Re: A tool like "logwatch" for a log server

--On September 14, 2007 4:09:18 PM +0100 Andy Davidson <andy@nosignal.org> wrote:

On 14 Sep 2007, at 15:59, Felipe Augusto van de Wiel (faw) wrote:

Imagining that a lot of people here concentrate
their logs in a log server, I was wondering if there are
recommendation for a good log analyzer, something like
logwatch, or documented procedure to get logs from various
hosts checked and reported daily (maybe logcheck?).

We aggregate with syslog-ng and analyze with splunk -

Splunk isn't open source, but it's "the mutts".

We tried splunk for quite a while. We worked with them to try to get it working, but never did. It was unstable in our deployment and would stop working pretty regularly. Eventually it was narrowed down to long log lines, and they had fixed it about the time we decided we weren't going to deploy it. When it was working, it was VERY informative and VERY useful. I can recommend it, but with the reservation that you keep an eye on it with some monitoring software, because it looked like it was working when in fact it had stopped cold.

I'm pretty sure our particular issues were all cleared up by the time we decided we couldn't really deploy it. I think most people/places, though, have quite a bit fewer logs than we do. We also objected to the tiered pricing model they had presented. They're not selling hardware, and we have a hard time accepting a pricing model that requires us to license by the gig for software running on hardware we own that does nothing involving any external entities.
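Two things come up in this thread: the original question (a logwatch-style daily summary over logs collected from many hosts) and the reservation above (an analyser that silently stops ingesting). The script below is an added example, not code from the thread or from Splunk, logwatch or logcheck. It assumes the central syslog-ng host writes one aggregated file in the traditional BSD syslog line format ("Mon DD HH:MM:SS host program[pid]: message"); the log lines, host names and the two-hour silence threshold are constructed for illustration. It produces a per-host summary and flags hosts that have gone quiet, and if every host has gone quiet at once it reports the pipeline itself as dead, which is the failure mode described above.

```python
"""Daily summary plus liveness check over an aggregated syslog file.

Added example for the thread; not code from any product named in it.
Assumption: syslog-ng writes lines in the traditional BSD format.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Traditional syslog line: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample: three hosts; db1 stops logging early in the day.
SAMPLE_LOG = """\
Sep 14 02:00:01 web1 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2
Sep 14 02:15:43 web1 sshd[1240]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Sep 14 02:15:45 web1 sshd[1240]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Sep 14 03:00:00 db1 cron[2201]: (root) CMD (/usr/local/bin/backup.sh)
Sep 14 09:30:12 web1 sudo: ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/systemctl restart nginx
Sep 14 10:00:00 web2 cron[3101]: (root) CMD (run-parts /etc/cron.hourly)
Sep 14 10:00:00 web1 cron[1301]: (root) CMD (run-parts /etc/cron.hourly)
Sep 14 11:00:00 web2 cron[3102]: (root) CMD (run-parts /etc/cron.hourly)
Sep 14 11:00:00 web1 cron[1302]: (root) CMD (run-parts /etc/cron.hourly)
"""


def as_datetime(stamp, year=2007):
    """BSD syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse(text, year=2007):
    """Yield (timestamp, host, program, message); skip malformed lines."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield as_datetime(m["ts"], year), m["host"], m["prog"].strip(), m["msg"]


def report(text, now, silent_after=timedelta(hours=2), year=2007):
    """Per-host counts, sshd failures, and the liveness check.

    A host with no line newer than `now - silent_after` is flagged as
    silent. If every known host is silent, the most likely explanation
    is not that all hosts died but that collection or analysis stopped,
    so `pipeline_dead` is set to make that case hard to miss.
    """
    events = list(parse(text, year))
    per_host = Counter(host for _, host, _, _ in events)
    ssh_failures = Counter()
    last_seen = {}
    for ts, host, prog, msg in events:
        last_seen[host] = max(last_seen.get(host, ts), ts)
        if prog == "sshd" and msg.startswith("Failed password"):
            ssh_failures[host] += 1
    silent = sorted(h for h, t in last_seen.items() if now - t > silent_after)
    return {
        "events_per_host": dict(per_host),
        "ssh_failures_per_host": dict(ssh_failures),
        "silent_hosts": silent,
        "pipeline_dead": bool(last_seen) and len(silent) == len(last_seen),
    }


def render(summary):
    """Plain-text body suitable for the daily mail logwatch users expect."""
    lines = ["Events per host:"]
    for host, n in sorted(summary["events_per_host"].items()):
        lines.append(f"  {host:<10} {n:>6}")
    lines.append("sshd password failures per host:")
    for host, n in sorted(summary["ssh_failures_per_host"].items()):
        lines.append(f"  {host:<10} {n:>6}")
    if summary["pipeline_dead"]:
        lines.append("ALERT: no host has logged recently; check the collector/analyser")
    elif summary["silent_hosts"]:
        lines.append("Silent hosts: " + ", ".join(summary["silent_hosts"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # In production `now` would be datetime.now(); fixed here for the sample.
    print(render(report(SAMPLE_LOG, now=as_datetime("Sep 14 11:05:00"))))
```

Run it from cron after the nightly log rotation and mail the output; the silence threshold should sit well above the longest gap a healthy host normally shows (here the hourly cron entry makes two hours a safe choice), otherwise quiet hosts generate noise and the real "pipeline dead" signal gets ignored.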

