[clug] logcheck or logwatch?
Alex Satrapa
grail at goldweb.com.au
Wed Jun 1 02:09:39 GMT 2005
On 1 Jun 2005, at 11:44, Stephen Granger wrote:
> Against logwatch
> If the syslogs are being collected by one single syslog server all the
> information of all the servers being logged is presented in the
> logwatch email and you can't tell what messages have come from where.
I have logwatch installed on our systems here, and that's exactly the
issue I hate the most about it. The hostname is present on each line
of the log file, why can't it use that? Silly... one day I might even
care enough about it to go and make the changes required to support
running logwatch on a central syslog host.
Biggest complaint from me so far is that I have no way of filtering
out kernel messages such as those presented at boot time (you know,
the display of the ACPI interrupt table, initialising the IDE
interface, checking the bogomips, etc) without adding all billion two
hundred and 35 million and three startup messages to the "ignore"
list (which gets trampled with the immediately following Debian
upgrade).
At least all the noise is easily parsed, and usually if I see
Logwatch messages about a particular service, I know which machine
the service is running on.
Perhaps a change I can make myself (and submit to upstream) is to
have a local config file containing regexes for log messages that can
be safely ignored.
> I am also using nagios to monitor the availability of system services.
I use mon for the same thing.
I use snort for "intrusion detection" - one should assume that the
logs will not contain useful information about an intrusion. The
snort logs get happily slurped up by Logwatch. Next step is to get
snort to send me Jabber messages for important events (and then
generate some important events to get Snort to send me a Jabber
message - I'm sure that activity will make me popular with the ANU
network manager).
Alex
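The two complaints in the post above (a central syslog host losing per-machine attribution, and boot-time kernel noise that can only be silenced by a brittle ignore list) are both simple to address in a small reporter that keys on the hostname field and reads its ignore regexes from a local list. The script below is an added example and is not code from the post, from logwatch or from logcheck; the syslog lines and the ignore patterns are constructed for the demonstration, and the "local config" is modelled as a list in the script rather than a file.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in classic BSD syslog form, as a central syslog
# host would store them: timestamp, originating hostname, then the message.
SAMPLE_LOG = """\
Jun  1 02:01:12 web1 kernel: ACPI: Interpreter enabled
Jun  1 02:01:12 web1 kernel: hda: IC35L060AVV207-0, ATA DISK drive
Jun  1 02:01:13 web1 kernel: Calibrating delay loop... 3989.50 BogoMIPS
Jun  1 02:05:44 web1 sshd[1234]: Accepted publickey for alex from 10.0.0.5 port 51234 ssh2
Jun  1 02:06:01 db1 kernel: ACPI: Interpreter enabled
Jun  1 02:07:30 db1 sshd[987]: Failed password for root from 10.0.0.9 port 4022 ssh2
Jun  1 02:08:10 db1 CRON[1000]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed "safe to ignore" patterns. In a real deployment these would sit
# in a site-local file (kept outside any package-managed path, so a Debian
# upgrade cannot trample them) and be matched against the message part only,
# never against the timestamp or hostname.
IGNORE_PATTERNS = [
    r"^kernel: ACPI: ",
    r"^kernel: hd[a-z]: .* ATA DISK drive$",
    r"^kernel: Calibrating delay loop",
    r"^CRON\[\d+\]: \(root\) CMD ",
]

# BSD syslog line: "Mon dd hh:mm:ss host message"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_line(line):
    """Return (hostname, message) for a syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    return m.group("host"), m.group("msg")


def compile_ignores(patterns):
    """Compile the ignore list once; a bad regex fails loudly here, not mid-run."""
    return [re.compile(p) for p in patterns]


def report(text, ignore_patterns=IGNORE_PATTERNS):
    """Split a multi-host syslog into per-host kept messages and ignore counts.

    Returns a dict with:
      kept     - {host: [message, ...]} for lines that matched no ignore pattern
      ignored  - {host: count} of lines suppressed by the ignore list
      unparsed - lines that did not look like syslog at all (never silently dropped)
    """
    ignores = compile_ignores(ignore_patterns)
    kept = defaultdict(list)
    ignored = Counter()
    unparsed = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            unparsed.append(line)
            continue
        host, msg = parsed
        if any(rx.search(msg) for rx in ignores):
            ignored[host] += 1
        else:
            kept[host].append(msg)
    return {"kept": dict(kept), "ignored": dict(ignored), "unparsed": unparsed}


def render(result):
    """Format the report the way a per-host digest e-mail would read."""
    lines = []
    for host in sorted(set(result["kept"]) | set(result["ignored"])):
        lines.append(f"=== {host} ({result['ignored'].get(host, 0)} lines ignored) ===")
        lines.extend("  " + m for m in result["kept"].get(host, []))
    if result["unparsed"]:
        lines.append("=== unparsed lines ===")
        lines.extend("  " + m for m in result["unparsed"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(report(SAMPLE_LOG)))
```

Run stand-alone it prints one section per originating host, so the sshd failure on db1 is reported against db1 rather than lost in a merged digest, while the boot-time ACPI, IDE and BogoMIPS chatter is counted rather than listed. Keeping the count of ignored lines in the output is deliberate: a host that suddenly ignores thousands of lines, or zero, is itself worth a look.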