loghost - syslogd - filter?
Hello,
I set up a loghost on a SuSE 8.2 prof. (syslogd -r). Another PC sends its logs to it, that's all OK. But now I get all these msgs and want them to be filtered for each host: <date> <client> <sometext>, e.g.: Aug 4 15:57:12 abakus markus: The text of a logger command (but of course all other msgs, too, not only the ones from logger!). So that, e.g., there is a log 'abakus.log' which consists of all logs from abakus.
Greetz Markus
Hi,
What happens when you simply change the name of the output files in /etc/syslogd.conf on machine abakus?
Andy
On Monday 04 August 2003 15:03, Markus Hochmann wrote:
Hello,
I set up a loghost on a SuSE 8.2 prof. (syslogd -r). Another PC sends its logs to it, that's all OK. But now I get all these msgs and want them to be filtered for each host: <date> <client> <sometext>, e.g.: Aug 4 15:57:12 abakus markus: The text of a logger command (but of course all other msgs, too, not only the ones from logger!). So that, e.g., there is a log 'abakus.log' which consists of all logs from abakus.
Greetz Markus
Andy Bennett wrote:
On Monday 04 August 2003 15:03, Markus Hochmann wrote:
I set up a loghost on a SuSE 8.2 prof. (syslogd -r). Another PC sends its logs to it, that's all OK. But now I get all these msgs and want them to be filtered for each host: <date> <client> <sometext>, e.g.: Aug 4 15:57:12 abakus markus: The text of a logger command (but of course all other msgs, too, not only the ones from logger!). So that, e.g., there is a log 'abakus.log' which consists of all logs from abakus.
What happens when you simply change the name of the output files in /etc/syslogd.conf on machine abakus?
Then it will be locally logged, but I want it to be logged remotely:
Client1-------Loghost----Client1.log
Client2---´          `---Client2.log
Greetz Markus
Hi,
Sorry - maybe I misunderstood. On the machine you want to send the log data from you have an entry like
*.* @receiving_machine_name
in /etc/syslog.conf. This sends all messages to UDP port 514 IIRC. On the remote machine you wish to store the logs on you start the syslog daemon with 'syslogd -r' to accept the output. Isn't that what you've done?
Actually I've just realised that the receiving machine's selector field in /etc/syslog.conf is the important mechanism - not the sending machine's file. Sorry about that.
Maybe it's going to be simpler to simply write a sed/grep/awk script to pick out the sending machine's data and save it into a file every hour or so using cron.
Andy
On Monday 04 August 2003 15:35, Markus Hochmann wrote:
Andy Bennett wrote:
On Monday 04 August 2003 15:03, Markus Hochmann wrote:
I set up a loghost on a SuSE 8.2 prof. (syslogd -r). Another PC sends its logs to it, that's all OK. But now I get all these msgs and want them to be filtered for each host: <date> <client> <sometext>, e.g.: Aug 4 15:57:12 abakus markus: The text of a logger command (but of course all other msgs, too, not only the ones from logger!). So that, e.g., there is a log 'abakus.log' which consists of all logs from abakus.
What happens when you simply change the name of the output files in /etc/syslogd.conf on machine abakus?
Then it will be locally logged, but I want it to be logged remotely:
Client1-------Loghost----Client1.log
Client2---´          `---Client2.log
Greetz Markus
* Markus Hochmann wrote on Mon, Aug 04, 2003 at 16:35 +0200:
Then it will be locally logged, but I want it to be logged remotely:
Client1-------Loghost----Client1.log
Client2---´          `---Client2.log
I don't think that syslog is capable of doing that! You cannot sort by hostname. Personally, I use "logmail" (see http://sws.dett.de/) to get log file excerpts by mail (who should read all that stuff every day!); here you can filter who receives what (which, at this time, was one of the design criteria for logmail :-)). Maybe syslog-ng or other replacements are worth a look also. Finally, you can write to FIFOs with syslog, have a daemon (perl) reading the FIFOs and writing files. Maybe you even can specify PIPE commands in syslogd.conf, I'm unsure and too lazy to check the man page :-)
oki,
Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
You could also use 'logsurfer'. It's not trivial to set up but it is very flexible.
-Ben
On Wednesday 06 August 2003 04:45 pm, Steffen Dettmer wrote:
* Markus Hochmann wrote on Mon, Aug 04, 2003 at 16:35 +0200:
Then it will be locally logged, but I want it to be logged remotely:
Client1-------Loghost----Client1.log
Client2---´          `---Client2.log
I don't think that syslog is capable of doing that! You cannot sort by hostname. Personally, I use "logmail" (see http://sws.dett.de/) to get log file excerpts by mail (who should read all that stuff every day!); here you can filter who receives what (which, at this time, was one of the design criteria for logmail :-)). Maybe syslog-ng or other replacements are worth a look also. Finally, you can write to FIFOs with syslog, have a daemon (perl) reading the FIFOs and writing files. Maybe you even can specify PIPE commands in syslogd.conf, I'm unsure and too lazy to check the man page :-)
oki,
Steffen
Markus Hochmann wrote:
So that eg. there is a log 'abakus.log' which consists of all logs from abakus.
You'll have to use a replacement for syslogd. Try syslog-ng or search on http://freshmeat.net/
--
Have fun, Peter
Hello,
On Monday 04 August 2003 16:03, Markus Hochmann wrote:
Hello,
I set up a loghost on a SuSE 8.2 prof. (syslogd -r). Another PC sends its logs to it, that's all OK. But now I get all these msgs and want them to be filtered for each host: <date> <client> <sometext>, e.g.: Aug 4 15:57:12 abakus markus: The text of a logger command (but of course all other msgs, too, not only the ones from logger!). So that, e.g., there is a log 'abakus.log' which consists of all logs from abakus.
You could do that with perl. For a start (useful as a template): http://infocom.cqu.edu.au/Units/aut98/85321/Groups/Draft_Documentation/6/tim... Just change syslog.conf to log to a named pipe and have the perl script process the pipe output. Beware, there are bugs in the example script. At least change 45c45 < ioctl(TTYFILLE, TIOCNOTTY, $scalar); ---
ioctl(TTYFILE, TIOCNOTTY, $scalar);
56c56,57 < while (1) { while($c = getc(PIPE)) { ---
while (1) { $c = getc(PIPE); 81c82 < }}
}
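Review bot: the replacement loop in the 56c56,57 hunk, `while (1) { $c = getc(PIPE);`, drops the end-of-file check that the original inner `while($c = getc(PIPE))` provided; once syslogd closes its end of the named pipe, getc returns undef on every call and the loop spins at full CPU without ever blocking or reopening the FIFO. Add `last unless defined $c;` (and reopen PIPE in an outer loop) so the reader waits for the next writer instead. The 45c45 rename of `TTYFILLE` to `TTYFILE` only helps if the handle is opened under that same name elsewhere in the script; worth a grep before applying.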
The script can handle a considerable number of hosts in realtime and can be very flexible (since you have complete perl pattern matching available).
Greetz Markus
Regards
Martin
--
Martin Leweling
Westf. Wilhelms-Universitaet Muenster
Zentrum fuer Informationsverarbeitung
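Steffen's FIFO-plus-daemon idea and Martin's named-pipe script, sketched in Python as an added example that is not from this thread nor from the script Martin links: it reads the lines syslogd writes to a FIFO (assumed to be declared in syslog.conf as `*.* |/path/to/fifo`), takes the hostname from the classic `<date> <host> <text>` header and appends each line to `<host>.log`. Since the host field is whatever the sender put into the UDP packet, values that are not safe as a file name are filed under `unknown` instead.

```python
import os
import re
from collections import defaultdict

# Constructed sample of lines as a loghost receives them: "<date> <host> <text>".
SAMPLE_LINES = [
    "Aug  4 15:57:12 abakus markus: The text of a logger command",
    "Aug  4 15:57:13 abakus sshd[1234]: Accepted publickey for markus",
    "Aug  4 15:58:01 client2 kernel: eth0: link up",
    "Aug  4 15:58:02 ../../etc/cron.d evil: spoofed hostname field",
    "garbage line without a syslog header",
]

# Classic (RFC 3164 style) header: "Mmm dd hh:mm:ss host rest-of-message".
HEADER_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d (\S+) (.*)$")
# The host field is chosen by whoever sent the packet, so only accept values
# that are safe as a file name component (no '/', no leading dot).
SAFE_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")

def host_for_line(line):
    """Return the host a line should be filed under, or None when the line has
    no parseable header or its host field is not safe to use in a file name."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    host = m.group(1)
    return host.lower() if SAFE_HOST_RE.match(host) else None

def route_lines(lines):
    """Group lines by sending host; unparseable or unsafe ones go to 'unknown'."""
    routed = defaultdict(list)
    for line in lines:
        routed[host_for_line(line) or "unknown"].append(line)
    return routed

def write_per_host(routed, logdir):
    """Append each host's lines to <logdir>/<host>.log (abakus -> abakus.log)."""
    os.makedirs(logdir, mode=0o750, exist_ok=True)
    for host, lines in routed.items():
        with open(os.path.join(logdir, host + ".log"), "a") as f:
            f.write("\n".join(lines) + "\n")

def follow_fifo(fifo_path, logdir):
    """Daemon loop for a FIFO named in syslog.conf as '*.* |/path/to/fifo':
    reopen on EOF, which happens whenever syslogd closes and reopens the pipe."""
    while True:
        with open(fifo_path) as fifo:      # blocks until syslogd opens its end
            for line in fifo:
                write_per_host(route_lines([line.rstrip("\n")]), logdir)
```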