Re: A tool like "logwatch" for a log server
--On September 14, 2007 4:09:18 PM +0100 Andy Davidson <firstname.lastname@example.org> wrote:

> On 14 Sep 2007, at 15:59, Felipe Augusto van de Wiel (faw) wrote:
>> Imagining that a lot of people here concentrate
>> their logs in a log server, I was wondering if there are
>> recommendations for a good log analyzer, something like
>> logwatch, or a documented procedure to get logs from various
>> hosts checked and reported daily (maybe logcheck?).
>
> We aggregate with syslog-ng and analyze with splunk -
> Splunk isn't open source, but it's "the mutts".

We tried splunk for quite a while. Worked with them to try to get it to
work but never did. It was unstable in our deployment and would stop
working pretty regularly. Eventually it was finally narrowed down to long
log lines and they had fixed it about the time we decided we weren't going
to deploy it. When it was working, it was VERY informative and VERY
useful. I can recommend it, but with reservations, that you keep an eye on
it with some monitoring software because it was looking like it was working
when in fact it had stopped cold.

I'm pretty sure our particular issues were all cleared up by the time we
decided we couldn't really deploy it. I think most people/places though
have quite a bit less logs than we do. We also objected to the tiered
pricing model they had presented. They're not selling hardware and we have
a hard time accepting a pricing model that requires us to license by the
gig for software running on hardware we own that does nothing involving any