favorite log monitoring tool
Tom Metro
blu-5a1Jt6qxUNc at public.gmane.org
Tue Jun 12 14:31:34 EDT 2007
What's your favorite log monitoring tool?
While some might argue that tools that can perform active service
monitoring, like Nagios, are a better approach, I tend to think that
tracking what daemons are writing to logs is also important. Tools like
Nagios undoubtedly have plug-ins available to track logs, but such tools
can be overkill for a small server.
I looked at a few tools suitable for a Debian server and here's what I
found:
Logcheck
http://logcheck.org/
As recommended by this article:
http://www.debian-administration.org/articles/278
Implementation: shell script, some C
Pros:
-Uses egrep patterns to filter logs.
-Many Debian packages include corresponding logcheck filters.
Cons:
-It apparently lumps together all the log files, sorts them, and then
applies the filters. The result is that reports contain lines from
multiple log files mixed together. It appears that you also have to be
careful when constructing filters, as they aren't specific to a
particular log file.
-It's line oriented, which means I don't think it can deal with tracking
sequences of events, like only reporting a line matching X if it comes
after a line matching Y.
-It doesn't run as root (which is obviously good from a security
perspective), so it took a while to get the permissions and ownership
adjusted on all log files so it could read them.
-"Out of the box" it didn't produce useful reports.
SWATCH: The Simple WATCHer of Logfiles
http://swatch.sourceforge.net/
Implementation: Perl
Pros:
-Config file can incorporate Perl routines, so in theory it should be
able to handle any type of filtering or sequence matching requirement.
Cons:
-The man page made several references to legacy configuration file
formats and directives, which gave the impression of crufty old code.
-The Debian package didn't seem to include any documentation on writing
configuration files or a sample configuration.
-"Out of the box" it isn't configured to do anything.
Logwatch
http://www2.logwatch.org:81/
Implementation: Perl
Pros:
-In addition to configuration files, each type of log file has a
"driver" written in Perl, to provide unlimited filtering and matching
possibilities. This arrangement permits monitoring things other than log
files, such as running and parsing the output of 'df', which starts to
overlap with a more general purpose system monitoring tool.
-The only tool I've tried so far that produces useful reports "Out of
the box." Each service with unusual activity gets its own clearly
labeled section in the generated email. I'll still need to customize it
for local log files that are in non-standard paths or are for custom
daemons, but a good start.
Cons:
-It has a somewhat complex file structure for storing configuration
files, with the package supplied defaults located in
/usr/share/logwatch/, and your local overrides going into various
subdirectories below /etc/logwatch. Flexible, but perhaps more
complicated than it needs to be.
I'll likely invest time in customizing Logwatch, unless someone suggests
something better.
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
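The distinction drawn above between line-oriented egrep filtering (what logcheck does) and matching a sequence of events (what a Perl hook in swatch or a logwatch driver could do) is illustrated below with an added example. It is not code from the original post or from any of the three tools; the syslog lines, hostnames, addresses, ignore patterns and the three-failures threshold are all constructed for the illustration.

```python
"""Added example: line-oriented ignore filtering versus a stateful
sequence rule, run over constructed syslog lines.  Not part of the
original post, logcheck, swatch or logwatch."""
import re

# Constructed sample log (hypothetical host, users and addresses).
SAMPLE_LOG = """\
Jun 12 14:20:01 web1 sshd[2210]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jun 12 14:20:03 web1 sshd[2210]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jun 12 14:20:05 web1 sshd[2210]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jun 12 14:20:07 web1 sshd[2210]: Accepted password for root from 192.0.2.10 port 40122 ssh2
Jun 12 14:21:00 web1 cron[2301]: (root) CMD (run-parts /etc/cron.hourly)
Jun 12 14:22:15 web1 sshd[2350]: Accepted publickey for tom from 198.51.100.7 port 51000 ssh2
"""

# logcheck-style "ignore" rules: a line matching any pattern is routine
# and is dropped; everything else is reported.  Patterns are assumed.
IGNORE_PATTERNS = [
    re.compile(r"cron\[\d+\]: \(root\) CMD \("),
    re.compile(r"sshd\[\d+\]: Accepted publickey for "),
]


def line_filter(lines, ignore=IGNORE_PATTERNS):
    """Line-oriented filtering: each line is judged on its own, so the
    three failures and the later success are reported as unrelated lines."""
    return [line for line in lines if not any(p.search(line) for p in ignore)]


# Patterns for the stateful rule.  Both capture (user, source address).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+) ")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) ")


def sequence_filter(lines, threshold=3):
    """Sequence rule ("report X only if it follows Y"): report an
    'Accepted' line only when at least `threshold` 'Failed' lines for the
    same user and source address came before it.  A bare line filter
    cannot express this because it carries no state between lines."""
    failures = {}  # (user, source) -> count of failed logins seen so far
    alerts = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            key = m.groups()
            failures[key] = failures.get(key, 0) + 1
            continue
        m = ACCEPTED.search(line)
        if m:
            key = m.groups()
            if failures.get(key, 0) >= threshold:
                alerts.append(line)
            failures.pop(key, None)  # a success resets the counter
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("line-oriented report:")
    for line in line_filter(lines):
        print("  " + line)
    print("sequence report (success after repeated failures):")
    for line in sequence_filter(lines):
        print("  " + line)
```

The line filter reports four lines from the sample (three failures and the root login), leaving the reader to spot the relationship; the sequence rule reports only the root login that followed the three failures and stays silent on the key-based login for tom, which had no preceding failures.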