[clug] logcheck or logwatch?

Alex Satrapa grail at goldweb.com.au
Wed Jun 1 02:09:39 GMT 2005


On 1 Jun 2005, at 11:44, Stephen Granger wrote:

> Against logwatch
> If the syslogs are being collected by one single syslog server all the
> information of all the servers being logged is presented in the logwatch
> email and you can't tell what messages have come from where.

I have logwatch installed on our systems here, and that's exactly the  
issue I hate the most about it. The hostname is present on each line  
of the log file, why can't it use that? Silly... one day I might even  
care enough about it to go and make the changes required to support  
running logwatch on a central syslog host.

Biggest complaint from me so far is that I have no way of filtering  
out kernel messages such as those presented at boot time (you know,  
the display of the ACPI interrupt table, initialising the IDE  
interface, checking the bogomips, etc) without adding all billion two  
hundred and 35 million and three startup messages to the "ignore"  
list (which gets trampled with the immediately following Debian  
upgrade).

At least all the noise is easily parsed, and usually if I see  
Logwatch messages about a particular service, I know which machine  
the service is running on.

Perhaps a change I can make myself (and submit to upstream) is to  
have a local config file containing regexes for log messages that can  
be safely ignored.

> I am also using nagios to monitor the availability of system services.

I use mon for the same thing.

I use snort for "intrusion detection" - one should assume that the  
logs will not contain useful information about an intrusion. The  
snort logs get happily slurped up by Logwatch. Next step is to get  
snort to send me Jabber messages for important events (and then  
generate some important events to get Snort to send me a Jabber  
message - I'm sure that activity will make me popular with the ANU  
network manager).

Alex
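The two complaints above (a central syslog host whose report loses the per-host split, and boot-time kernel noise that can only be suppressed by listing every message) are the same problem: a reporter that ignores the hostname field and has no local ignore list. The script below is an added illustration of the approach the post sketches, not code from the post or from logwatch. It parses classic BSD-syslog lines (timestamp, hostname, program[pid], message), drops anything matching a regex in a local ignore file, and groups what survives by host. The sample log lines and the ignore-list format are constructed for this example; logwatch's real configuration works differently.

```python
import re
from collections import defaultdict

# Constructed sample of a central syslog file: two hosts, kernel boot noise
# mixed with lines an administrator would actually want to read.
SAMPLE_LOG = """\
Jun  1 02:01:01 web1 kernel: ACPI: Interpreter enabled
Jun  1 02:01:01 web1 kernel: hda: IC35L040AVVN07-0, ATA DISK drive
Jun  1 02:01:02 web1 kernel: Calibrating delay loop... 3997.69 BogoMIPS
Jun  1 02:01:05 web1 sshd[812]: Accepted publickey for alex from 10.0.0.5 port 51234 ssh2
Jun  1 02:01:09 db1 kernel: ide0: BM-DMA at 0xf000-0xf007
Jun  1 02:01:10 db1 sshd[640]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Jun  1 02:01:11 db1 su[702]: pam_unix(su:auth): authentication failure; logname=bob uid=1001
"""

# Constructed local ignore list (hypothetical format): one regex per line,
# matched against "program: message" so a rule can be tied to a program.
# Blank lines and '#' comments are skipped. Keeping this in a separate file
# is what lets it survive a package upgrade that replaces the stock config.
IGNORE_CONF = r"""
# kernel boot-time noise
^kernel: ACPI:
^kernel: hd[a-z]: .*ATA DISK drive$
^kernel: Calibrating delay loop
^kernel: ide\d+: BM-DMA
"""

# BSD syslog line as written by a central syslogd: the hostname is field two.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_line(line):
    """Return (host, program, message) or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.group("host"), m.group("prog"), m.group("msg")


def load_ignore_patterns(text):
    """Compile the ignore list; a bad regex names its line so it can be fixed."""
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        try:
            patterns.append(re.compile(rule))
        except re.error as exc:
            raise ValueError(f"ignore list line {lineno}: {exc}") from exc
    return patterns


def triage(log_text, patterns):
    """Split a central syslog into per-host kept lines.

    Returns (kept, dropped, unparsed): kept maps host -> ["prog: msg", ...],
    dropped maps host -> number of lines suppressed by the ignore list, and
    unparsed lists lines that did not look like syslog at all (never silently
    discarded, since a malformed line is itself worth seeing).
    """
    kept = defaultdict(list)
    dropped = defaultdict(int)
    unparsed = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            unparsed.append(line)
            continue
        host, prog, msg = parsed
        entry = f"{prog}: {msg}"
        if any(p.search(entry) for p in patterns):
            dropped[host] += 1
        else:
            kept[host].append(entry)
    return dict(kept), dict(dropped), unparsed


if __name__ == "__main__":
    rules = load_ignore_patterns(IGNORE_CONF)
    kept, dropped, unparsed = triage(SAMPLE_LOG, rules)
    for host in sorted(set(kept) | set(dropped)):
        print(f"== {host}: {len(kept.get(host, []))} kept, {dropped.get(host, 0)} ignored")
        for entry in kept.get(host, []):
            print("   " + entry)
    if unparsed:
        print(f"== {len(unparsed)} unparseable line(s):", *unparsed, sep="\n   ")
```

Run as-is it prints one section per host, so the sshd failure and the su failure are reported under `db1` rather than lost in a pooled list, and the four boot messages disappear without a rule per message. The ignored count is printed per host on purpose: a sudden jump in suppressed lines is itself a signal worth a glance.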