006 09:34:57 -0500
- Thread-index: AcYxr06PwTPQ8QfLRGGqvVBXl5mhrwAiE8Iw
- Thread-topic: [hobbit] Logfile monitoring - I'd like some comments
I have one concern about the amount of logfile data being sent back to
the server. Our application logfiles our VERY verbose for compliance
reasons, but on a daily basis I don't need 99% of the information. I
would rather have the ability to have the client side agent use the
regex rule to define what part of the file to send back to the server.
IE:
#Machine name
Gsets001
# LODFILE define
$LOG_DIR/some_verbose_app_logfile.log
#Rules for logfile define (string match and contex)
#COLOR STRING NUMLINESABOVE NUMLINESBELOW
RED_STRING /FH DOWN/ 3 4
RED_STRING /BAD Trade/ 10 1
RED_STRING /forced log off from server/ 0 0
$OTHER_LOG_DIR/another_verbose_app_logfile.log
RED_STRING /Slow Consumer/ 2 6
Does this make sense to you?
Larry
-----Original Message-----
From: Henrik Stoerner [mailto:henrik (at) hswn.dk]
Sent: Tuesday, February 14, 2006 4:40 PM
To: hobbit (at) hswn.dk
Subject: [hobbit] Logfile monitoring - I'd like some comments
A few days ago, I mentioned that I would like to do logfile
monitoring for the next Hobbit release.
I've worked a bit on this and have a prototype solution for
it, which you can test with the current snapshots. I'd like
some comments on how it works to make sure I haven't overlooked
something before committing myself.
There are several objectives:
- As far as is possible, logfile monitoring must be configured
centrally, on the Hobbit server. Having to go to each server
to (re)configure what logfiles to check and what to look for
simply doesn't work.
- The amount of data sent from each client to Hobbit should be
small, but it must catch the "important" stuff.
- You rarely know in advance what will be in the logs when you
need them the most. So the monitor should give you as much
of the log entries as possible, not just those lines that
match some pre-defined strings or regex'es.
- Some systems log messages on multiple lines. The system must
be able to show all parts of a log entry.
- Logfile entries must appear on the monitor for some time after
they show up in the logs, but should also disappear after a
while.
In other words: The ideal solution would let you have the entire
logfile available on the Hobbit server - but that obviously
won't work. So the client should - after weeding out the really
irrelevant stuff - send us as much of each logfile as possible.
My proposed solution is this:
- On the Hobbit server, there's a log-monitoring configuration
file for the Hobbit clients. This defines which logfiles are
monitored for a single client installation, or you can define
it for a group of clients. (The idea is to define at least
one group for each operating system, since the standard
system logs are OS dependant). This configuration lists the
log filename, the maximum amount of data to send from this
logfile, a regex "noise" filter (i.e. lines that are stripped
from the logfile), and *optionally* a regex identifying really
interesting stuff in the logfile that should always be
reported.
- When a client connects to the Hobbit server and sends the
normal client message, the Hobbit server will respond with
the logfile configuration for this client. So the client
has a copy of the central configuration file, but only the
part that it needs for itself. The reason for sending this
as a response to the client message is to avoid an extra
round-trip from client to server; piggy-backing the config
push on the client message means that it is almost without
any performance cost on the server side.
- When the client runs, it uses the local copy of the configuration
file to determine what logs to look at. For each logfile, it
maintains a "where-was-I-the-last-time" status, so it only
looks at the entries made to the logfile during the past 30
minutes. First, the client strips off any "noise" messages.
Then, if all of the entries fit into the maximum size that
can be reported, it sends all of the log to the Hobbit server.
If there is more than will fit, it first checks to see of the
regex defining the really interesting stuff is present in the
log - if it is, then it drops anything before the interesting
text. If there is still more than will fit, it keeps the
interesting text + a few lines after that (to allow for
multi-line log-entries which some OS'es have), and then
sends that together with as much of last part the log as will
fit inside the max. message size.
This part has been implemented in the Hobbit daemon (hobbitd),
and in the clients via a new "logfetch" utility. This utility
uses standard regular expressions - not the Perl-compatible
ones, because that would require you to install the PCRE
library on all of your clients. The standard regex routines
are included in all (I think) system libraries used today.
The last part is what happens when the log data arrives on the
Hobbit server. Currently, there's a simple processing of this
data to just dump it into an always-green "msgs" column. What
should happen once I get it coded is:
- Data from each logfile is matched against a set of strings
(regex'es) defined in the hobbit-clients.cfg file. Each string
determines the color (red, yellow, green) and sets the color
of the msgs column accordingly.
When the color has been decided, all of the normal alerting
happens automatically. I do plan on making a more fine-grained
alert mechanism (for the msgs, procs and disk statuses) so you
can direct alerts to different groups depending on exactly
which log-message triggered the alert, but that will not be
part of this release.
So - how does that sound ? Anything I've missed ?
Regards,
Henrik
To unsubscribe from the hobbit list, send an e-mail to
hobbit-unsubscribe (at) hswn.dk
-----------------------------------------
*******************************************************************
*
This e-mail is intended only for the addressee named above.
As this e-mail may contain confidential or privileged information,
if you are not the named addressee, you are not authorized
to retain, read, copy or disseminate this message or any part of
it.
*******************************************************************
*