SUMMARY:capturing syslog events

From: Oscar Goldes (ogolde@impsat1.com.ar)
Date: Tue Sep 16 1997 - 12:29:57 CDT


Original message:

I need a (hopefully simple and easy) way of triggering processes when
certain messages are written by syslogd in /var/adm/messages.

Please note that I am NOT asking to print messages to a different file;
what I want is to run a process (or to pass the messages to an already
running process) to trigger certain actions when they appear (in real time).
I am aware that syslogd sometimes takes some seconds to write down
messages, but this is tolerable.

I have browsed the FAQs, and searched the relevant man pages, having found
no hints.

The purpose of this is to implement a specialized alarm system in our site,
to help diagnose some "strange" failures.

Our platform is Sparc5 / Solaris 2.5

Thanks for any help or pointers

Summary:

Most of you suggested getting swatch at
ftp://ftp.stanford.edu/general/security-tools/swatch

Also suggested were Hawk, logsurfer, expect, contool, tklogger, logcheck,
watcher and use of perl and shell scripts, reading the log file and grepping
or using a nawk script, using tail -f and nawk.

However the solution I finally used was the one suggested by Alex Lattanzi
and Adrian Singh. I configured syslogd to write the messages to a file
named "FIFO", and created the file as a pipe with "mknod FIFO p".
Then I created a shell script that sits forever reading from the pipe, like
this (provided by Adrian):

#!/usr/bin/ksh
# Sit on the named pipe that syslogd writes to and hand every line to a
# program. "read -r" keeps backslashes in the message intact, and "$line"
# is quoted so the log text is passed as one argument instead of being
# word-split and glob-expanded by the shell.
# When syslogd closes its end of the pipe (restart, HUP) the inner loop
# sees EOF; the outer loop then simply reopens the FIFO and carries on.

while true
do
   while read -r line
   do
      my_program "$line"
   done <FIFO
done

Of course, syslogd needs to be HUPped and the shell script must be run in
background.
I have tested it; it does what I need.

I also got the swatch package; it seems well worth having a look into.

Thanks to:

Cliff Trapp
Michael Hill
Rick Reineman
Rich Kulawiec
Rodney C. Marable
Alex Lattanzi
David Schiffrin
Vasu Srisanan
Mark Tindall
Dieter Gobbers
David Montgomery
Adrian Singh
Glenn Satchell
Daniel Kluge
Patrick Patterson
Mark Bergman
Benjamin Cline

And others whose messages may not yet have arrived

-- Oscar Goldes
-- Orden Argentina SA
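The FIFO approach from the summary, carried one step further as an added example (this is not Adrian's script nor anything posted to the list): instead of calling one fixed program per line, the reader matches each syslog line against a small rule table and runs an action for the first rule that matches, which is what an alarm system of the kind Oscar describes ends up needing. The FIFO path, the syslog.conf selector, the rule patterns and the three sample log lines are all assumptions or constructed input; mkfifo is used as the portable equivalent of the "mknod FIFO p" in the summary. Run with a FIFO path as the argument to sit on the pipe forever; run with no arguments to get a self-contained demonstration on a temporary FIFO.

```shell
#!/bin/sh
# Added example (not the script from the post): a rule-driven dispatcher that
# reads syslog lines from a named pipe. Assumed setup, mirroring the summary:
#   1. mkfifo /var/adm/FIFO            (portable equivalent of "mknod FIFO p")
#   2. add a syslog.conf line, fields separated by a TAB, for example
#          *.warning   /var/adm/FIFO    (selector and path are assumptions)
#   3. kill -HUP the syslogd process so it reopens its output files
#   4. ./syslog_dispatch.sh /var/adm/FIFO &
#
# Rule table, one "regex|action" per line; "|" is the field separator, so the
# regexes (grep -E syntax) must not use alternation. First match wins.
# The patterns and the sample lines further down are constructed, not real output.
RULES='REPEATED LOGIN FAILURES|alert_login
su root.*failed|alert_su
file system full|alert_disk'

# classify_line LINE: print the action for the first rule LINE matches,
# or "ignore". The loop reads a here-document rather than a pipe, so it runs
# in the function's own shell and "return" works as expected.
classify_line() {
    while IFS='|' read -r pattern action; do
        if printf '%s\n' "$1" | grep -E -q -- "$pattern"; then
            printf '%s\n' "$action"
            return 0
        fi
    done <<EOF
$RULES
EOF
    printf 'ignore\n'
}

# alert ACTION LINE: the reaction. Here it only writes to stderr; a real
# deployment would page someone or start a diagnostic script. The line is
# always passed as a single quoted argument and never interpolated into a
# command string, because its content is whatever any host sent to syslogd.
alert() {
    printf 'ALERT %s: %s\n' "$1" "$2" >&2
}

# handle_line LINE: classify, react, and print the chosen action so the
# demo below (and a test) can observe the decision.
handle_line() {
    action=$(classify_line "$1")
    [ "$action" = ignore ] || alert "$action" "$1"
    printf '%s\n' "$action"
}

# drain_fifo FIFO: one pass over the pipe, until the writer closes it.
# "read -r" keeps backslashes; IFS= keeps leading blanks in the message.
drain_fifo() {
    while IFS= read -r line; do
        handle_line "$line"
    done <"$1"
}

# run_reader FIFO: the forever loop from the summary. When syslogd closes
# its end (restart, HUP) read hits EOF and the FIFO is simply reopened.
run_reader() {
    while :; do
        drain_fifo "$1"
    done
}

# demo: stand-alone run with a temporary FIFO and a background stand-in for
# syslogd that writes three constructed lines. Prints the action per line.
demo() {
    dir=$(mktemp -d) || return 1
    fifo=$dir/FIFO
    mkfifo "$fifo"
    {
        printf '%s\n' 'Sep 16 12:29:57 sparc5 login: REPEATED LOGIN FAILURES ON /dev/pts/3'
        printf '%s\n' 'Sep 16 12:30:02 sparc5 unix: NOTICE: alloc: /tmp: file system full'
        printf '%s\n' 'Sep 16 12:30:10 sparc5 sendmail[123]: message queued'
    } >"$fifo" &
    drain_fifo "$fifo"
    wait
    rm -rf "$dir"
}

if [ $# -gt 0 ]; then
    run_reader "$1"
else
    demo
fi
```

Two things worth keeping in mind with this design. The reader must be supervised: a FIFO with no process reading it leaves syslogd blocked or failing on its write, so if the script dies the alarms stop and, depending on the syslogd, other logging can suffer too. And the lines coming out of the pipe are untrusted input that arrived over the network or from any local process, so they are only ever matched and passed as quoted arguments, never handed to eval or spliced into a command.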



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:03 CDT