| < bundle | Russ Allbery > Software | lbcd > |
"I see the world didn't end yesterday."
"Are you sure?"
Alan Moore, Watchmen
I wrote this program because we had hundreds of systems all merrily saving their syslog files nightly into AFS to absolutely no purpose whatsoever apart from wasting disk space because no one looked at them. We had all the information we'd ever want to check for problems, but since we didn't have anything in place to do that, it was just sitting there, saved in case we could do something with it later.
Now, for new server builds, we install this program, running it out of newsyslog nightly. It's a fairly simple filter, much simpler than other, more complex programs like logcheck, but that also makes it easier to teach someone how to configure. And we don't bother archiving these logs in AFS any more.
filter-syslog isn't really designed for individual systems; for that, I recommend instead installing the Debian logcheck package. It's more for deploying standard syslog filtering across hundreds of servers.
This is not a security tool. It does not monitor logs in real time like swatch. If someone breaks into the system and removes the incriminating evidence from syslog, this won't catch it. Rather, this is designed more to be run periodically to pick up things like disks that are starting to complain, unusual activity or software failures that otherwise might not have been noticed, and just things that were happening on the system that you didn't know about. It works best with a syslog.conf file that directs all of the logs to one file, or when run as part of the log rotation process on the just-rotated log.
For a similar program to filter logs managed by multilog, see multilog-watch.
filter-syslog requires Perl 5.6.0 or later, and a program installed as /usr/sbin/sendmail or /usr/lib/sendmail that supports the standard sendmail options and can be used to send the filtered report via mail.
The program: filter-syslog 1.20 (2007-04-14)
Documentation:
A Debian package is available from my personal repository.
Copyright 2002, 2003, 2004, 2006, 2007 Board of Trustees, Leland Stanford Jr. University.
This program is free software; you may redistribute it and/or modify it under the same terms as Perl itself. This means that you may choose between the two licenses that Perl is released under: the GNU GPL and the Artistic License. Please see your Perl distribution for the details and copies of the licenses.