
Correlating log messages with syslog-ng

Correlating log messages with syslog-ng

Posted Jan 29, 2011 4:06 UTC (Sat) by Klavs (subscriber, #10563)
Parent article: Correlating log messages with syslog-ng

I'm not sure if syslog-ng has this, but there's one thing I've never understood with various logcheck utilities.

They all tend to be "permissive" - i.e. they only check for things they know to check for - and thus don't catch the odd log entries, which are often the ones you'd particularly want to know about (and can't match for, as the events are seldom and you don't know how they look exactly, unless you make sure to check the source code for each version of all software you're running).

To solve it for me, I added a small feature to swatch (so it starts a logfile from where it was last - so you can scan the same file every minute, and only get new events) - and wrote swatch rules for each logfile (so it only checks the one relevant for this logfile - and outputs all that wasn't specifically discarded).

I wrote about it on my blog, and posted the rewritten swatch: http://blog.klavsen.info/content/1-way-do-proper-log-moni...


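The approach described in the comment above, as an added example that is not part of the original post or of the poster's swatch patch: a small Python (not Perl/swatch) scanner that remembers how far it read each logfile between runs, resets when the file is rotated or truncated, and applies a per-logfile allow-list of known-benign patterns, reporting every line that nothing matched. The logfile name, ignore patterns and syslog-style sample lines are all constructed for the example.

```python
"""Deny-by-default log scanning with a persisted read offset.

Run periodically (e.g. every minute from cron): each run reads only the bytes
appended since the previous run, drops lines matching the known-benign patterns
for that logfile, and reports everything else, so unfamiliar events are never
silently dropped.
"""
import json
import os
import re
import tempfile

# Per-logfile allow-lists of known-benign patterns (constructed for this example).
IGNORE_RULES = {
    "auth.log": [
        r"sshd\[\d+\]: Accepted publickey for \w+ from ",
        r"CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed)",
    ],
}


def load_state(state_path):
    """Read {logfile: {"inode": int, "offset": int}}, or start empty."""
    try:
        with open(state_path) as fh:
            return json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return {}


def save_state(state_path, state):
    with open(state_path, "w") as fh:
        json.dump(state, fh)


def read_new_lines(log_path, state):
    """Return complete lines appended since the last run and advance the offset."""
    st = os.stat(log_path)
    prev = state.get(log_path, {"inode": None, "offset": 0})
    offset = prev["offset"]
    # Rotated (new inode) or truncated (file shrank below our offset): start from
    # the top instead of seeking past the end and missing everything.
    if prev["inode"] != st.st_ino or st.st_size < offset:
        offset = 0
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    # Consume whole lines only; a partial trailing line is left for the next run.
    end = data.rfind(b"\n") + 1
    state[log_path] = {"inode": st.st_ino, "offset": offset + end}
    return data[:end].decode("utf-8", "replace").splitlines()


def unexpected(lines, patterns):
    """Deny-by-default filter: keep every line that no ignore pattern matches."""
    compiled = [re.compile(p) for p in patterns]
    return [ln for ln in lines if not any(c.search(ln) for c in compiled)]


def scan(log_path, state_path, patterns):
    state = load_state(state_path)
    lines = read_new_lines(log_path, state)
    save_state(state_path, state)
    return unexpected(lines, patterns)


def demo():
    """Three consecutive runs over a constructed auth.log: initial, append, truncate."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "auth.log")
    state_path = os.path.join(workdir, "scan-state.json")
    rules = IGNORE_RULES["auth.log"]

    with open(log_path, "w") as fh:  # constructed sample lines
        fh.write(
            "Jan 29 04:06:01 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2\n"
            "Jan 29 04:06:02 host CRON[1240]: pam_unix(cron:session): session opened for user root by (uid=0)\n"
            "Jan 29 04:06:09 host sshd[1250]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2\n"
            "Jan 29 04:06:10 host kernel: [12345.6] usb 1-1: new high-speed USB device number 4\n"
        )
    first = scan(log_path, state_path, rules)

    with open(log_path, "a") as fh:  # only these two lines are new on the second run
        fh.write(
            "Jan 29 04:07:00 host CRON[1240]: pam_unix(cron:session): session closed for user root\n"
            "Jan 29 04:07:05 host sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash\n"
        )
    second = scan(log_path, state_path, rules)

    with open(log_path, "w") as fh:  # copytruncate-style rotation: same inode, file shrinks
        fh.write(
            "Jan 29 04:08:00 host sshd[1300]: Accepted publickey for alice from 10.0.0.5 port 51300 ssh2\n"
            "Jan 29 04:08:01 host sshd[1300]: Received disconnect from 10.0.0.5 port 51300:11: disconnected by user\n"
        )
    third = scan(log_path, state_path, rules)
    return first, second, third


if __name__ == "__main__":
    for run, hits in zip(("first", "second", "third"), demo()):
        print(f"{run} run: {len(hits)} unexpected line(s)")
        for hit in hits:
            print("  ", hit)
```

The first run reports the failed login and the kernel line, the second only the sudo line (the closed-session line is covered by the allow-list), and the third only the disconnect line, because the truncation reset the offset instead of leaving the scanner stuck past the end of the file. The ignore list is per logfile on purpose: a pattern that is harmless in auth.log should not be able to hide a line in another log.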

Correlating log messages with syslog-ng

Posted Jan 31, 2011 17:00 UTC (Mon) by nicolas@jungers (✭ supporter ✭, #7579)

I'm a logcheck user and it's the reverse that happens, logcheck uses active ignorance, letting everything go through except for what was explicitly tagged to be ignored.

Copyright © 2013, Eklektix, Inc.