On Tue, Feb 14, 2006 at 11:43:20PM -0700, Charles Jones wrote:
> How will it handle monitoring files that get rotated out? For example, if the Hobbit client is monitoring /var/log/messages, and a cron rotate script moves messages to messages.1 and gzips it, will the Hobbit client be smart enough to re-seek to the end of the newly created file?
Log rotation is difficult to handle - I just wrote about it in another reply. In the scenario you describe, Hobbit would miss those log messages that were made between the last client run and the log rotation - so normally, that would only be log entries for a few minutes (since the client runs every 5 minutes).
Hobbit does notice that the log was rotated, and starts sending the entries that go into the new logfile.
> *** Partially off-topic *** While looking at another group's monitoring setup, they were using a program called ****** (name doesn't matter), which I found to be inferior to Hobbit, but it did have one nice feature, which was the ability to test the checksum of a list of files, and send an alert if the file changed (default examples were /etc/passwd, /vmlinuz, /etc/syslog.conf). I suppose this functionality could be achieved via a client-side external script, but I mention it here because it might be easy to add in now while you are working on the file scanning code :)
I think this is better handled by some of the host-based IDS systems that are out there - like Tripwire, or the open-source equivalent AIDE. That's what they are designed to do, and they have much more advanced techniques of checking that the file contents don't change (multiple hashes, checking of file meta-data etc.)
Regards, Henrik
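The rotation case discussed above, as an added example that is not Hobbit's client code: a tailer that runs periodically, remembers (inode, offset, fingerprint) between runs, detects that the log was rotated or truncated, and then tries to recover the lines written to the old file between the previous run and the rotation before reading the new file from the start. The names tail_once and HEAD_BYTES, the messages / messages.1 / messages.1.gz naming scheme, and the sample log lines in demo() are this example's own assumptions, not anything from the thread.

```python
import gzip
import hashlib
import os
import tempfile

# Added example, not Hobbit's code: a stateful log tailer for a client that
# runs every few minutes. It assumes the logrotate-style scheme from the
# question: the live file is renamed to "<name>.1" and then gzipped.

HEAD_BYTES = 256  # leading bytes hashed as the file's identity fingerprint


def _fingerprint(fh, n):
    """Hex digest of the first n bytes of an open binary file (rewinds fh)."""
    fh.seek(0)
    return hashlib.sha256(fh.read(n)).hexdigest()


def _complete_lines(data):
    """Whole lines in data and the bytes they occupy; a trailing partial
    line is left for the next run instead of being reported as a fragment."""
    cut = data.rfind(b"\n")
    if cut == -1:
        return [], 0
    return data[:cut + 1].decode("utf-8", "replace").split("\n")[:-1], cut + 1


def _drain_rotated(rotated_path, state):
    """Lines written to the rotated copy after state['offset'], or [] when
    no plain or gzipped copy with the remembered fingerprint can be found."""
    for candidate, opener in ((rotated_path, open),
                              (rotated_path + ".gz", gzip.open)):
        if not os.path.exists(candidate):
            continue
        with opener(candidate, "rb") as fh:
            if _fingerprint(fh, state["headlen"]) != state["head"]:
                continue  # some other log ended up under this name
            fh.seek(state["offset"])  # on a GzipFile this is a forward read
            return _complete_lines(fh.read())[0]
    return []


def tail_once(path, state, rotated_path=None):
    """One monitoring pass. state is {} on the first run, afterwards the
    dict returned by the previous pass. Returns (new_lines, new_state)."""
    with open(path, "rb") as fh:
        st = os.fstat(fh.fileno())
        lines = []
        if not state:
            offset = st.st_size  # first run: start at EOF, like tail -f
        elif (st.st_ino != state["inode"] or st.st_size < state["offset"]
              or _fingerprint(fh, state["headlen"]) != state["head"]):
            # New inode, shrunk, or different leading bytes: the log was
            # rotated (or copytruncated). Recover the old file's tail first,
            # then read the new file from the beginning.
            if rotated_path:
                lines.extend(_drain_rotated(rotated_path, state))
            offset = 0
        else:
            offset = state["offset"]
        fh.seek(offset)
        new_lines, consumed = _complete_lines(fh.read())
        lines.extend(new_lines)
        headlen = min(HEAD_BYTES, st.st_size)
        return lines, {"inode": st.st_ino, "offset": offset + consumed,
                       "head": _fingerprint(fh, headlen), "headlen": headlen}


def demo():
    """Constructed scenario: a rotate-and-gzip between two passes. Returns
    the lines pass 2 and pass 3 reported and the offset kept after pass 3."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages")
        rotated = log + ".1"
        with open(log, "wb") as fh:
            fh.write(b"kernel: boot complete\nsshd: listening on :22\n")
        _, state = tail_once(log, {}, rotated)          # pass 1: baseline at EOF
        with open(log, "ab") as fh:
            fh.write(b"sshd: accepted publickey for root\n")
        pass2, state = tail_once(log, state, rotated)   # pass 2: ordinary tail
        with open(log, "ab") as fh:
            fh.write(b"sudo: root ran /usr/bin/id\n")   # lands just before rotation
        os.rename(log, rotated)                          # cron: mv messages messages.1
        with open(rotated, "rb") as src, gzip.open(rotated + ".gz", "wb") as dst:
            dst.write(src.read())
        os.remove(rotated)                               # ... && gzip messages.1
        with open(log, "wb") as fh:                      # syslogd reopens a new file
            fh.write(b"syslogd: restart\n")
        pass3, state = tail_once(log, state, rotated)   # pass 3: rotation handled
        return pass2, pass3, state["offset"]
```

Detection alone (a new inode or a file shorter than the remembered offset) gives exactly the behaviour described in the reply: the entries written between the last run and the rotation are lost. Recovering them depends on the rotated copy still being readable under a predictable name; if it is deleted or renamed to something else before the next run, or the client happens to run in the window between the rename and the daemon reopening the file (open() raises FileNotFoundError here), the gap remains. The fingerprint of the leading bytes is there because inode numbers are reused after unlink and because the file under the .1 name may not be the one that was being followed.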
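The file-checksum idea raised in the quoted message, and the "multiple hashes plus meta-data" approach of the reply, as an added example that is not code from Hobbit, Tripwire or AIDE: a baseline records two content digests and the permission, ownership, size and mtime of each watched file, and a comparison reports which attribute changed. The functions snapshot, compare and demo, and the constructed passwd / syslog.conf / vmlinuz stand-ins in a temporary directory, are this example's assumptions.

```python
import hashlib
import os
import stat
import tempfile

# Added example, not AIDE or Tripwire code: a minimal file-integrity baseline
# that records two content digests plus the metadata an attacker could change
# without touching the content (mode, owner, size, mtime).


def snapshot(paths):
    """Baseline for each path: content digests (regular files only) and the
    metadata that should stay stable on a configuration file."""
    base = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue  # compare() reports it as 'missing' if it was in the baseline
        entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                 "gid": st.st_gid, "size": st.st_size,
                 "mtime_ns": st.st_mtime_ns, "inode": st.st_ino}
        if stat.S_ISREG(st.st_mode):
            with open(p, "rb") as fh:
                data = fh.read()
            # Two independent hash functions: a collision against one does
            # not help an attacker against the other.
            entry["sha256"] = hashlib.sha256(data).hexdigest()
            entry["blake2b"] = hashlib.blake2b(data).hexdigest()
        base[p] = entry
    return base


def compare(baseline, current):
    """{path: sorted list of changed attributes}; whole-file events are
    reported as ['missing'] or ['added']. Unchanged files are omitted."""
    report = {}
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            report[p] = ["missing"]
        elif p not in baseline:
            report[p] = ["added"]
        else:
            keys = set(baseline[p]) | set(current[p])
            changed = sorted(k for k in keys
                             if baseline[p].get(k) != current[p].get(k))
            if changed:
                report[p] = changed
    return report


def demo():
    """Constructed scenario with three tampering styles. Returns the report
    keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        conf = os.path.join(d, "syslog.conf")
        kern = os.path.join(d, "vmlinuz")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(conf, "w") as fh:
            fh.write("*.info  /var/log/messages\n")
        with open(kern, "wb") as fh:
            fh.write(b"\x7fELF not really a kernel\n")
        watched = [passwd, conf, kern]
        for p in watched:
            os.chmod(p, 0o644)  # fixed mode so the result does not depend on umask
        base = snapshot(watched)
        # 1. Same-length content change with the mtime put back: only the
        #    digests notice; size and mtime checks alone would miss it.
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/zs\n")
        os.utime(passwd, ns=(base[passwd]["mtime_ns"], base[passwd]["mtime_ns"]))
        # 2. Metadata-only change: the config becomes world-writable.
        os.chmod(conf, 0o666)
        # 3. A watched file disappears.
        os.remove(kern)
        report = compare(base, snapshot(watched))
        return {os.path.basename(p): v for p, v in report.items()}
```

The baseline itself is the weak point of any such check: if it lives on the monitored host, whoever can replace /etc/passwd can also regenerate the baseline, which is why the dedicated tools keep it (or its signature) off-box or on read-only media.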