Logwatch is really useful for me, but I find it really tiresome to watch through all emails.
Is there any tool or solution that centralizes all the daily reports into one, and allows to easily navigate through them?
Thanks.
Asked
Active
Viewed 1,835 times
2 Answers
4
We just setup a central logging server, then forward all syslog entries to that server and just run logwatch on that server.
Zypher
- 36,995
- 5
- 52
- 95
-
Can logwatch in this case recognize different machines? – SyRenity Jan 02 '10 at 23:58
-
I mean, show in the output that logs are from different machines? – SyRenity Jan 03 '10 at 00:20
-
Yes, the hostname of the machine that generated the log message is in all syslog entries, as you can see by looking at any syslog-managed log file. – womble Jan 03 '10 at 02:56
2
To give an example of Zypher's answer, what I do is forward *.debug to @loghost on all nodes. The loghost node runs syslog-ng, which has the ability to split out by source system. (I presume other modern syslog replacements like rsyslog can do similar things.)
I have a sample syslog-ng.conf file for solaris, but changing it around to be for linux isn't too hard.
As you can see, we also forward all inbound messages to a single file. This lets us run nightly (or more frequently when required) reporting on a single place, but during debugging or forensic operations we can just look at the system in question.
Another benefit of logging all messages to a single file is that the sequencing of events across multiple systems is easier to determine as that file gets written by arrival time. This means your clocks don't have to be 100% synchronized in order to figure out a sequence of events (although of course that should always be a goal, no matter how unattainable it is).
David Mackintosh
- 14,223
- 6
- 46
- 77