[hobbit] Logfile monitoring - I'd like some comments

Sherman, Larry, GCM Larry.Sherman at rbsgc.com
Wed Feb 15 15:34:57 CET 2006


I have one concern about the amount of logfile data being sent back to
the server.  Our application logfiles our VERY verbose for compliance
reasons, but on a daily basis I don't need 99% of the information.  I
would rather have the ability to have the client side agent use the
regex rule to define what part of the file to send back to the server.

IE:

#Machine name
Gsets001
# LODFILE define
$LOG_DIR/some_verbose_app_logfile.log
#Rules for logfile define (string match and contex)
#COLOR	STRING	NUMLINESABOVE NUMLINESBELOW	
RED_STRING	/FH DOWN/	3              4
RED_STRING	/BAD Trade/ 10             1
RED_STRING	/forced log off from server/	0	0
$OTHER_LOG_DIR/another_verbose_app_logfile.log
RED_STRING	/Slow Consumer/	2	    6

Does this make sense to you?

Larry


-----Original Message-----
From: Henrik Stoerner [mailto:henrik at hswn.dk] 
Sent: Tuesday, February 14, 2006 4:40 PM
To: hobbit at hswn.dk
Subject: [hobbit] Logfile monitoring - I'd like some comments

A few days ago, I mentioned that I would like to do logfile
monitoring for the next Hobbit release.

I've worked a bit on this and have a prototype solution for
it, which you can test with the current snapshots. I'd like
some comments on how it works to make sure I haven't overlooked
something before committing myself.

There are several objectives:
- As far as is possible, logfile monitoring must be configured
  centrally, on the Hobbit server. Having to go to each server
  to (re)configure what logfiles to check and what to look for
  simply doesn't work.
- The amount of data sent from each client to Hobbit should be
  small, but it must catch the "important" stuff.
- You rarely know in advance what will be in the logs when you
  need them the most. So the monitor should give you as much
  of the log entries as possible, not just those lines that
  match some pre-defined strings or regex'es.
- Some systems log messages on multiple lines. The system must
  be able to show all parts of a log entry.
- Logfile entries must appear on the monitor for some time after
  they show up in the logs, but should also disappear after a
  while.

In other words: The ideal solution would let you have the entire
logfile available on the Hobbit server - but that obviously 
won't work. So the client should - after weeding out the really 
irrelevant stuff - send us as much of each logfile as possible.

My proposed solution is this:
- On the Hobbit server, there's a log-monitoring configuration
  file for the Hobbit clients. This defines which logfiles are
  monitored for a single client installation, or you can define
  it for a group of clients. (The idea is to define at least 
  one group for each operating system, since the standard
  system logs are OS dependant). This configuration lists the
  log filename, the maximum amount of data to send from this
  logfile, a regex "noise" filter (i.e. lines that are stripped
  from the logfile), and *optionally* a regex identifying really
  interesting stuff in the logfile that should always be 
  reported.
- When a client connects to the Hobbit server and sends the
  normal client message, the Hobbit server will respond with
  the logfile configuration for this client. So the client
  has a copy of the central configuration file, but only the
  part that it needs for itself. The reason for sending this
  as a response to the client message is to avoid an extra
  round-trip from client to server; piggy-backing the config
  push on the client message means that it is almost without
  any performance cost on the server side.
- When the client runs, it uses the local copy of the configuration
  file to determine what logs to look at. For each logfile, it
  maintains a "where-was-I-the-last-time" status, so it only
  looks at the entries made to the logfile during the past 30
  minutes. First, the client strips off any "noise" messages.
  Then, if all of the entries fit into the maximum size that
  can be reported, it sends all of the log to the Hobbit server.
  If there is more than will fit, it first checks to see of the
  regex defining the really interesting stuff is present in the
  log - if it is, then it drops anything before the interesting
  text. If there is still more than will fit, it keeps the
  interesting text + a few lines after that (to allow for
  multi-line log-entries which some OS'es have), and then
  sends that together with as much of last part the log as will
  fit inside the max. message size.

This part has been implemented in the Hobbit daemon (hobbitd),
and in the clients via a new "logfetch" utility. This utility
uses standard regular expressions - not the Perl-compatible
ones, because that would require you to install the PCRE
library on all of your clients. The standard regex routines
are included in all (I think) system libraries used today.

The last part is what happens when the log data arrives on the
Hobbit server. Currently, there's a simple processing of this
data to just dump it into an always-green "msgs" column. What
should happen once I get it coded is:
- Data from each logfile is matched against a set of strings 
  (regex'es) defined in the hobbit-clients.cfg file. Each string 
  determines the color (red, yellow, green) and sets the color
  of the msgs column accordingly.

When the color has been decided, all of the normal alerting
happens automatically. I do plan on making a more fine-grained
alert mechanism (for the msgs, procs and disk statuses) so you
can direct alerts to different groups depending on exactly 
which log-message triggered the alert, but that will not be
part of this release.


So - how does that sound ? Anything I've missed ?


Regards,
Henrik


To unsubscribe from the hobbit list, send an e-mail to
hobbit-unsubscribe at hswn.dk




-----------------------------------------
*******************************************************************
*

This e-mail is intended only for the addressee named above.
As this e-mail may contain confidential or privileged information,
if you are not the named addressee, you are not authorized
to retain, read, copy or disseminate this message or any part of
it.

*******************************************************************
*




More information about the Xymon mailing list