Hi!
On Wed, Jul 23, 2014 at 04:05:41PM -0500, Joe M wrote:
> On a slightly different note, how do you process the svlog logs? Do
> you have any related scripts that you do not mind sharing?
I don't do any advanced log rotation/backup/timestamp format change -
the default features of svlogd are good enough for me for these tasks.
What I do is log filtering, to make it easy to review logs on a daily basis
and detect anomalies:
- in the /var/log/<SERVICE>/config file I have an "e*" command to send a copy of all
log lines to STDERR, followed by several "Esomething" commands to avoid
sending non-interesting log lines to STDERR (to make it possible to
really review logs on a daily basis, they shouldn't contain too many lines)
- at the beginning of each service's /service/<SERVICE>/log/run I have this:
exec &>/var/log/all/.log
where /var/log/all/.log is a FIFO file:
# ls -l /var/log/all/.log
prw------- 1 root root 0 Jul 24 01:00 /var/log/all/.log
- next, I have a special service "log-all":
# cat /service/log-all/run
#!/bin/bash
exec 1<>/var/log/.notify 2>&1
exec chpst -u log svlogd /var/log/all/ <>/var/log/all/.log
This lets me run `sudo tail -F /var/log/all/current` in one of the virtual
consoles 24x7 and have there very few log lines from the overall system
which weren't excluded by "Esomething" and thus might be interesting.
As for /var/log/.notify mentioned in the ./run script above - it's the second
level of the same system, which is optional (just remove that line).
It works by adding the same "e*" into /var/log/all/config, creating the FIFO
/var/log/.notify and adding one more service, "notify". This service is
just a perl script which reads from /var/log/.notify and does some automated
actions based on the log lines it reads - like showing a popup notification when
someone logs into my workstation, or automatically blocking (using iptables)
attempts to bruteforce my ssh, etc.
--
WBR, Alex.
Received on Wed Jul 23 2014 - 22:29:13 UTC
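The "notify" service described in the mail above, as an added example that is not Alex's code: a POSIX shell stand-in that reads the lines svlogd's "e*" config would forward through the /var/log/.notify FIFO and reports sources that exceed a failed-SSH-login threshold. The sshd line format, the threshold and the sample log lines are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from Alex's mail: a stand-in for the "notify"
# service he describes, reduced to one detection. It reads the log lines
# that svlogd's "e*" config would deliver through the /var/log/.notify FIFO
# and reports sources that exceed a failed-SSH-login threshold.
# The sshd line format and the threshold are assumptions of this example.

# ssh_failed_counts: read log lines on stdin, print "<count> <ip>" per source
# of "Failed password" messages, most frequent first.
ssh_failed_counts() {
  awk '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++)
        if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) printf "%d %s\n", n[ip], ip }
  ' | sort -rn
}

# bruteforce_sources THRESHOLD: read log lines on stdin, print each source
# with at least THRESHOLD failures (a candidate for the iptables rule the
# real service adds; here it is only reported).
bruteforce_sources() {
  ssh_failed_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample of what the FIFO might carry: three failures from one
# host, a single mistyped password from another, and unrelated cron noise.
SAMPLE='2014-07-24_01:00:01.12345 sshd[2231]: Failed password for root from 198.51.100.7 port 4412 ssh2
2014-07-24_01:00:02.22345 sshd[2231]: Failed password for root from 198.51.100.7 port 4413 ssh2
2014-07-24_01:00:02.92345 cron[1001]: (root) CMD (run-parts /etc/cron.hourly)
2014-07-24_01:00:03.32345 sshd[2231]: Failed password for admin from 198.51.100.7 port 4414 ssh2
2014-07-24_01:00:05.00000 sshd[2240]: Failed password for alex from 192.0.2.10 port 5000 ssh2
2014-07-24_01:00:09.00000 sshd[2240]: Accepted publickey for alex from 192.0.2.10 port 5000 ssh2'

# In the real service the functions would be fed by "exec </var/log/.notify";
# the demo feeds the constructed sample instead and prints 198.51.100.7.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE" | bruteforce_sources 3
fi
```

Run it with `--demo` to see the one source that crossed the threshold; a single mistyped password does not get reported, which is the point of counting before acting.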