Hi,

I am seeing where you come from. That's the million-dollar question ;) I suggest you also post to the loganalysis list, that's probably a better place than over here:

http://www.loganalysis.org/mailman/listinfo/loganalysis

Let me hijack this thread to share an idea. Rsyslog has a lot of infrastructure in place. Once I am finished with the essentials (which will of course be in a few months...), I'd like to put that infrastructure to better use than just drive the simple outputs we currently have. One thing I have on my mind is an output plugin which stores (hashes) of all messages within a timeframe (e.g. last 7 days). Then, when a new message comes in, it compares it to all previous messages and emits a special message itself if the message occurred less than "n" times in the past. I think this goes into the direction of what you are looking for. But would it generally be considered to be a useful idea? Even though we are months away from an implementation, feedback would be very valuable to me as it helps me shape my mid- to long-term direction.

Rainer

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stephen Carville
> Sent: Thursday, March 06, 2008 8:44 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Log watch software
>
> On Thu, Mar 6, 2008 at 9:55 AM, Rainer Gerhards <[EMAIL PROTECTED]> wrote:
> > I am not so involved with logwatch. Let me ask feature-wise: what
> > capabilities do you need to do the job?
>
> About 99% of what's in messages or secure is trivia. JoeBob logged in, ran a sudo command and logged off. An authenticated mount request was received from ip.add.re.ss. That sort of thing. What I'm looking for is a parser that can pick out the (hopefully) rare messages that indicate a problem like a disk drive is reporting errors.
>
> I can modify big brother and logwatch to do this but I am curious if anyone has a favorite package I haven't heard of yet.
>
> > Rainer
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:rsyslog-[EMAIL PROTECTED] On Behalf Of Stephen Carville
> > > Sent: Thursday, March 06, 2008 6:54 PM
> > > To: rsyslog-users
> > > Subject: [rsyslog] Log watch software
> > >
> > > I have a centralized repository using rsyslog and syslog to mirror /var/log/messages, /var/log/secure, and information messages from cfengine. In the near future I hope to get auditd reporting to a central server. My immediate task is to add some log analysis software on the central server. I've started modifying LogWatch to work with MySQL -- that's pretty straightforward -- but I'm curious what other solutions there may be out there. FOSS is preferred but I'm not against a reasonably priced commercial product. So far everything Google has returned are commercial products for Windows systems.
> > >
> > > --
> > > Stephen Carville
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
>
> --
> Stephen Carville
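As an added example (not rsyslog code, and nothing the thread itself implements), here is a small Python prototype of the sliding-window idea above: hash each message with its variable parts masked, remember sightings for the window, and emit an alert when the same message has been seen fewer than "n" times before. The normalisation regex, the threshold and the sample log lines are my own assumptions.

```python
import hashlib
import re
from collections import deque

# Sliding-window "rare message" detector: a hypothetical prototype of the
# idea in the thread, not rsyslog code. Every message is hashed, its hash is
# remembered for WINDOW_SECONDS, and a message is reported when the same
# hash was seen fewer than THRESHOLD times inside the window.

WINDOW_SECONDS = 7 * 24 * 3600  # "last 7 days"
THRESHOLD = 3                   # "n": fewer prior hits than this means rare

# Constructed normalisation: mask digit and hex runs so PIDs, addresses and
# counters inside a message do not turn every line into a unique hash.
_VARIABLE = re.compile(r"0x[0-9a-fA-F]+|\d+")

def message_key(msg):
    """Hash of the message with its variable parts masked."""
    return hashlib.sha256(_VARIABLE.sub("#", msg).encode()).hexdigest()

class RareMessageDetector:
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.seen = {}  # message_key -> deque of timestamps still in the window

    def process(self, ts, msg):
        """Record one message; return an alert line if it is rare, else None."""
        hits = self.seen.setdefault(message_key(msg), deque())
        while hits and ts - hits[0] > self.window:  # expire old sightings
            hits.popleft()
        prior = len(hits)
        hits.append(ts)
        if prior < self.threshold:
            return "RARE (seen %d times in window): %s" % (prior, msg)
        return None

def run(events, detector=None):
    """Feed (timestamp, message) pairs in order; return the alerts emitted."""
    det = detector or RareMessageDetector()
    return [a for a in (det.process(ts, m) for ts, m in events) if a]

# Constructed sample: ten routine sudo lines (differing only in PID/TTY),
# then one disk error of the kind the thread wants surfaced.
SAMPLE = [(t, "sudo: joebob : TTY=pts/%d ; COMMAND=/bin/ls ; pid=%d"
           % ((t // 60) % 3, 1000 + t)) for t in range(0, 600, 60)]
SAMPLE.append((700, "kernel: sd 0:0:0:0: [sda] Unrecovered read error"))
```

Note the cold-start effect: the first few sudo lines are also reported as rare until the window has filled, so a real deployment would warm up on historical logs before it starts alerting.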

