$ ktrace logger -it "this is a log message"
$ kdump -f ktrace.out
Too much, too little, and everything in between (± bugs).
It depends!
*.info @loghost.example.org
options { use_time_recvd(yes); };
http://sial.org/howto/logging/syslogd-problems/
# Selector is facility.level; a level selects that level and everything more
# severe. Lines are processed independently, so one message may hit several.
*.err;kern.debug;auth.notice;mail.crit /dev/console
# mail.none keeps mail traffic out of the general log; it has its own file.
*.info;kern.debug;mail.none /var/log/messages
mail.info /var/log/maillog
# A bare '*' target writes the message to every logged-in user's terminal.
*.emerg *
Apr 15 15:06:50 server sshd[58101]: Connection closed by 192.0.2.151
messages messages.11 messages.15 messages.4 messages.8
messages.0 messages.12 messages.16 messages.5 messages.9
messages.1 messages.13 messages.2 messages.6
messages.10 messages.14 messages.3 messages.7
We can do better! Because…
http://sial.org/howto/logging/syslog-ng/
destination mail {
file("/var/log/archive/mail/$YEAR/$MONTH/$YEAR-$MONTH-$DAY"
template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n") template_escape(no) ); };
2004-04-15T15:06:50-0700 <daemon.info> server.example.org sshd[58101]: Connection↵
closed by 192.0.2.151
2004-08-12T12:41:45-0800 <auth.info> ' from 192.0.2.151
2004-08-12T12:42:08-0800 <user.warning> client.example.org (username-1234): ↵
Error releasing lockfile: Failed to link '/afs/example/home/username/.gconfd/…
/^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d-\d{4} <[^.]+\.[^>]+> \S+ clamd(?:\[\d+\])?: /
tail -f /var/log/messages
$ ls /var/log/htpd/
access_log error_log httpd.pid proxy ssl_engine_log
$ eet /var/log/httpd/*_log | colorize
$ ptail /var/log/everything 'print unless m/(\.(debug|info|notice)> |modprobe)/'
$ ptail /var/log/messages 'print if /named|testhost/'
Cannot watch logs all the time…
/var/log/everything - rotated daily
# 3ware logs
# A 3w-xxxx controller reporting loss of fault tolerance means a RAID member
# is gone; page root, but at most once per throttle window for this regex
# (use=regex keys the throttle on the pattern rather than the message text).
watchfor /(?i)3w-xxxx.+no longer fault tolerant/
mail=root,subject=LW warn: disk 3ware RAID not fault tolerant
throttle 1:00:00,use=regex
# this uses MIMEDefang MDLOG entries to spot viruses from "local" subnets
# The address field (presumably the sending relay/client) is matched by
# prefix: 10.0.11, 10.0.12 and 192.0.2. NOTE(review): the prefix is not
# anchored on the right, so 10.0.110.x or 192.0.20.x also match; append \.
# (or a \b) after each prefix if that is unintended. A hit means an internal
# host is emitting malware, hence the extra admin-alert recipient.
watchfor /MDLOG,[^,]+,virus,[^,]+,(?:10\.0\.(?:11|12)|192\.0\.2)/
mail=root:admin-alert,subject=LW warn: mail site malware source
throttle 30:00,use=regex
# for reporting things via email
# Any line containing "custom-notify: " (case-insensitive) is mailed to
# root; scripts raise one via logger(1), e.g. logger "custom-notify: done".
watchfor /(?i)custom-notify: /
mail=root,subject=LW info: misc custom notify message
throttle 15:00,use=regex
$ long-running-job ; logger "custom-notify: long job done"
# Mail root when the watcher itself (presumably the "LW" swatch wrapper) is
# restarted, so a silent restart or a crash loop does not go unnoticed.
watchfor /logwatch restart/
mail=root,subject=LW info: log logwatch restart
throttle 15:00,use=regex
# Drop routine clamd chatter. swatch evaluates rules in order and stops at
# the first match (no 'continue' action here), so these ignores must stay
# above the clamd error rule and the catch-all at the end.
ignore /\.info> \S+ clamd(?:\[\d+\])?: /
ignore /\.notice> \S+ clamd(?:\[\d+\])?: clamd (startup|shutdown) succeeded/
# clamd could not read something it was asked to scan: print the line, but
# not more often than the throttle window for this regex.
watchfor /clamd\[\d+\]:.+Unable to open file or directory/
echo
throttle 1:00:00,use=regex
# Catch-all: /./ matches any non-empty line, so everything not ignored
# above is echoed into the report. This is what surfaces the unexpected.
watchfor /./
echo
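#!/bin/sh
# Run swatch over each archived log file that unseen(1) reports as not yet
# processed and mail the report to the invoking user.
# Requires: unseen, swatch, mail; everything.conf is resolved relative to the
#           current directory, so run from the directory holding it.
# Globals:  HOME (read) - location of the unseen state file.
# NOTE(review): the unseen options are taken as-is from the original
# (-w 30d presumably bounds the window, -s names the state file) - confirm
# against unseen's documentation.
set -eu

unseen -w 30d -T -s "$HOME/share/unseen.logs" /var/log/archive |
while IFS= read -r logfile; do
  # -r keeps backslashes in the path literal; quoting "$logfile" stops
  # word-splitting and globbing on unusual file names (the original passed
  # it unquoted, which silently breaks on paths with spaces or '*').
  swatch --config-file=everything.conf --examine="$logfile" |
    mail -s "swatch check: file=$(basename -- "$logfile")" "$(id -un)"
done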
$ redress | pbcopy
example.log: (user-500) file=/var/log/maillog
$ echo `pbpaste`
example\.log: \(user-500\) file=\/var\/log\/maillog