log analyzers

A big problem for anything that manages many systems is keeping the systems working. A company recently put out something that I think is basically a GPL’ed syslogd for Windows: http://www.loglogic.com/logforge/ It looks like they are thinking about syslog, and mention “TCP syslog”.

(A joke… you can’t use the same port. syslog is UDP port 514, while TCP port 514 is… rlogin! That was a surprise one day in firewall land, a decade ago)

TCP syslog is not perfect — the problem is that you want reliability, but you need to not slow the machines down due to network congestion. That calls, really, for SCTP.

For now, I stick to UDP, and use IPsec to keep it private, if available.

I’ve long pointed the syslogd on my Unix machines at one machine, usually my desktop, and arranged for my desktop to show the messages on my screen. Okay, when I’m not plugged in at that IP, I don’t see stuff.

It used to be that you could run xconsole or xterm -C, and you’d get the /dev/console stolen to that pty. This doesn’t work as well anymore, but one can now use:

xconsole -file /dev/xconsole -geometry 1000x30+0+1 -font 5x7 -fg green -bg black -name Console

along with the default entries in /etc/syslog.conf:

daemon.*;mail.*;\
	news.crit;news.err;news.notice;\
	*.=debug;*.=info;\
	*.=notice;*.=warn	|/dev/xconsole

Note that xconsole’s geometry is in pixels, vs xterm’s which is in characters.

Don’t forget to edit =/etc/init.d/sysklogd= to set

SYSLOGD="-r"

You’d expect to see an =/etc/default/syslog= file on Debian, but I don’t.

The challenge now is actually to get a better xconsole program, one with a menu of some kind, a way to interactively set filters, and a way to have it show me only the logs matching a given pattern, coming from a given host, etc.
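The filtering the post asks for can be sketched as a small UDP syslog listener. This is an added example, not code from the post: it parses the BSD syslog datagrams that a syslogd started with -r forwards to UDP 514, applies syslog.conf-style selectors such as daemon.* and *.=warn, and adds the host and pattern filters the author wants; the function names and the default selectors are my own choices.

```python
import re
import socket

# Facility and severity tables from RFC 3164; the names match syslog.conf selectors.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
# One BSD syslog datagram: <PRI>Mmm dd hh:mm:ss host message
LINE_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

def parse(line):
    """Split a raw syslog datagram into its fields; None if it is malformed."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:      # 23*8+7 is the highest valid PRI
        return None
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}

def selector_matches(selector, rec):
    """syslog.conf selector semantics: 'daemon.*', '*.=warn', 'mail.err' (err and worse)."""
    fac, _, lvl = selector.partition(".")
    if fac != "*" and rec["facility"] not in fac.split(","):
        return False
    if lvl == "*":
        return True
    name = lvl.lstrip("=")
    sev, bound = SEVERITIES.index(rec["severity"]), SEVERITIES.index(ALIASES.get(name, name))
    return sev == bound if lvl.startswith("=") else sev <= bound

def wanted(rec, selectors, host=None, pattern=None):
    """The filter the post asks for: any selector hits, plus optional host and regex."""
    if host and rec["host"] != host:
        return False
    if pattern and not re.search(pattern, rec["msg"]):
        return False
    return any(selector_matches(s, rec) for s in selectors)

def serve(port=514, selectors=("daemon.*", "*.=warn"), host=None, pattern=None):
    """Bind the UDP syslog port (root for 514) and print only lines that pass the filter."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, _ = sock.recvfrom(8192)
        rec = parse(data.decode("utf-8", "replace"))
        if rec and wanted(rec, selectors, host, pattern):
            print(f"{rec['host']} {rec['facility']}.{rec['severity']}: {rec['msg']}")
```

Call serve() with the selectors, host and pattern you want; the parse and selector functions can also be run over a saved log file to test a filter before pointing real machines at it.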