
Mailing List Archive: RSyslog: users

Trigger mechanism in Rsyslog

 

 



kaushalshriyan at gmail

Dec 18, 2011, 2:27 PM

Post #1 of 13 (1151 views)
Permalink
Trigger mechanism in Rsyslog

Hi,

Is there a trigger feature available in Rsyslog meaning if for example
rsyslog detects any disk failure or memory failure or any hardware failure
and also it may be a software bug or critical error on any client host, it
should trigger an event in the form of sms or email to the administrator.

Regards,

Kaushal
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


rpkelly22 at gmail

Dec 18, 2011, 2:51 PM

Post #2 of 13 (1129 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

> Is there a trigger feature available in Rsyslog meaning if for example
> rsyslog detects any disk failure or memory failure or any hardware failure
> and also it may be a software bug or critical error on any client host, it
> should trigger an event in the form of sms or email to the administrator.
Please check out the ommail module. You can then configure rsyslog to
match on certain log messages containing the failures you are talking
about and send email to administrators (or to an email-to-sms gateway).

-Ryan Kelly



kaushalshriyan at gmail

Dec 18, 2011, 3:07 PM

Post #3 of 13 (1133 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

On Mon, Dec 19, 2011 at 4:21 AM, Ryan Kelly <rpkelly22 [at] gmail> wrote:

> > Is there a trigger feature available in Rsyslog meaning if for example
> > rsyslog detects any disk failure or memory failure or any hardware
> failure
> > and also it may be a software bug or critical error on any client host,
> it
> > should trigger an event in the form of sms or email to the administrator.
> Please check out the ommail module. You can then configure rsyslog to
> match on certain log messages containing the failures you are talking
> about and send email to administrators (or to an email-to-sms gateway).
>
> -Ryan Kelly
>
>
Hi Ryan,

Thanks for the quick reply. I have around 200 client hosts which push
syslog to a Remote Centralized Rsyslog server. Do I need to use
http://rsyslog.com/doc/ommail.html on all 200 client hosts, or can it be
set up only on the Remote Centralized Rsyslog server?

Please suggest

Thanks and Regards,

Kaushal




rpkelly22 at gmail

Dec 18, 2011, 3:25 PM

Post #4 of 13 (1129 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

> Thanks for the quick reply, I have around 200 client hosts which pushes
> syslog to a Remote Centralized Rsyslog server. Do i need to use
> http://rsyslog.com/doc/ommail.html on all 200 client hosts or can it be
> setup only on Remote Centralized Rsyslog server.
It can be set up just on the centralized server, assuming those messages
you are interested in are actually being forwarded to that server.

-Ryan Kelly



kaushalshriyan at gmail

Dec 18, 2011, 3:48 PM

Post #5 of 13 (1128 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

On Mon, Dec 19, 2011 at 4:55 AM, Ryan Kelly <rpkelly22 [at] gmail> wrote:

> > Thanks for the quick reply, I have around 200 client hosts which pushes
> > syslog to a Remote Centralized Rsyslog server. Do i need to use
> > http://rsyslog.com/doc/ommail.html on all 200 client hosts or can it be
> > setup only on Remote Centralized Rsyslog server.
> It can be setup just on the centralized server, assuming those messages
> you are interested in are actually being forwarded to that server.
>
>
Thanks Ryan and any further use cases or several examples regarding
$template (*Configuration Directives*) as mentioned in
http://rsyslog.com/doc/ommail.html

Please suggest.

Regards

Kaushal


kaushalshriyan at gmail

Dec 18, 2011, 8:00 PM

Post #6 of 13 (1127 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

On Mon, Dec 19, 2011 at 5:18 AM, Kaushal Shriyan
<kaushalshriyan [at] gmail> wrote:

>
>
> On Mon, Dec 19, 2011 at 4:55 AM, Ryan Kelly <rpkelly22 [at] gmail> wrote:
>
>> > Thanks for the quick reply, I have around 200 client hosts which pushes
>> > syslog to a Remote Centralized Rsyslog server. Do i need to use
>> > http://rsyslog.com/doc/ommail.html on all 200 client hosts or can it be
>> > setup only on Remote Centralized Rsyslog server.
>> It can be setup just on the centralized server, assuming those messages
>> you are interested in are actually being forwarded to that server.
>>
>>
> Thanks Ryan and any further use cases or several examples regarding
> $template (*Configuration Directives*) as mentioned in
> http://rsyslog.com/doc/ommail.html
>
> Please suggest.
>
> Regards
>
> Kaushal
>

Hi,

I am referring to http://rsyslog.com/doc/ommail.html to set email or sms
alerts using the email-to-sms feature.
Basically I am interested in various conditions or strings which can be
captured or trapped and posted to the user.

For example "if $msg contains 'hard disk fatal failure' then
:ommail:;mailBody" as per that link.

So how would I know what strings I can expect if there is a hardware or
software error in the syslog?
I mean the typical error description for a specific problem.

Please guide me

Regards

Kaushal


kaushalshriyan at gmail

Dec 18, 2011, 8:15 PM

Post #7 of 13 (1130 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

On Mon, Dec 19, 2011 at 9:30 AM, Kaushal Shriyan
<kaushalshriyan [at] gmail> wrote:

>
>
> On Mon, Dec 19, 2011 at 5:18 AM, Kaushal Shriyan <kaushalshriyan [at] gmail
> > wrote:
>
>>
>>
>> On Mon, Dec 19, 2011 at 4:55 AM, Ryan Kelly <rpkelly22 [at] gmail> wrote:
>>
>>> > Thanks for the quick reply, I have around 200 client hosts which pushes
>>> > syslog to a Remote Centralized Rsyslog server. Do i need to use
>>> > http://rsyslog.com/doc/ommail.html on all 200 client hosts or can it
>>> be
>>> > setup only on Remote Centralized Rsyslog server.
>>> It can be setup just on the centralized server, assuming those messages
>>> you are interested in are actually being forwarded to that server.
>>>
>>>
>> Thanks Ryan and any further use cases or several examples regarding
>> $template (*Configuration Directives*) as mentioned in
>> http://rsyslog.com/doc/ommail.html
>>
>> Please suggest.
>>
>> Regards
>>
>> Kaushal
>>
>
> Hi,
>
> I am referring to http://rsyslog.com/doc/ommail.html to set email or sms
> alerts using email-to-sms feature
> Basically i am interested in various conditions or strings which can be
> captured or trapped and post it to the user
>
> For example "if $msg contains 'hard disk fatal failure' then
> :ommail:;mailBody" as per that link
>
> so how would i know what strings i can expect if there is a hardware or
> software error in the syslog ?
> I mean typical error description for specific problem
>
> Please guide me
>
> Regards
>
> Kaushal
>
> Hi Again

Also as per http://wiki.rsyslog.com/index.php/FailoverSyslogServer, the
data is stored in /var/log/localbuffer on client hosts
Once the Centralized Primary or Secondary Server is up, will it push the
data which was stored locally on client hosts in /var/log/localbuffer to
the centralized server automatically ?

Regards,

Kaushal


kaushalshriyan at gmail

Dec 19, 2011, 5:19 PM

Post #8 of 13 (1125 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

On Mon, Dec 19, 2011 at 9:30 AM, Kaushal Shriyan
<kaushalshriyan [at] gmail> wrote:

>
>
> On Mon, Dec 19, 2011 at 5:18 AM, Kaushal Shriyan <kaushalshriyan [at] gmail
> > wrote:
>
>>
>>
>> On Mon, Dec 19, 2011 at 4:55 AM, Ryan Kelly <rpkelly22 [at] gmail> wrote:
>>
>>> > Thanks for the quick reply, I have around 200 client hosts which pushes
>>> > syslog to a Remote Centralized Rsyslog server. Do i need to use
>>> > http://rsyslog.com/doc/ommail.html on all 200 client hosts or can it
>>> be
>>> > setup only on Remote Centralized Rsyslog server.
>>> It can be setup just on the centralized server, assuming those messages
>>> you are interested in are actually being forwarded to that server.
>>>
>>>
>> Thanks Ryan and any further use cases or several examples regarding
>> $template (*Configuration Directives*) as mentioned in
>> http://rsyslog.com/doc/ommail.html
>>
>> Please suggest.
>>
>> Regards
>>
>> Kaushal
>>
>
> Hi,
>
> I am referring to http://rsyslog.com/doc/ommail.html to set email or sms
> alerts using email-to-sms feature
> Basically i am interested in various conditions or strings which can be
> captured or trapped and post it to the user
>
> For example "if $msg contains 'hard disk fatal failure' then
> :ommail:;mailBody" as per that link
>
> so how would i know what strings i can expect if there is a hardware or
> software error in the syslog ?
> I mean typical error description for specific problem
>
> Please guide me
>
> Regards
>
> Kaushal
>
>
Hi

Checking in again for my earlier post to this Mailing List.

Regards

Kaushal


kaushalshriyan at gmail

Dec 19, 2011, 5:20 PM

Post #9 of 13 (1125 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

On Mon, Dec 19, 2011 at 9:45 AM, Kaushal Shriyan
<kaushalshriyan [at] gmail> wrote:

>
>
> On Mon, Dec 19, 2011 at 9:30 AM, Kaushal Shriyan <kaushalshriyan [at] gmail
> > wrote:
>
>>
>>
>> On Mon, Dec 19, 2011 at 5:18 AM, Kaushal Shriyan <
>> kaushalshriyan [at] gmail> wrote:
>>
>>>
>>>
>>> On Mon, Dec 19, 2011 at 4:55 AM, Ryan Kelly <rpkelly22 [at] gmail> wrote:
>>>
>>>> > Thanks for the quick reply, I have around 200 client hosts which
>>>> pushes
>>>> > syslog to a Remote Centralized Rsyslog server. Do i need to use
>>>> > http://rsyslog.com/doc/ommail.html on all 200 client hosts or can it
>>>> be
>>>> > setup only on Remote Centralized Rsyslog server.
>>>> It can be setup just on the centralized server, assuming those messages
>>>> you are interested in are actually being forwarded to that server.
>>>>
>>>>
>>> Thanks Ryan and any further use cases or several examples regarding
>>> $template (*Configuration Directives*) as mentioned in
>>> http://rsyslog.com/doc/ommail.html
>>>
>>> Please suggest.
>>>
>>> Regards
>>>
>>> Kaushal
>>>
>>
>> Hi,
>>
>> I am referring to http://rsyslog.com/doc/ommail.html to set email or sms
>> alerts using email-to-sms feature
>> Basically i am interested in various conditions or strings which can be
>> captured or trapped and post it to the user
>>
>> For example "if $msg contains 'hard disk fatal failure' then
>> :ommail:;mailBody" as per that link
>>
>> so how would i know what strings i can expect if there is a hardware or
>> software error in the syslog ?
>> I mean typical error description for specific problem
>>
>> Please guide me
>>
>> Regards
>>
>> Kaushal
>>
>> Hi Again
>
> Also as per http://wiki.rsyslog.com/index.php/FailoverSyslogServer, the
> data is stored in /var/log/localbuffer on client hosts
> Once the Centralized Primary or Secondary Server is up, will it push the
> data which was stored locally on client hosts in /var/log/localbuffer to
> the centralized server automatically ?
>
> Regards,
>
> Kaushal
>
>
Hi

Checking in again for my earlier post to this Mailing List.

Regards

Kaushal


david at lang

Dec 20, 2011, 12:05 PM

Post #10 of 13 (1119 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

On Mon, 19 Dec 2011, Kaushal Shriyan wrote:

> On Mon, Dec 19, 2011 at 5:18 AM, Kaushal Shriyan
> <kaushalshriyan [at] gmail> wrote:
>
>> On Mon, Dec 19, 2011 at 4:55 AM, Ryan Kelly <rpkelly22 [at] gmail> wrote:
>>
>>>> Thanks for the quick reply, I have around 200 client hosts which pushes
>>>> syslog to a Remote Centralized Rsyslog server. Do i need to use
>>>> http://rsyslog.com/doc/ommail.html on all 200 client hosts or can it be
>>>> setup only on Remote Centralized Rsyslog server.
>>> It can be setup just on the centralized server, assuming those messages
>>> you are interested in are actually being forwarded to that server.
>>>
>>>
>> Thanks Ryan and any further use cases or several examples regarding
>> $template (*Configuration Directives*) as mentioned in
>> http://rsyslog.com/doc/ommail.html
>>
>> Please suggest.
>>
>> Regards
>>
>> Kaushal
>>
>
> Hi,
>
> I am referring to http://rsyslog.com/doc/ommail.html to set email or sms
> alerts using email-to-sms feature
> Basically i am interested in various conditions or strings which can be
> captured or trapped and post it to the user
>
> For example "if $msg contains 'hard disk fatal failure' then
> :ommail:;mailBody" as per that link
>
> so how would i know what strings i can expect if there is a hardware or
> software error in the syslog ?
> I mean typical error description for specific problem
>
> Please guide me

It's not clear what you are asking.

Are you asking what error messages could indicate hardware or software
problems in your logs? if so, that is too large a list of errors for
anyone to predict (in part it will depend on what software you are
running)

or are you asking what log messages rsyslog produces if there are errors?
(this is a smaller list, but still hard to define)

as a general statement, just about any log message could potentially
indicate an error of some sort, you have to know the system to know what
it means.

Alerting on every potentially bad message does not work well in practice
(too many messages have the potential to mean something bad)

rsyslog does have the ability to generate e-mails if you match something,
but that's not really an efficient way to do alerting. You really need to
do a lot more logic on the logs to decide if something is bad (a message
may indicate a problem only in combination with other messages, only if it
happens more than X times in Y minutes, only if some other message
_doesn't_ show up within X minutes, etc)

the right answer to finding bad things in the logs is very complex and
involves several tools. It's also something where there is no one True
Answer (TM)

What I like to do is to send the logs to Simple Event Correlator (SEC)
where I can program it to generate alerts on things that it sees.

To figure out what I need to alert on, I use the 'artificial ignorance'
method. get all your logs for a day, do some simple filtering to replace
IP addresses, pids, numbers, etc with placeholders and then run the logs
through sort |uniq -c |sort -n and look at your most common logs for the
time period.

for each log message type, decide which category it falls under

1. Something that you want to create a summary report on

this could be a list of what sites accessed a webserver for example

2. Something that is not interesting

but note that the number of times that something 'not interesting
happened' could be interesting, especially if that count changes
significantly

3. Something that you want to alert on (at least potentially)


update your reporting script to filter out the log messages that you have
classified and repeat the process. you will find that you very quickly
classify all the log messages that you have seen, and the report of these
'unknown' messages starts getting rather small. have someone review these
unknown messages each day to catch new things (which may involve creating
a report or otherwise classifying the messages using the same logic)

David Lang
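
The 'artificial ignorance' pass described in this post, as an added example that is not part of the original message or of rsyslog: a shell script that collapses a day's log into message types and counts them, optionally hiding types that are already classified. It assumes traditional `Mon DD HH:MM:SS host` line prefixes; the function names, the known-patterns file and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: "artificial ignorance" report over a syslog file.
# Assumes traditional "Mon DD HH:MM:SS host " prefixes; function names
# and sample data are illustrative, not from the thread.
LC_ALL=C; export LC_ALL   # byte-wise, reproducible sort order

# Replace variable fields with placeholders so that messages of the
# same type collapse into one line.
normalize() {
    sed -E \
        -e 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ //' \
        -e 's/\[[0-9]+\]/[PID]/g' \
        -e 's/([0-9]{1,3}\.){3}[0-9]{1,3}/IP/g' \
        -e 's/[0-9]+/N/g'
}

# report LOGFILE [KNOWNFILE]
# KNOWNFILE holds one extended regex per line for message types that
# are already classified; those are hidden so only unknown types remain.
# Output: "<count> <message type>", least frequent first.
report() {
    known=${2:-/dev/null}
    normalize < "$1" |
        grep -v -E -f "$known" |
        sort | uniq -c | sort -n |
        sed -E 's/^ +//'
}

# Constructed sample input (documentation IP ranges, made-up hosts).
sample_log() {
    cat <<'EOF'
Dec 18 14:27:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Dec 18 14:27:03 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Dec 18 14:27:09 web02 sshd[912]: Failed password for invalid user admin from 198.51.100.4 port 33810 ssh2
Dec 18 14:30:00 web01 CRON[3001]: (root) CMD (run-parts /etc/cron.hourly)
Dec 18 15:30:00 web02 CRON[3417]: (root) CMD (run-parts /etc/cron.hourly)
Dec 18 16:02:44 db01 kernel: end_request: I/O error, dev sda, sector 1953525160
Dec 18 16:02:45 db01 kernel: end_request: I/O error, dev sda, sector 1953525168
Dec 18 16:05:12 db01 smartd[644]: Device: /dev/sda, 8 Currently unreadable (pending) sectors
EOF
}

# Stand-alone use: ./ai-report.sh /var/log/messages [known-patterns]
if [ "$#" -ge 1 ]; then
    report "$@"
fi
```

Each time a message type is classified, its regex (written against the normalized form, for example `^CRON\[PID\]: `) goes into the known-patterns file, so the next run shows only what is still unclassified.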



david at lang

Dec 20, 2011, 12:06 PM

Post #11 of 13 (1127 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

On Mon, 19 Dec 2011, Kaushal Shriyan wrote:

> On Mon, Dec 19, 2011 at 9:30 AM, Kaushal Shriyan
> <kaushalshriyan [at] gmail> wrote:
>
>>
>>
>> On Mon, Dec 19, 2011 at 5:18 AM, Kaushal Shriyan <kaushalshriyan [at] gmail
>>> wrote:
>>
>>>
>>>
>>> On Mon, Dec 19, 2011 at 4:55 AM, Ryan Kelly <rpkelly22 [at] gmail> wrote:
>>>
>>>>> Thanks for the quick reply, I have around 200 client hosts which pushes
>>>>> syslog to a Remote Centralized Rsyslog server. Do i need to use
>>>>> http://rsyslog.com/doc/ommail.html on all 200 client hosts or can it
>>>> be
>>>>> setup only on Remote Centralized Rsyslog server.
>>>> It can be setup just on the centralized server, assuming those messages
>>>> you are interested in are actually being forwarded to that server.
>>>>
>>>>
>>> Thanks Ryan and any further use cases or several examples regarding
>>> $template (*Configuration Directives*) as mentioned in
>>> http://rsyslog.com/doc/ommail.html
>>>
>>> Please suggest.
>>>
>>> Regards
>>>
>>> Kaushal
>>>
>>
>> Hi,
>>
>> I am referring to http://rsyslog.com/doc/ommail.html to set email or sms
>> alerts using email-to-sms feature
>> Basically i am interested in various conditions or strings which can be
>> captured or trapped and post it to the user
>>
>> For example "if $msg contains 'hard disk fatal failure' then
>> :ommail:;mailBody" as per that link
>>
>> so how would i know what strings i can expect if there is a hardware or
>> software error in the syslog ?
>> I mean typical error description for specific problem
>>
>> Please guide me
>>
>> Regards
>>
>> Kaushal
>>
>> Hi Again
>
> Also as per http://wiki.rsyslog.com/index.php/FailoverSyslogServer, the
> data is stored in /var/log/localbuffer on client hosts
> Once the Centralized Primary or Secondary Server is up, will it push the
> data which was stored locally on client hosts in /var/log/localbuffer to
> the centralized server automatically ?

If you configure the clients to buffer things and send them when the
server comes back up they will. Rsyslog provides the option to do lots of
things, but the default configuration does not do this sort of fancy stuff
(because there are too many ways that people may want to do things)

David Lang


kaushalshriyan at gmail

Dec 20, 2011, 3:45 PM

Post #12 of 13 (1123 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

On Wed, Dec 21, 2011 at 1:35 AM, <david [at] lang> wrote:

> On Mon, 19 Dec 2011, Kaushal Shriyan wrote:
>
> On Mon, Dec 19, 2011 at 5:18 AM, Kaushal Shriyan
>> <kaushalshriyan [at] gmail> wrote:
>>
>> On Mon, Dec 19, 2011 at 4:55 AM, Ryan Kelly <rpkelly22 [at] gmail> wrote:
>>>
>>> Thanks for the quick reply, I have around 200 client hosts which pushes
>>>>> syslog to a Remote Centralized Rsyslog server. Do i need to use
>>>>> http://rsyslog.com/doc/ommail.html on all 200 client hosts or can it be
>>>>> setup only on Remote Centralized Rsyslog server.
>>>>>
>>>> It can be setup just on the centralized server, assuming those messages
>>>> you are interested in are actually being forwarded to that server.
>>>>
>>>>
>>>> Thanks Ryan and any further use cases or several examples regarding
>>> $template (*Configuration Directives*) as mentioned in
>>>
>>> http://rsyslog.com/doc/ommail.html
>>>
>>> Please suggest.
>>>
>>> Regards
>>>
>>> Kaushal
>>>
>>>
>> Hi,
>>
>> I am referring to http://rsyslog.com/doc/ommail.html to set email or sms
>> alerts using email-to-sms feature
>> Basically i am interested in various conditions or strings which can be
>> captured or trapped and post it to the user
>>
>> For example "if $msg contains 'hard disk fatal failure' then
>> :ommail:;mailBody" as per that link
>>
>> so how would i know what strings i can expect if there is a hardware or
>> software error in the syslog ?
>> I mean typical error description for specific problem
>>
>> Please guide me
>>
>
> It's not clear what you are asking.
>
> Are you asking what error messages could indicate hardware or software
> problems in your logs? if so, that is too large a list of errors for anyone
> to predict (in part it will depend on what software you are running)
>
> or are you asking what log messages rsyslog produces if there are errors?
> (this is a smaller list, but still hard to define)
>
> as a general statement, just about any log message could potentially
> indicate an error of some sort, you have to know the system to know what it
> means.
>
> Alerting on every potentially bad message does not work well in practice
> (too many messages have the potential to mean something bad)
>
> rsyslog does have the ability to generate e-mails if you match something,
> but that's not really an efficient way to do alerting. You really need to
> do a lot more logic on the logs to decide if something is bad (a message
> may indicate a problem only in combination with other messages, only if it
> happens more than X times in Y minutes, only if some other message
> _doesn't_ show up within X minutes, etc)
>
> the right answer to finding bad things in the logs is very complex and
> involves several tools. It's also something where there is no one True
> Answer (TM)
>
> What I like to do is to send the logs to Simple Event Correlator (SEC)
> where I can program it to generate alerts on things that it sees.
>
> To figure out what I need to alert on, I use the 'artificial ignorance'
> method. get all your logs for a day, do some simple filtering to replace IP
> addresses, pids, numbers, etc with placeholders and then run the logs
> through sort |uniq -c |sort -n and look at your most common logs for the
> time period.
>
> for each log message type, decide which category it falls under
>
> 1. Something that you want to create a summary report on
>
> this could be a list of what sites accessed a webserver for example
>
> 2. Something that is not interesting
>
> but note that the number of times that something 'not interesting
> happened' could be interesting, especially if that count changes
> significantly
>
> 3. Something that you want to alert on (at least potentially)
>
>
> update your reporting script to filter out the log messages that you have
> classified and repeat the process. you will find that you very quickly
> classify all the log messages that you have seen, and the report of these
> 'unknown' messages starts getting rather small. have someone review these
> unknown messages each day to catch new things (which may involve creating a
> report or otherwise classifying the messages using the same logic)
>
> David Lang
>
>

Hi David

I have gone through http://simple-evcorr.sourceforge.net/ and it is quite
interesting and there is also a learning process. At present I am using
rsyslog daemon as a centralized server and several rsyslog clients
connecting to it. Not sure I understand how sec is used in conjunction with
rsyslog daemon or are they separate applications.

Please help me understand.

Regards

Kaushal


david at lang

Dec 20, 2011, 5:39 PM

Post #13 of 13 (1142 views)
Permalink
Re: Trigger mechanism in Rsyslog [In reply to]

On Wed, 21 Dec 2011, Kaushal Shriyan wrote:

> I have gone through http://simple-evcorr.sourceforge.net/ and it is quite
> interesting and there is also a learning process. At present I am using
> rsyslog daemon as a centralized server and several rsyslog clients
> connecting to it. Not sure i understand how sec is used in conjunction with
> rsyslog daemon or are they separate applications.
>
> Please help me understand.

one of the core Unix ideas is that instead of getting one monolithic
program that does everything, you get a bunch of individual programs that
each do one thing really well and you combine them to get the results that
you want (which may not be the results that someone else wants, so they
would combine a slightly different set of tools)

rsyslog is great at transporting log messages (gathering them,
transporting them, storing them) and includes some really neat
functionality for dividing the logs. It's not designed to alert on logs.

SEC is designed to read its input, compare the input to its files and
then take action based on the contents of the logs.

So rsyslog gathers the logs and writes them to SEC. you could do this with
omprog in rsyslog to start SEC and feed it the data via stdin, or you can
make a named pipe on your filesystem and have rsyslog write to that 'file'
and SEC read from that 'file' as its input.

David Lang
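
The named-pipe arrangement from this post, as an added example that is not part of the original message: a shell function that creates the FIFO, writes an rsyslog rule sending all messages to it, and writes one SEC rule that alerts only when a kernel I/O error repeats 5 times within 300 seconds. The paths, file names, pattern, threshold values and mail command are assumptions, and the rsyslog drop-in directory is assumed to be included by the main configuration.

```shell
#!/bin/sh
# Added example: feed rsyslog output to SEC through a named pipe.
# All paths, the pattern and the threshold are illustrative assumptions.

# setup_sec_feed STAGE
# STAGE is a directory prefix ("" for the live system, a scratch
# directory for a dry run). Prints the SEC command line to start.
setup_sec_feed() {
    stage=$1
    fifo="$stage/var/run/sec.fifo"
    rules="$stage/etc/sec/disk.rules"
    mkdir -p "$stage/var/run" "$stage/etc/rsyslog.d" "$stage/etc/sec"

    # Mode 600: other local users can neither read the log stream nor
    # write fake events into SEC's input.
    [ -p "$fifo" ] || mkfifo -m 600 "$fifo"

    # rsyslog side: an action starting with "|" writes to a named pipe.
    cat > "$stage/etc/rsyslog.d/60-sec.conf" <<EOF
# send every message to SEC's input pipe
*.*  |$fifo
EOF

    # SEC side: alert on the 5th matching event within 300 seconds,
    # not on every single match. \$1 is the device captured by the
    # pattern; %s expands to the desc string.
    cat > "$rules" <<'EOF'
type=SingleWithThreshold
ptype=RegExp
pattern=kernel: .*I/O error, dev (\S+),
desc=repeated I/O errors on $1
action=pipe '%s' /usr/bin/mail -s "disk alert" root
window=300
thresh=5
EOF

    printf 'sec --conf=%s --input=%s\n' "$rules" "$fifo"
}

# Stand-alone use: ./setup-sec-feed.sh /tmp/stage   (dry run into a prefix)
if [ "$#" -ge 1 ]; then
    setup_sec_feed "$1"
fi
```

Start SEC with the printed command before restarting rsyslog, so that the pipe has a reader when rsyslog begins writing to it.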
