centralized syslogging & notifications

Russell Adams RLAdams at Kelsey-Seybold.com
Fri Jul 18 16:47:15 CEST 2003


I swear I'm repeating myself. ;]

Every time someone brings up log monitoring, I've mentioned that using
passive notification through Nagios is a great idea, otherwise it's the
wrong tool for the job.

My implementation is to forward all syslogs to a syslog server running
syslog-ng, with a directory hierarchy for host logs. See
www.campin.net.

Next up, use LogSentry or LogMuncher (which requires a patch) to apply
ignore/warn/critical dictionaries against the log files. Reports then
get mailed out to you with anything not in the ignore dictionary (to
handle messages you haven't seen before), anything in the warn
dictionary, and I mail crit entries to my pager. This could be
rerouted to Nagios via passive check, but I don't bother.

Russell

On Thu, Jul 17, 2003 at 05:03:21PM -0500, Carroll, Jim P wrote:
> Greets to all.
> 
> Lately I've been pondering/revisiting the whole issue of how best to
> manage/respond to lines worthy of critical/warning events which show
> up in /var/log/messages.  Here's what I'm doing today:
> 
> - all hosts log to xloghost (alias for another host)
> - xloghost is running NRPE client
> - NRPE kicks off the Perl version of check_log
> - if match found return string/code to NRPE
> 
> Sounds good so far.  However:
> 
> - Nagios reports a problem on 'xloghost', not on the host in question
> - if notifications for host 'foobar' have been disabled, this doesn't
>   stop notifications being relayed from 'xloghost'; if check_log finds
>   a matching string, it doesn't care about host details
> 
> Possible steps to improve the situation:
> 
> - move xloghost (centralized syslogging) to Nagios host
> - munge check_log (Perl version) to inject proper details into nagios.cmd
>   (reporting on actual host, not xloghost), and run from cron
> - additional munge to check_log to possibly report first (not last)
>   line of log output
> 
> Wish list:
> 
> - when syslog catches multiple lines of related output:
>   - the whole lot would be forwarded to the appropriate contacts
>     via e-mail
>   - a modest snippet gets sent to the pager contacts (longer pages
>     can be split into 2 or 3 chunks and sent as separate pages)
>   - the whole lot gets appended (with a separator) to an HTML file
>     which can be accessed via notes_url
> 
> Comments?  Critiques?  Suggestions and improvements?  Enlightened input?
> 
> jc
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: VM Ware
> With VMware you can run multiple operating systems on a single machine.
> WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
> same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
> ::: Messages without supporting info will risk being sent to /dev/null
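The two ideas in this thread (Russell's ignore/warn/critical dictionaries, and Jim's plan to inject results into nagios.cmd attributed to the real host rather than the loghost) fit together in a small cron-driven script. The following is an added example, not code from either poster, LogSentry, LogMuncher or Nagios itself. The dictionaries, hostnames and log lines are constructed for illustration; the `PROCESS_SERVICE_CHECK_RESULT` line format is the real Nagios external-command syntax, and the command-file path is only the usual default, so adjust it to your installation. It reports the first (not last) matching line per host, keeps the worst state seen, and treats anything not in any dictionary as UNKNOWN so new message types surface. Because the originating hostname and message text come straight from the log, it also validates the host field and strips the `;` and newline characters that the command pipe uses as delimiters, so a stray log line cannot add fields or extra commands.

```python
import re
import time

# Nagios plugin return codes used by PROCESS_SERVICE_CHECK_RESULT
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
# Ordering for "worst state wins" (UNKNOWN is numerically 3 but less severe than WARNING)
SEVERITY = {OK: 0, UNKNOWN: 1, WARNING: 2, CRITICAL: 3}

# Assumed dictionaries in the LogSentry/LogMuncher style; the patterns are illustrative only.
IGNORE = [re.compile(p) for p in (
    r"^-- MARK --$",
    r"sshd\[\d+\]: Accepted publickey for",
    r"CRON\[\d+\]: \(root\) CMD",
)]
WARN = [re.compile(p) for p in (
    r"sshd\[\d+\]: Failed password for",
    r"kernel: .*I/O error",
)]
CRIT = [re.compile(p) for p in (
    r"kernel: Out of memory",
    r"su\[\d+\]: .*FAILED SU",
)]

# Traditional BSD syslog line: "Jul 18 16:47:15 host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# Only forward results for hostnames that can legitimately appear in a Nagios host definition
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,253}$")

def classify(msg):
    """Map one message body to a Nagios state: critical first, then warn, then ignore;
    anything matching no dictionary is UNKNOWN so it still gets reported."""
    if any(p.search(msg) for p in CRIT):
        return CRITICAL
    if any(p.search(msg) for p in WARN):
        return WARNING
    if any(p.search(msg) for p in IGNORE):
        return OK
    return UNKNOWN

def sanitize(text, limit=200):
    """Remove the field separator and line terminators of the command-pipe format,
    and cap the length, so log content cannot alter the command's structure."""
    return text.replace(";", ",").replace("\r", " ").replace("\n", " ")[:limit]

def summarize(lines):
    """Return {host: (state, first_matching_line)} with the worst state per host.
    Lines that are not syslog-shaped or carry an invalid hostname are dropped."""
    result = {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or not HOST_RE.match(m.group("host")):
            continue
        host, msg = m.group("host"), m.group("msg")
        state = classify(msg)
        if state == OK:
            continue
        prev = result.get(host)
        # Keep the first line seen unless a later line carries a more severe state
        if prev is None or SEVERITY[state] > SEVERITY[prev[0]]:
            result[host] = (state, line)
    return result

def passive_commands(lines, service="syslog", now=None):
    """Build one PROCESS_SERVICE_CHECK_RESULT command per host, sorted by host."""
    stamp = int(now if now is not None else time.time())
    return [
        "[%d] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s"
        % (stamp, host, service, state, sanitize(line))
        for host, (state, line) in sorted(summarize(lines).items())
    ]

def submit(commands, cmd_file="/usr/local/nagios/var/rw/nagios.cmd"):
    """Write the commands to the Nagios command FIFO (path is the usual default)."""
    with open(cmd_file, "w") as fifo:
        for cmd in commands:
            fifo.write(cmd + "\n")

# Constructed sample input standing in for /var/log/messages on the loghost
SAMPLE = """\
Jul 18 16:40:01 foobar CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jul 18 16:41:12 foobar sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Jul 18 16:41:30 foobar sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Jul 18 16:42:07 dbhost kernel: Out of memory: Killed process 991 (postgres)
Jul 18 16:43:55 webhost sshd[3100]: Accepted publickey for deploy from 192.0.2.20 port 5100 ssh2
Jul 18 16:44:10 webhost ntpd[410]: time reset +0.912 s
Jul 18 16:45:00 foobar -- MARK --
Jul 18 16:46:00 bad;host kernel: Out of memory: Killed process 1 (init)
this line is not syslog-shaped at all
""".splitlines()

if __name__ == "__main__":
    for cmd in passive_commands(SAMPLE):
        print(cmd)
```

Run from cron on the loghost against the per-host files syslog-ng writes, then hand the returned list to `submit()`. Nagios needs `check_external_commands=1` and a passive `syslog` service defined for each host named here; results for hosts it does not know are logged and dropped, which is the behaviour you want for anything unexpected in the host field.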

