Re: important errors to control with swatch



Maybe this is overkill (or maybe I'm missing the point completely), but wouldn't Splunk ( http://www.splunk.com ) be a good solution, or a tool for creating a solution, for this problem?
For those that haven't heard of it, it collects data from many different data sources, syslog being one of them, and provides you with a web based interface to search through them. It allows for complex searches and has the ability to alert on any of the searches. They also have something called SplunkBase, which is a community driven database of what many of these messages mean. It is a commercial product, but they have a free version that will work with up to 500Mb per day of data.
I haven't implemented this myself yet, but I have played around with it and look forward to finding the time to try to really implement it for myself.

Mike Robbert

Hari Sekhon wrote:
I'm also extremely interested in expanding my log watching to include a massive amount of comprehensive pattern matching alerting.

I currently have some but need to expand it. The problem is that this is really a difficult thing to approach because it can only catch known patterns in this fashion. And whitelisting is really not practical in this context, as the logs generated are practically infinite and it is not really possible to whitelist them.

I think that there should really be a well maintained project of regexes for this purpose, one official champion for us to build our baselines on... with frequent updates...

Anyone got any ideas or regexes they want to share?

Isaac, you would do well to have things like "I/O Error" for disk problems... "hardware hung"... etc., but this list is practically endless; you should look at your logs and decide which ones you'd like to be alerted on.

-h

Hari Sekhon



Isaac Perez Moncho wrote:
Hello,
I just installed swatch, and used this configuration file for the
checks:
http://www.loganalysis.org/sections/signatures/log-swatch-skendrick.txt

Does anyone know any other common phrases or words that I should search the logs for,
for hardware and system errors?
Or what you consider important to monitor in the logs?
Thanks

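As an added example (not code from the thread, from the linked swatch configuration, or from the swatch project itself), here is a small Python watcher in the style the thread is discussing: a table of regexes checked against each syslog line, with a per-pattern, per-host throttle so that a failing disk which logs the same I/O error hundreds of times produces one alert rather than hundreds. The phrases "I/O error" and "hardware hung" are the ones Hari mentions; the remaining patterns, the pattern names, and the sample log lines are constructed assumptions for illustration.

```python
"""Minimal swatch-style log watcher: a regex table plus per-host throttling."""
import re
from datetime import datetime, timedelta

# Pattern table. "I/O error" and "hardware hung" are the phrases suggested in
# the thread; the other entries are ASSUMED examples of kernel messages a
# sysadmin might want to catch and are not taken from the thread or from the
# linked swatch configuration. First matching pattern wins.
PATTERNS = [
    ("disk_io_error", re.compile(r"\bI/O error\b", re.IGNORECASE)),
    ("hardware_hung", re.compile(r"\bhardware hung\b", re.IGNORECASE)),
    ("machine_check", re.compile(r"Machine Check Exception", re.IGNORECASE)),
    ("oom_kill",      re.compile(r"\bOut of memory\b", re.IGNORECASE)),
    ("cpu_temp",      re.compile(r"Temperature above threshold", re.IGNORECASE)),
    ("segfault",      re.compile(r"\bsegfault\b", re.IGNORECASE)),
]

# Classic BSD syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample log (not real data): a disk throwing repeated I/O errors,
# an unrelated ssh login, a syslog MARK line, a CPU thermal warning, an OOM kill,
# and the same disk failing again later.
SAMPLE_LOG = """\
Mar 10 09:12:01 db01 kernel: sd 0:0:0:0: [sda] Unhandled error code
Mar 10 09:12:01 db01 kernel: end_request: I/O error, dev sda, sector 1234567
Mar 10 09:12:02 db01 kernel: end_request: I/O error, dev sda, sector 1234568
Mar 10 09:12:03 db01 kernel: end_request: I/O error, dev sda, sector 1234569
Mar 10 09:20:44 web02 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 10 09:40:00 db01 -- MARK --
Mar 10 09:31:15 db01 kernel: CPU0: Temperature above threshold, cpu clock throttled
Mar 10 09:45:00 web02 kernel: Out of memory: Kill process 4120 (httpd) score 811 or sacrifice child
Mar 10 09:50:09 db01 kernel: end_request: I/O error, dev sda, sector 1234570
"""


def parse_line(line):
    """Return (timestamp, host, program, message), or None if not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for the relative comparisons the throttle below performs.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("host"), m.group("prog"), m.group("msg")


class LogWatcher:
    """Match each line against PATTERNS and alert at most once per
    (pattern, host) within `throttle` seconds, in the spirit of swatch's
    throttle option (this is not swatch's own implementation)."""

    def __init__(self, patterns=PATTERNS, throttle=600):
        self.patterns = patterns
        self.throttle = timedelta(seconds=throttle)
        self._last_alert = {}   # (pattern name, host) -> time of last alert
        self.suppressed = 0     # repeats swallowed by the throttle
        self.unparsed = 0       # lines that did not look like syslog

    def feed(self, line):
        """Return an alert dict for this line, or None."""
        parsed = parse_line(line.rstrip("\n"))
        if parsed is None:
            self.unparsed += 1
            return None
        ts, host, prog, msg = parsed
        for name, rx in self.patterns:
            if rx.search(msg):
                key = (name, host)
                last = self._last_alert.get(key)
                if last is not None and ts - last < self.throttle:
                    self.suppressed += 1
                    return None
                self._last_alert[key] = ts
                return {"pattern": name, "host": host, "program": prog,
                        "time": ts.strftime("%H:%M:%S"), "message": msg}
        return None

    def run(self, lines):
        """Feed every line and return the list of alerts that survived throttling."""
        return [a for a in (self.feed(l) for l in lines) if a is not None]


if __name__ == "__main__":
    watcher = LogWatcher()
    for alert in watcher.run(SAMPLE_LOG.splitlines()):
        print("ALERT %(time)s %(host)s %(pattern)s: %(message)s" % alert)
    print("suppressed repeats:", watcher.suppressed, "unparsed lines:", watcher.unparsed)
```

On the sample above the three I/O errors within two seconds collapse into one alert, the MARK line is counted as unparsed rather than silently dropped, and the disk error 38 minutes later alerts again because it falls outside the 10-minute throttle window. Note the limitation Hari raises: this only catches phrases already in the table, so the table has to grow from reading your own logs.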


