[unisog] [Fwd: Re: OSS monitoring recommendations]

William Yang wyang at gcfn.net
Fri Sep 30 22:06:07 GMT 2005

Jonathan Glass wrote:
> Michael Holstein wrote:
>>>I've been doing my research and now I know that I might be needing a SIM
>>>solution but I really would appreciate your advice on a good and solid
>>>solution that meets these requirements at least.
>>1) syslog-ng on a unix box.
>>2) 'tail -f firewall.log |grep a.b.c.d'
> Actually, you can write a simple script to do grep for something, and 
> have syslog-ng send a copy of the logs to that script, in addition to 
> the log file.  That's real-time, buddy!  AND you don't have to worry 
> about log rotation.
> From http://www.campin.net/syslog-ng/faq.html#external_program
> I have been trying syslog-ng and am extremely happy with the power of using 
> it. I have one question, when using the program option under destination 
> drivers, my PERL script gets launched when I start syslog-ng, but 
> executes once and then dies. I am using this script to page any time I 
> see a log entry, but it only runs the first time it runs.

I use fifos (named pipes), rather than execing a program directly from 
syslog-ng, to parse log output for security events in real time.  I've 
found that the exec/pipe program approach, if and when it dies, really 
doesn't recover gracefully without restarting syslog-ng as well... whereas, 
the named pipe allows a more graceful and modular restart when necessary.

"Good signal handling is your friend.  Especially in security code."

William Yang
wyang at gcfn.net
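
The named-pipe approach described in the message above, as an added Python example that is not part of the original post: the reader reopens the FIFO whenever the writer goes away and exits cleanly on SIGTERM/SIGINT, so either side can be restarted on its own. The FIFO path, the match pattern and the syslog-ng object name in the comment are assumptions.

```python
import os
import re
import signal
import stat

# Constructed pattern: flag dropped/denied packets from one watched address.
WATCH = re.compile(r"\b(DENY|DROP)\b.*\bSRC=192\.0\.2\.10\b")

class Stop(Exception):
    """Raised by the signal handler to unwind a blocking open() or read."""

def _on_signal(signum, frame):
    raise Stop()

def match_lines(stream, pattern=WATCH):
    """Yield the lines of stream that match pattern, newline stripped."""
    for line in stream:
        if pattern.search(line):
            yield line.rstrip("\n")

def watch_fifo(path, handle, max_sessions=None):
    """Read the FIFO until signalled, reopening it after each writer exit."""
    if not os.path.exists(path):
        os.mkfifo(path, 0o600)  # only the owner may read or write
    elif not stat.S_ISFIFO(os.stat(path).st_mode):
        raise RuntimeError(f"{path} exists and is not a FIFO")
    sessions = 0
    try:
        while max_sessions is None or sessions < max_sessions:
            # open() blocks until a writer (syslog-ng) opens the pipe; EOF
            # means the writer closed it, so loop and wait for the next one.
            with open(path, "r", errors="replace") as fifo:
                for hit in match_lines(fifo):
                    handle(hit)
            sessions += 1
    except Stop:
        pass  # clean shutdown; the writer side is left untouched
    return sessions

if __name__ == "__main__":
    # Assumed syslog-ng side (hypothetical names):
    #   destination d_sec { pipe("/var/run/secmon.fifo"); };
    signal.signal(signal.SIGTERM, _on_signal)
    signal.signal(signal.SIGINT, _on_signal)
    watch_fifo("/var/run/secmon.fifo", print)
```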
