[hobbit] Logfile monitoring - I'd like some comments
My two cents/pence/francs/pesetas/whatever (I am overcharging):
I think it would be cool if the Hobbit client could watch arbitrary log files for arbitrary messages and turn that into status alarms. But don't assume that /var/log or /var/adm or /var/adm is accessible to ordinary (as in Hobbit client) users -- not around here, anyway. Besides, I already have another solution for managing my UNIX syslogs -- what I don't have is a way to manage all of my application log files.
Wonder how it would work if the client somehow retrieved "orders" from the BB server at startup and this was used to drive a client-side scanner? I like the notion of centralized configuration, but...
Otherwise, you might as well forward all the logs to the central server (syslog-ng?) and have the server parse them. But this wouldn't work for the logs that I want to root through with the clients.
GLH
-----Original Message-----
From: Rob Munsch [mailto:rmunsch at solutionsforprogress.com]
Sent: Wednesday, February 15, 2006 4:22 PM
To: hobbit at hswn.dk
Subject: Re: [hobbit] Logfile monitoring - I'd like some comments
Henrik Stoerner wrote:
the amount of log data that Hobbit needs to process. So you can set up a regexp of stuff in the logfile that you *never* want to see, and a regexp of stuff that you *always* want to report - regardless of how much the log grows.
Well, that covers my comment. I'd much rather give a list of "this stuff is always Good" than try to cover every instance of Bad, so that's awesome.
It would be ideal if the central config was somewhat bb-hosts-ish, and could accept (in addition to aforementioned includes) host-specific directives for what to log. I am assuming that how to react will already be host-specific like every other test, yes?
As far as the logs rotating out... couldn't hobbit look for an environment variable for the format of the rotated logs...? The filenames vary host to host, but on a given host, a quick look at /var/log tells you what to expect, right?
Lastly - being someone who couldn't program his way out of a paper stack, I will now cheekily suggest that on install, hobbit could look at /var/log and guesstimate the format, and ask for human confirmation (as it already does for the hobbit user and homedir).
Even if this automated dream doesn't happen, could it still be set manually or via config?
-- Rob Munsch Solutions For Progress IT
Perhaps this is possible? What we would like to have is a way to tie a specific log file alert with some text on what to do about the error.
In other words, if you caught something like 'FATAL - something just broke down on proc AE56F', obviously you would see this on the Hobbit web page, but it would be nice if we could include some text on how to fix it or at least identify to the end-user why we care about what might appear to them as a very cryptic log file entry.
Does that make sense? Optionally add how to fix, or explanatory text for each log file entry that you alarm on?
~David
Henrik,
Well, maybe we could look at the logcheck project: http://logcheck.org. I installed it once and the idea was nice. Every log message was considered an alert until you created a regexp to ignore it. So, of course, in the first days we would get a lot of alerts on messages until the database has all the common regular expressions. It would be called the "learning time". The nice thing is: if one day a new unknown message is sent by a client, we are sure to get an alert until we add it to the regexp database.
So, the knowledge database could of course contain includes, to be able to have some special regexp databases depending on the OS, the group, the host or the application type, and so organize the regexp database clearly. All regexp entries in the database would include the alert type and help notes to understand alerts, as you all said.
To get configuration from the hobbit server, I think the actual protocol would maybe need an extra word:
The actual config message is sent from the client to the hobbit server with only one argument, the filename:
Config <filename>
I think for the future, it will be easier if you implement the config message like this:
Config <filename> <hostname>
(sorry for the bad English)
-- Etienne
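Added example, not part of the original thread and not Hobbit or logcheck code: a small scanner combining the ideas discussed above (always-report and ignore regexps, "alert until a rule exists" for unknown messages, host-specific rule layers, and a help note attached to each alert). The rule layout, the host name appsrv1 and the sample log lines are constructed for illustration; letting alert rules win over ignore rules is an assumption of this sketch.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    pattern: str    # regexp searched for in each log line
    action: str     # "ignore", or the status colour to raise ("yellow"/"red")
    note: str = ""  # explanatory / how-to-fix text shown with the alert

# Constructed rule database, layered from generic to host-specific.
RULES = {
    "default": [
        Rule(r"\bFATAL\b", "red", "Application aborted; restart it and check disk space."),
        Rule(r"session (opened|closed) for user \w+$", "ignore"),
    ],
    "host:appsrv1": [
        Rule(r"cache refresh took \d+ ms$", "ignore"),
    ],
}

def rules_for(host):
    """Host-specific rules first, then the shared defaults."""
    return RULES.get(f"host:{host}", []) + RULES["default"]

def scan(host, lines):
    """Return (colour, line, note) for every line that must be reported."""
    rules = rules_for(host)
    alerts = []
    for line in lines:
        matched = [r for r in rules if re.search(r.pattern, line)]
        # Alert rules win over ignore rules, so a broad ignore cannot hide a FATAL.
        hit = next((r for r in matched if r.action != "ignore"), None)
        if hit:
            alerts.append((hit.action, line, hit.note))
        elif not matched:
            # Unknown message: report it until someone writes a rule for it.
            alerts.append(("yellow", line, "No rule matches this message yet."))
    return alerts

# Constructed sample log lines.
SAMPLE = [
    "session opened for user alice",
    "FATAL - something just broke down on proc AE56F",
    "cache refresh took 412 ms",
    "license server unreachable, retrying",
]

if __name__ == "__main__":
    for colour, line, note in scan("appsrv1", SAMPLE):
        print(f"{colour:6} {line}\n       -> {note}")
```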
participants (3): David.Gore@verizonbusiness.com, etienne.grignon@gmail.com, greg.hubbard@eds.com