On 9/6/09, [email protected] <[email protected]> wrote:
> On Sun, 6 Sep 2009, Israel Garcia wrote:
>
>> On 9/6/09, [email protected] <[email protected]> wrote:
>>> On Sun, 6 Sep 2009, Israel Garcia wrote:
>>>
>>>> I have some debian lenny servers sending their logs (via TCP) to a
>>>> central rsyslog server.
>>>> Every remote server has at /etc/rsyslog.conf:
>>>>
>>>> *.* @@IP_CENTRAL_SERVER
>>>>
>>>> So, I can see in the central syslog server all logs without problems.
>>>> I'm looking for a single and simple report, like logwatch for example
>>>> who process all logs and send me in ONE mail or on ONE html page all
>>>> resume info of all logs. I tried with logwatch and I didn't get this
>>>> report I'm looking for.
>>>>
>>>> My question is?
>>>> Is there any tool, script, app, etc which I run on the syslog server
>>>> and give me the information of all servers in a way as simple as
>>>> possible? Maybe in a single resume mail separated by a line for
>>>> example?
>>>
>>> there are a lot of products and projects out there to analyse logs and
>>> generate reports.
>>>
>>> the problem is that what I am interested in seeing in a report may or may
>>> not match what you are interested in seeing.
>>>
>>> also, most of this effort is taking place within organizations that have
>>> large volumes of logs, so distilling it down to a single report or e-mail
>>> requires that a lot of detail gets left out (and that goes back to
>>> exactly
>>> what you are interested in seeing)
>>>
>>> when you say you want one page that shows you 'everything', what is it
>>> that you want to see?
>> Hi, David
>> I mean, a report like logwatch used to send me every day from each
>> server. As I said before, I'm collecting all servers logs (syslog and
>> auth.log) into my central syslog, so I need some tool like logwatch
>> running on the collector which sends it in one mail or on one html page.
>> I tried to configure logwatch in the collector without success.
>>
>> That's what I need. :-)
>
> ok, so you want the report that you get from logwatch, that simplifies
> things.
>
> when you say you can't get it to work on the collector box, more info is
> needed.
>
> does logwatch give you the info that you want about the collector box?
My scenario:
I added these two lines in /etc/rsyslog.conf of all exporting servers:
auth,authpriv.* @@xx.xx.xx.xx
*.*;auth,authpriv.none @@xx.xx.xx.xx
In the collector syslog and auth.log files I see logs coming from
those servers.
logwatch.conf file is the default.
I run logwatch (testing mode) on the collector and it merges logs from
all servers, so you cannot identify which server each log output belongs to.
It looks like all logs are from the collector server.
Here you can see a part of the logwatch output:
In my case deb2 is the hostname of the collector and debian is the
hostname of one exporter.
deb2:/etc/cron.daily# /usr/sbin/logwatch --range Today
################### Logwatch 7.3.6+cvs20080702-debian (07/02/08) ####################
Processing Initiated: Sun Sep 6 21:35:29 2009
Date Range Processed: today
( 2009-Sep-06 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: deb2
##################################################################
### These logs are from deb2
Installed:
libdate-manip-perl 5.54-1
lockfile-progs 0.1.11-0.1
logtail 1.2.69
logwatch 7.3.6.cvs20080702-2
postfix 2.5.5-1.1
.
.
.
.
.
--------------------- pam_unix Begin ------------------------
### All these log entries from user test123 are from one exporter
server (debian).
sshd:
Authentication Failures:
root (localhost): 1 Time(s)
su:
Authentication Failures:
test123(1003) -> root: 2 Time(s)
Sessions Opened:
root -> logcheck: 17 Time(s)
root -> root: 9 Time(s)
sudo:
Authentication Failures:
test123(0) -> test123: 1 Time(s)
**Unmatched Entries**
useradd: failed adding user `test', data deleted: 1 Time(s)
---------------------- Connections (secure-log) End -------------------------
==============================================================================
### This is from exporter debian server.
test123 => root
---------------
/bin/su - 1 Times.
---------------------- Sudo (secure-log) End -------------------------
## This df output is from deb2 (collector)
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 7.5G 2.0G 5.2G 28% /
---------------------- Disk Space End -------------------------
###################### Logwatch End ###################
As you can see, it seems like the report belongs to the deb2 server, and it does not.
I'd be happy if at least logwatch put some tags at the beginning of
each line to identify the source.
Thanks again.
Regards,
Israel.
>
> do you put the logs from all servers in one file? or do you split them by
> host? (or split them in other ways)
>
> how does logwatch fail? does it crash? give you incorrect information?
> other?
>
> David Lang
--
Regards;
Israel Garcia
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
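As an added example (not part of this thread, and not code from logwatch or rsyslog), the script below does what the last message asks for: it reads the collector's merged auth.log, groups lines by the syslog hostname field that a merged-file logwatch run ignores, and emits a pam_unix failure summary with the source host tagged on every line. The log lines are constructed to mirror the deb2/debian scenario above.

```python
import re
from collections import defaultdict

# Constructed sample of the collector's merged auth.log: lines from the collector
# itself (deb2) and from one exporter (debian), in the classic syslog line layout.
SAMPLE_AUTH_LOG = """\
Sep  6 21:10:01 deb2 sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=root
Sep  6 21:12:44 debian su[1930]: pam_unix(su:auth): authentication failure; logname=test123 uid=1003 euid=0 tty=/dev/pts/0 ruser=test123 rhost=  user=root
Sep  6 21:12:51 debian su[1932]: pam_unix(su:auth): authentication failure; logname=test123 uid=1003 euid=0 tty=/dev/pts/0 ruser=test123 rhost=  user=root
Sep  6 21:13:05 debian sudo: pam_unix(sudo:auth): authentication failure; logname=test123 uid=0 euid=0 tty=/dev/pts/0 ruser=test123 rhost=  user=test123
Sep  6 21:15:00 deb2 su[2301]: pam_unix(su:session): session opened for user logcheck by (uid=0)
Sep  6 21:20:17 debian useradd[1950]: failed adding user `test', data deleted
"""

# timestamp, hostname, program[pid]: message
LINE_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) "
                     r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")

def split_by_host(text):
    """Group parsed lines by the hostname field (the attribution logwatch drops)."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_host[m["host"]].append(m)
    return per_host

def auth_failure_report(text):
    """Per host: pam_unix auth failures by program; non-pam_unix lines kept as unmatched."""
    report = {}
    for host, entries in split_by_host(text).items():
        failures, unmatched = defaultdict(int), []
        for m in entries:
            if "authentication failure" in m["msg"] and "pam_unix(" in m["msg"]:
                failures[m["prog"]] += 1
            elif "pam_unix(" not in m["msg"]:
                unmatched.append(f'{m["prog"]}: {m["msg"]}')
        report[host] = {"failures": dict(failures), "unmatched": unmatched}
    return report

def format_report(report):
    """Render the summary with the source host tagged on every line."""
    out = []
    for host in sorted(report):
        for prog, n in sorted(report[host]["failures"].items()):
            out.append(f"[{host}] {prog}: {n} authentication failure(s)")
        for entry in report[host]["unmatched"]:
            out.append(f"[{host}] unmatched: {entry}")
    return "\n".join(out)
```

Running `print(format_report(auth_failure_report(SAMPLE_AUTH_LOG)))` shows the sshd failure attributed to deb2 and the su/sudo failures and the useradd line attributed to debian, rather than everything appearing to come from the collector.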