On 9/6/09, [email protected] <[email protected]> wrote:
> On Sun, 6 Sep 2009, Israel Garcia wrote:
>
>> On 9/6/09, [email protected] <[email protected]> wrote:
>>> On Sun, 6 Sep 2009, Israel Garcia wrote:
>>>
>>>> On 9/6/09, [email protected] <[email protected]> wrote:
>>>>> On Sun, 6 Sep 2009, Israel Garcia wrote:
>>>>>
>>>>>> I have some debian lenny servers sending their logs (via TCP) to a
>>>>>> central rsyslog server.
>>>>>> Every remote server has at /etc/rsyslog.conf:
>>>>>>
>>>>>> *.* @@IP_CENTRAL_SERVER
>>>>>>
>>>>>> So, I can see in the central syslog server all logs without problems.
>>>>>> I'm looking for a single and simple report, like logwatch for example,
>>>>>> which processes all logs and sends me in ONE mail or on ONE html page all
>>>>>> resume info of all logs. I tried with logwatch and I didn't get the
>>>>>> report I'm looking for.
>>>>>>
>>>>>> My question is:
>>>>>> Is there any tool, script, app, etc. which I run on the syslog server
>>>>>> and gives me the information of all servers in a way as simple as
>>>>>> possible? Maybe in a single resume mail separated by a line for
>>>>>> example?
>>>>>
>>>>> there are a lot of products and projects out there to analyse logs and
>>>>> generate reports.
>>>>>
>>>>> the problem is that what I am interested in seeing in a report may or
>>>>> may not match what you are interested in seeing.
>>>>>
>>>>> also, most of this effort is taking place within organizations that
>>>>> have large volumes of logs, so distilling it down to a single report or
>>>>> e-mail requires that a lot of detail gets left out (and that goes back to
>>>>> exactly what you are interested in seeing)
>>>>>
>>>>> when you say you want one page that shows you 'everything', what is it
>>>>> that you want to see?
>>>> Hi, David
>>>> I mean, a report like logwatch used to send me every day from each
>>>> server. As I said before, I'm collecting all servers' logs (syslog and
>>>> auth.log) into my central syslog, so I need some tool like logwatch
>>>> running on the collector which sends one mail or one html page.
>>>>
>>>> I tried to configure logwatch in the collector without success.
>>>>
>>>> That's what I need. :-)
>>>
>>> ok, so you want the report that you get from logwatch, that simplifies
>>> things.
>>>
>>> when you say you can't get it to work on the collector box, more info is
>>> needed.
>>>
>>> does logwatch give you the info that you want about the collector box?
>>
>> My scenario:
>> I added these two lines in /etc/rsyslog.conf of all exporting servers:
>>
>> auth,authpriv.* @@xx.xx.xx.xx
>> *.*;auth,authpriv.none @@xx.xx.xx.xx
>>
>> In the collector syslog and auth.log files I see logs coming from
>> those servers.
>>
>> logwatch.conf file is the default.
>>
>> I run logwatch (testing mode) in the collector and it merges logs from
>> all servers, so you cannot identify which server a log output belongs to.
>> It looks like all logs are from the collector server.
>
> ahh, that's the problem.
>
> unfortunately fixing this would take some significant surgery to logwatch.
> it assumes that all the logs it is dealing with are from the local box and
> therefore it ignores the server tag in the output.
>
> you could use the rsyslog dynafiles feature to create a different file for
> each server, run logwatch against each of those files, and then combine
> the reports (including adding text to tell you which server is up next)
Hi David,
I'll try this way.. but do you know if there is another tool more simple to get my report?
thanks in advance.
regards,
israel.
>
> David Lang
>
>> here you can see a part of logwatch output:
>>
>> In my case deb2 is the hostname of the collector and debian is the
>> hostname of one exporter.
>>
>> deb2:/etc/cron.daily# /usr/sbin/logwatch --range Today
>>
>> ################### Logwatch 7.3.6+cvs20080702-debian (07/02/08) ####################
>> Processing Initiated: Sun Sep 6 21:35:29 2009
>> Date Range Processed: today
>> ( 2009-Sep-06 )
>> Period is day.
>> Detail Level of Output: 0
>> Type of Output/Format: stdout / text
>> Logfiles for Host: deb2
>> ##################################################################
>>
>> ### These logs are from deb2
>> Installed:
>> libdate-manip-perl 5.54-1
>> lockfile-progs 0.1.11-0.1
>> logtail 1.2.69
>> logwatch 7.3.6.cvs20080702-2
>> postfix 2.5.5-1.1
>> .
>> .
>> .
>> .
>> .
>> --------------------- pam_unix Begin ------------------------
>> ### All these log entries from user test123 are from one exporter
>> server (debian).
>> sshd:
>> Authentication Failures:
>> root (localhost): 1 Time(s)
>>
>> su:
>> Authentication Failures:
>> test123(1003) -> root: 2 Time(s)
>> Sessions Opened:
>> root -> logcheck: 17 Time(s)
>> root -> root: 9 Time(s)
>>
>> sudo:
>> Authentication Failures:
>> test123(0) -> test123: 1 Time(s)
>>
>> **Unmatched Entries**
>> useradd: failed adding user `test', data deleted: 1 Time(s)
>>
>> ---------------------- Connections (secure-log) End -------------------------
>>
>>
>> ==============================================================================
>> ### This is from exporter debian server.
>> test123 => root
>> ---------------
>> /bin/su - 1 Times.
>>
>> ---------------------- Sudo (secure-log) End -------------------------
>>
>> ## This df output is from deb2 (collector)
>> --------------------- Disk Space Begin ------------------------
>>
>> Filesystem Size Used Avail Use% Mounted on
>> /dev/sda1 7.5G 2.0G 5.2G 28% /
>>
>> ---------------------- Disk Space End -------------------------
>>
>> ###################### Logwatch End ###################
>>
>> As you can see, it seems like the report belongs to deb2 server and it's
>> not.
>>
>> I'd be happy if at least logwatch put some tags at the beginning of
>> each line to identify the source.
>>
>> thanks again.
>> regards,
>> israel.
>>
>>> do you put the logs from all servers in one file? or do you split them by
>>> host? (or split them in other ways)
>>>
>>> how does logwatch fail? does it crash? give you incorrect information?
>>> other?
>>>
>>> David Lang
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com
>>>
>>
>
--
Regards;
Israel Garcia
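One way to put David Lang's suggestion into practice, as an added example that is not from the thread or from either project: an rsyslog dynafile split per sending host (shown in the comments, mirroring the two selectors the exporters already use so the Debian logwatch defaults still find syslog and auth.log) and a POSIX shell function that runs logwatch against each host's directory with a banner naming the host. The /var/log/remote layout, the REMOTE_LOG_ROOT and LOGWATCH variables and the exact logwatch invocation are assumptions; adjust them to the collector.

```shell
#!/bin/sh
# Assumed collector-side rsyslog (legacy syntax). %HOSTNAME% comes from the
# sending box, so secpath-replace turns any '/' in it into '_' rather than
# letting a crafted hostname escape the directory:
#
#   $CreateDirs on
#   $template RemoteAuth,"/var/log/remote/%HOSTNAME:::secpath-replace%/auth.log"
#   $template RemoteSyslog,"/var/log/remote/%HOSTNAME:::secpath-replace%/syslog"
#   auth,authpriv.*         ?RemoteAuth
#   *.*;auth,authpriv.none  ?RemoteSyslog
#
# Variables below are assumptions, overridable from the environment.
REMOTE_LOG_ROOT="${REMOTE_LOG_ROOT:-/var/log/remote}"
LOGWATCH="${LOGWATCH:-/usr/sbin/logwatch}"

# Run logwatch once per host directory under $1, printing a banner naming
# the host before each report so the merged output stays attributable.
# Returns non-zero if any per-host run failed (each failure is noted inline).
combined_report() {
    root="$1"
    status=0
    for hostdir in "$root"/*/; do
        [ -d "$hostdir" ] || continue      # no host dirs: glob stays literal
        host=$(basename "$hostdir")
        printf '\n################ Host: %s ################\n' "$host"
        if ! "$LOGWATCH" --logdir "$hostdir" --range Today \
                --output stdout --detail 0; then
            printf '(logwatch failed for %s)\n' "$host"
            status=1
        fi
    done
    return "$status"
}

# Stand-alone use, e.g. from cron:
#   sh this_script.sh --run | mail -s "Daily logwatch, all hosts" root
if [ "${1:-}" = "--run" ]; then
    combined_report "$REMOTE_LOG_ROOT"
fi
```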

